Ransomware Targeting Healthcare and Public Health Sector

As ransomware activity becomes ever more prevalent in day-to-day life, criminal actors are heavily targeting the Healthcare and Public Health (HPH) Sector.

CISA and the FBI, along with the Department of Health and Human Services, recently released an advisory describing the tactics, techniques, and procedures that are typically used by cybercriminals against targets in the Healthcare and Public Health Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.

So, how do we detect these threats? CISA, the FBI, and HHS assess that malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services. Within the HPH Sector, these issues will be particularly challenging for organizations affected by the COVID-19 pandemic (which is pretty much everyone). Administrators will need to weigh this risk when deciding where to make their cybersecurity investments.

Many organizations are at the point where they are asking themselves:

“How do we prevent this from happening to us?”
Or, in a more unfortunate scenario: “How did we let this happen to us?”
And: “What do we do now?”
In either scenario, we can help you not only detect, protect against, and prevent potential attacks, but also give you the tools to restore your organization to its normal production state (even if you are already under attack). We do that by implementing CryptoSpike.
By utilizing your existing native snapshots, CryptoSpike uses a multi-pronged approach consisting of a Block List, an Allow List and a Pattern Learner module to better protect your environment. It also detects immediate day-one threats, so that you know exactly where, and on which user profile or device, a potential attack took place, without having to do a full rollback or restore. With CryptoSpike you restore only the infected file(s) back to their last known good state, within seconds. This cuts down on time and resources tremendously by detecting, preventing, and allowing recovery from a ransomware attack within seconds to minutes. CryptoSpike is also very affordable and easy to deploy, so it not only keeps things cost-efficient but also makes it easy for you and your teams to deploy and monitor.
During a typical attack (as laid out in the CISA/FBI advisory), TrickBot creators, “which are likely also the creators of BazarLoader malware, have continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization.” “These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.”
This is where access transparency comes in. Understanding which users accessed what data, when, and how often, is very important. Since CryptoSpike monitors all user file access, it is ideally suited to track and deliver this information. With CryptoSpike, you can easily examine user behavior down to the level of files and folders. Reports show user activity in terms of file opens, closes, deletes, writes and so on, giving you definitive information that a given volume, folder, or file was accessed by a given user.

CryptoSpike requires, and works together with, the NetApp FPolicy server, which enforces the blocking decisions CryptoSpike makes. For example, if ransomware is detected by the Learner module, the relevant user is switched to read-only access, which stops them from spreading the ransomware further. CryptoSpike also tells you which files have been affected and provides a list of them, so you can perform targeted recovery of just those files from NetApp snapshots rather than rolling back an entire folder.

CryptoSpike is licensed per controller node, with pricing tiered by system size according to the NetApp model number. There are no capacity limitations in terms of total storage, number of files, or number of users, making CryptoSpike licensing very easy to manage.
US Ransomware Attacks Doubled in Q3; Healthcare Sector Most Targeted
New Check Point research examines the ransomware threat landscape for Q3 2020, noting a 50 percent increase in daily attacks. The healthcare sector is the most targeted globally.
CISA, the FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the network best practices in the advisory, the FBI, CISA and HHS also recommend the following:
  • “Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.”
Here at Catalogic, we will help you with that recovery plan, but also with a plan of prevention and protection with CryptoSpike. Being able to see what’s going on within your environment is crucial, especially within the Healthcare and Public Health Sector. Please make sure you have a plan in place, and please feel free to reach out to us any time. We’re here to help.
To learn more about CryptoSpike – Ransomware Protection for NetApp, click here.

Posted 12/11/2020

Smart Data Protection at a More Affordable Cost

While we all continue navigating the ever-changing world of data protection, we are always searching for better data protection at a more affordable cost, while still maintaining the necessary security and compliance. At Catalogic, we do exactly that. We provide you with an array of data protection product options to fit your environment’s needs. For example, our NetApp product options, CryptoSpike and RestoreManager, give you a more in-depth look at your environment from the perspectives of data protection and of search-and-restore analytics.

CryptoSpike is ransomware protection for NetApp, but it is also much more. CryptoSpike provides real-time detection, prevention, and recovery capabilities for your NetApp file environments. By utilizing your existing native snapshots, CryptoSpike uses a multi-pronged approach consisting of a Black list, a White list and a Pattern Learner module to better protect your environment. It also detects immediate day-one threats, so that you know exactly where, and on which user profile or device, a potential attack took place, without having to do a full rollback or restore.

With CryptoSpike you restore only the infected file or files back to their last known good state, within seconds. This cuts down on time and resources tremendously by being able to detect, prevent and recover from a ransomware attack within seconds to minutes, and it does not break the bank either.
Another aspect of overall data security is data access transparency: understanding which users accessed what data, plus when and how often. Since CryptoSpike monitors all user file access, it is ideally suited to track and deliver this information. With CryptoSpike, you can easily examine user behavior down to the level of files and folders. Reports show user activity in terms of file opens, closes, deletes, writes and so on, giving you definitive information that a given volume, folder, or file was accessed by a given user. CryptoSpike requires, and works together with, the NetApp FPolicy server, which enforces the blocking decisions CryptoSpike makes. For example, if ransomware is detected by the Learner module, the relevant user is switched to read-only access, which stops them from spreading the ransomware further. CryptoSpike also tells you which files have been affected and provides a list of them, so you can perform targeted recovery of just those files from NetApp snapshots rather than rolling back an entire folder. CryptoSpike is licensed per controller node, with pricing tiered by system size according to the NetApp model number. There are no capacity limitations in terms of total storage, number of files, or number of users, making CryptoSpike licensing very easy to manage.
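Both posts describe the same detection-and-recovery loop: watch every file operation a user performs, match it against a block list of known-bad names, exempt allow-listed accounts, let a learner flag abnormal bursts of modifying operations relative to the user's baseline, switch the offending user to read-only, and then restore only the affected files from the newest snapshot taken before the attack began. The following Python example, added here as an illustration and not CryptoSpike's or NetApp's own code, implements that loop over a constructed stream of FPolicy-style events. Every extension, file name, account name, snapshot name and threshold in it is a constructed placeholder, not a real indicator. It also handles the edge case the paragraphs gloss over: the learner only fires after the burst is already under way, so the files modified in the window before detection must be pulled into the restore list as well.

```python
"""Toy file-access monitor: block list, allow list, burst learner, and a
targeted restore plan. Constructed example; not CryptoSpike code."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed block list: suffixes and note names that never occur in
# normal use on this share. Placeholders, not real ransomware indicators.
BLOCK_LIST = {".locked", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt"}
# Constructed allow list: accounts whose bulk writes are expected.
ALLOW_LIST = {"backup_svc"}
MODIFY_OPS = ("write", "rename", "delete")


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed, small numbers)
    user: str
    op: str            # "open" | "write" | "rename" | "delete" | "close"
    path: str
    new_path: str = ""  # target name for renames


@dataclass
class Verdict:
    read_only_users: set = field(default_factory=set)
    reasons: dict = field(default_factory=lambda: defaultdict(list))
    affected: dict = field(default_factory=lambda: defaultdict(set))
    first_suspect_ts: dict = field(default_factory=dict)


def _suffix(path):
    i = path.rfind(".")
    return path[i:].lower() if i >= 0 else ""


def _basename(path):
    return path.rsplit("/", 1)[-1].lower()


def _flag(v, user, history, reason):
    """Mark a user read-only. Detection lags the first bad write, so every
    path the user modified in the current window joins the affected set."""
    v.reasons[user].append(reason)
    if user in v.read_only_users:
        return
    v.read_only_users.add(user)
    v.first_suspect_ts[user] = history[0][0]
    v.affected[user].update(p for _, p in history)


def analyze(events, baseline, window=60, burst_factor=10, min_burst=20):
    """baseline: {user: typical modifying ops per `window` seconds}.
    Block-list hits flag immediately; the learner flags when a user's
    modifying ops in any sliding window exceed burst_factor * baseline."""
    v = Verdict()
    recent = defaultdict(list)  # user -> [(ts, path)] inside the window
    for e in sorted(events, key=lambda e: e.ts):
        if e.user in ALLOW_LIST:
            continue
        if e.op in MODIFY_OPS:
            hist = recent[e.user]
            hist.append((e.ts, e.path))
            while hist and hist[0][0] < e.ts - window:
                hist.pop(0)
        target = e.new_path or e.path
        already = e.user in v.read_only_users
        if e.op in MODIFY_OPS and (_suffix(target) in BLOCK_LIST
                                   or _basename(target) in RANSOM_NOTE_NAMES):
            _flag(v, e.user, recent[e.user], f"block list hit: {target}")
        elif e.op in MODIFY_OPS and not already:
            limit = max(min_burst, burst_factor * baseline.get(e.user, 1))
            if len(recent[e.user]) > limit:
                _flag(v, e.user, recent[e.user],
                      f"{len(recent[e.user])} modifying ops in {window}s (limit {limit})")
        # Once read-only, keep recording what the user still touches.
        if e.user in v.read_only_users and e.op in MODIFY_OPS:
            v.affected[e.user].add(e.path)
    return v


def restore_plan(verdict, snapshots):
    """snapshots: [(name, ts)]. Map each affected file to the newest
    snapshot taken before that user's first suspicious op; None if no
    snapshot predates the attack (the case a restore must not hide)."""
    plan = {}
    for user, files in verdict.affected.items():
        good = [s for s in snapshots if s[1] < verdict.first_suspect_ts[user]]
        snap = max(good, key=lambda s: s[1])[0] if good else None
        for f in files:
            plan[f] = snap
    return plan


# Constructed sample data: two snapshots and a short event stream.
SNAPSHOTS = [("hourly.0", 0), ("hourly.1", 150)]
BASELINE = {"alice": 2, "bob": 2, "mallory": 2}


def sample_events():
    ev = [Event(10 + i * 10, "alice", "write", f"/vol/share/notes{i}.docx") for i in range(3)]
    ev += [Event(50 + i, "backup_svc", "write", f"/vol/share/bk/{i}.bin") for i in range(40)]
    for i in range(5):  # mallory renames files to a block-listed suffix
        p = f"/vol/share/finance/q{i}.xlsx"
        ev.append(Event(120 + i, "mallory", "rename", p, p + ".locked"))
    ev.append(Event(126, "mallory", "write", "/vol/share/finance/README_DECRYPT.txt"))
    ev += [Event(200 + i, "bob", "write", f"/vol/share/hr/emp{i}.pdf") for i in range(25)]
    return ev


if __name__ == "__main__":
    v = analyze(sample_events(), BASELINE)
    for u in v.read_only_users:
        print(u, "-> read-only:", v.reasons[u][0], "| affected:", len(v.affected[u]))
    print(restore_plan(v, SNAPSHOTS))
```

In the sample stream, mallory is caught on the first rename by the block list and bob, whose writes use ordinary extensions, is caught by the learner on the 21st write; bob's restore plan still covers all 25 files because the pre-detection window is folded in, and it points at hourly.1 rather than hourly.0 because that is the newest snapshot that predates his burst.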


As important as ransomware protection is, so is the ability to catalog, search and restore your files quickly and easily. Knowing what you have and being able to locate it in seconds when you need it, even if you have billions of files, is huge. Catalogic has a solution for that as well, and this is where RestoreManager shines. RestoreManager is a scalable NetApp file catalog with an in-depth data analytics component. RestoreManager provides file indexing, search and restore capabilities for your NetApp environment. With these capabilities, you can use multiple search filters, including name, type, file size, creation date, deletion date, and other search parameters, to locate files easily.

As with CryptoSpike, RestoreManager is very easy to use and highly scalable, while giving you the option to restore your files to their original or an alternate location. RestoreManager communicates with the systems via NetApp’s ONTAP SnapDiff protocol and supports all versions of the ONTAP operating system for NetApp primary storage systems. For NetApp SnapVault and SnapMirror targets, RestoreManager works with ONTAP and NetApp Cloud Backup (formerly AltaVault). RestoreManager uses the Elasticsearch database, an open-source solution with excellent scalability, performance, load balancing and availability. RestoreManager is also licensed per controller node, with pricing tiered according to the NetApp model number. Again, there are no capacity limitations in terms of users, total storage, or number of files.
If you have any questions, please feel free to contact us. We would be happy to answer any of your questions and provide you with more information.


Posted 12/03/2020
