Ransomware Targeting Healthcare and Public Health Sector

As ransomware activity becomes even more prevalent in our day-to-day lives, ransomware operators are heavily targeting the Healthcare and Public Health Sector.

CISA and the FBI, along with the Department of Health and Human Services, recently released an advisory describing the tactics, techniques, and procedures that are typically used by cybercriminals against targets in the Healthcare and Public Health Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.

So, how do we detect these threats? CISA, FBI, and HHS assess that malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services. Within the Healthcare and Public Health Sector, these issues will be particularly challenging for organizations affected by the COVID-19 pandemic (which is pretty much everyone). Administrators will need to weigh this risk when determining their cybersecurity investments.

Many organisations are to the point where they are asking themselves:

“How do we prevent this from happening to us?”
Or, in a more unfortunate scenario: “How did we let this happen to us?”
And: “What do we do now?”
In either scenario, we can help you not only detect, protect, and prevent potential attacks, but also give you the tools to restore your organization back to its normal production state (even if you are already under attack). We do that by implementing CryptoSpike.
By utilizing your existing native snapshots, CryptoSpike uses a multi-pronged approach consisting of a Block List, an Allow List and a Pattern learner module to better protect your environment. It also detects immediate day-one threats, so that you know exactly where and on what user profile or device a potential attack took place, without having to do a full rollback or restore. With CryptoSpike you only restore the infected file(s) back to their last known good state, within seconds. This cuts down on time and resources tremendously by detecting, preventing, and allowing recovery from a ransomware attack within seconds to minutes. CryptoSpike is also very affordable and easy to deploy, so it not only keeps things cost-efficient but also makes it easy for you and your teams to deploy and monitor.
During a typical attack (as laid out in the CISA/FBI advisory), TrickBot's creators, “which are likely also the creators of BazarLoader malware, have continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization.” “These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.”
This is where access transparency comes in. Knowing which users accessed what data, when, and how often is very important. Since CryptoSpike monitors all user file access, it is ideally suited to track and deliver this information. With CryptoSpike, you can easily examine user behavior down to the level of files and folders. Reports show user activity in terms of file opens, closes, deletes, writes and so on, giving you definitive information that a given volume, folder or file was accessed by a given user. CryptoSpike works together with the NetApp FPolicy server, which is required: the FPolicy server enforces the blocking decisions made by CryptoSpike. For example, if ransomware is detected by the Learner module, the relevant user is switched to read-only access, which stops them from spreading the ransomware further. CryptoSpike also tells you which files have been affected and provides that list of infected files, so you can perform targeted recovery from NetApp snapshots rather than having to roll back an entire folder. CryptoSpike is licensed per controller node, with pricing tiered by system size according to the NetApp model number. There are no capacity limitations in terms of total storage, number of files, or number of users, making CryptoSpike licensing very easy to manage.
US Ransomware Attacks Doubled in Q3; Healthcare Sector Most Targeted
New Check Point research examines the ransomware threat landscape for Q3 2020, noting a 50 percent increase in daily attacks. The healthcare sector is the most targeted globally.
CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the network best practices laid out in the advisory, the FBI, CISA and HHS also recommend the following:
  • “Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.”
Here at Catalogic, we will help you with that recovery plan, but also with a plan of prevention and protection with CryptoSpike. Being able to see what’s going on within your environment is crucial, especially within the Healthcare and Public Health Sector. Please make sure you have a plan in place, and please feel free to reach out to us any time. We’re here to help.
To learn more about CryptoSpike – Ransomware Protection for NetApp, click here.

12/11/2020

Smart Data Protection at a More Affordable Cost

While we all continue navigating the ever-changing world of data protection, we’re always searching for better data protection at more affordable costs, while still maintaining the necessary security and compliance. At Catalogic, we do exactly that. We provide you with an array of data protection product options to help fit your environment’s needs. For example, our NetApp product options, CryptoSpike and RestoreManager, provide you with a more in-depth look at your environment from the data protection and search-and-restore analytics perspectives.

CryptoSpike is ransomware protection for NetApp, but it’s also so much more. CryptoSpike provides you with real-time detection, prevention, and recovery capabilities for your NetApp file environments. By utilizing your existing native snapshots, CryptoSpike uses a multi-pronged approach consisting of a Black list, a White list and a Pattern learner module to better protect your environment. It also detects immediate day-one threats, so that you know exactly where and on what user profile or device a potential attack took place, without having to do a full rollback or restore.

With CryptoSpike you only restore the infected file or files back to their last known good state, within seconds. This cuts down on time and resources tremendously by being able to detect, prevent and recover from a ransomware attack within seconds to minutes, and it doesn’t hurt the bank either.
Another aspect of overall data security is data access transparency: understanding which users accessed what data, plus when and how often. Since CryptoSpike monitors all user file access, it is ideally suited to track and deliver this information. With CryptoSpike, you can easily examine user behavior down to the level of files and folders. Reports show user activity in terms of file opens, closes, deletes, writes and so on, giving you definitive information that a given volume, folder or file was accessed by a given user. CryptoSpike works together with the NetApp FPolicy server, which is required: the FPolicy server enforces the blocking decisions made by CryptoSpike. For example, if ransomware is detected by the Learner module, the relevant user is switched to read-only access, which stops them from spreading the ransomware further. CryptoSpike also tells you which files have been affected and provides that list of infected files, so you can perform targeted recovery from NetApp snapshots rather than having to roll back an entire folder. CryptoSpike is licensed per controller node, with pricing tiered by system size according to the NetApp model number. There are no capacity limitations in terms of total storage, number of files, or number of users, making CryptoSpike licensing very easy to manage.
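The detection flow described here and in the first post (a block list of known-bad extensions, an allow list of trusted accounts, a learner that spots an unusual burst of writes, a read-only verdict for the offending user and a per-file list for targeted restore) as an added, simplified illustration in Python. This is not CryptoSpike's or NetApp's code; the event format, extension lists and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed policy data (hypothetical values, not CryptoSpike's real lists).
BLOCK_LIST = {".ryk", ".conti", ".locked"}          # known ransomware extensions
ALLOW_LIST = {"svc_backup"}                         # trusted accounts never restricted
BASELINE_EXTS = {".docx", ".xlsx", ".pdf", ".tar"}  # extensions the "learner" saw as normal
BURST_THRESHOLD = 3                                  # unknown-extension writes that trip it

# Constructed FPolicy-style notifications: (user, operation, path). Not real log data.
SAMPLE_EVENTS = [
    ("alice",      "WRITE",  "/vol1/reports/q3.docx"),
    ("svc_backup", "WRITE",  "/vol1/backup/2020-12-11.ryk"),  # allow-listed: ignored
    ("bob",        "RENAME", "/vol1/shared/patients.xlsx.ryk"),  # block-listed extension
    ("carol",      "WRITE",  "/vol1/hr/a.docx.zzz"),
    ("carol",      "WRITE",  "/vol1/hr/b.pdf.zzz"),
    ("carol",      "WRITE",  "/vol1/hr/c.xlsx.zzz"),   # third unknown extension: burst
    ("carol",      "OPEN",   "/vol1/hr/readme.txt"),   # reads never count as damage
]

def ext(path: str) -> str:
    """Lower-cased final extension of the basename, or '' if it has none."""
    base = path.rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""

def analyze(events):
    """Return {user: (reason, affected_paths)} for every user to be set read-only.

    reason is 'block-list' (a known-bad extension was written) or 'pattern'
    (too many writes with extensions outside the learned baseline). The path
    list is exactly what a targeted snapshot restore would need.
    """
    writes = defaultdict(list)
    for user, op, path in events:
        if user in ALLOW_LIST or op not in ("WRITE", "RENAME", "CREATE"):
            continue
        writes[user].append(path)
    verdicts = {}
    for user, paths in writes.items():
        blocked = [p for p in paths if ext(p) in BLOCK_LIST]
        unknown = [p for p in paths if ext(p) not in BASELINE_EXTS | BLOCK_LIST]
        if blocked:
            verdicts[user] = ("block-list", blocked)
        elif len(unknown) >= BURST_THRESHOLD:
            verdicts[user] = ("pattern", unknown)
    return verdicts

if __name__ == "__main__":
    for user, (reason, paths) in analyze(SAMPLE_EVENTS).items():
        print(f"set {user} read-only ({reason}); restore from snapshot: {paths}")
```

In a real deployment the verdict would be pushed to the FPolicy server to deny further writes by that user, and the path list drives the per-file restore instead of a volume rollback.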


As important as ransomware protection is, so is having the ability to catalog, search and restore your files in a quick and easy fashion. Knowing what you have and being able to locate it in seconds when you need it, even if you have billions of files, is huge. Catalogic has a solution for that as well, and this is where RestoreManager shines. RestoreManager is a scalable NetApp file catalog with an in-depth data analytics component. RestoreManager provides you with file-indexing, search and restore capabilities for your NetApp environment. With these capabilities, you’re able to use multiple search filters to easily locate files, including name, type, file size, creation date, deletion date, and other search parameters.

As with CryptoSpike, RestoreManager is very easy to use and highly scalable, while giving you the option to restore your files to their original or an alternate location. RestoreManager communicates with the systems via NetApp’s ONTAP SnapDiff protocol and supports all versions of the ONTAP operating system for NetApp primary storage systems. For NetApp SnapVault and SnapMirror targets, RestoreManager works with ONTAP and NetApp Cloud Backup (formerly AltaVault). RestoreManager uses the Elasticsearch database, an open-source solution with excellent scalability, performance, load balancing and availability. RestoreManager is also licensed per controller node, with pricing tiered according to the NetApp model number. Again, there are no capacity limitations in terms of users, total storage, or number of files.
Data protection is always extremely important, but so is being able to manage that data quickly, efficiently, and easily. What better way to do so than to have the ability to manage your storage array snapshots, replication and cloning processes all under one platform? Catalogic ECX is Copy Data Management (CDM) software that can bring modernization to an existing environment without disruption. ECX delivers “in-place” copy data management to enterprise storage arrays from IBM, NetApp, Pure Storage and HPE Nimble, allowing the IT team to make use of its existing infrastructure and data in a manner that is efficient, automated, scalable and easy to use. Catalogic ECX modernizes IT processes, enables key use cases, and does it all without additional hardware.

Organizations of all sizes need to modernize their IT processes to enable critical new use cases such as operational automation, DevOps and integration of system-of-record data with Cloud compute. They are equally challenged with improving management efficiencies for long-established IT processes such as data protection, disaster recovery, reporting, and test and development.

ECX from Catalogic automates the creation and use of copy data, snapshots, clones, and replicas on existing enterprise storage. This dramatically reduces the time spent on infrastructure management while improving reliability. By providing automation, user self-service and API-based operations without the need for any additional hardware, it frees up important IT resources. Being able to simplify the management of critical IT functions such as data protection and disaster recovery is extremely valuable for all environments. Automating infrastructure provisioning for test and development reduces management time by as much as 99%!

ECX also gives you the ability to catalog and track IT objects, such as volumes, snapshots, virtual machines, datastores, etc. ECX provides you with a more in-depth look into your copy data environment across the enterprise, including protection RPO/RTO compliance reporting. By fundamentally modernizing many common IT processes, ECX dramatically simplifies copy data management, enabling the automation and orchestration of data copies that can be leveraged across the enterprise and cloud for a variety of value-creating use cases. ECX is a very simple OVA deployment, is very easy to use and is licensed per array. There are no limits on storage capacity, number of users, number of files, or anything else!

In addition to ECX, our other data protection product rounds out your environment’s needs. Our DPX product is easy backup that works: rapid, low-impact backup and instant in-place recovery, whether you are off-loading to tape, disk, or cloud. DPX provides robust backup and recovery capabilities. Our patented block-level protection reduces backup time and impact by 90%, for both physical and virtual servers. Files and applications are easily recovered directly from backup storage. You can have peace of mind that your data is reliably protected as per your Recovery Point Objectives (RPOs) and is there when you need it.

If you have any questions, please feel free to contact us. We would be happy to answer any of your questions and provide you with more information.


12/03/2020
