Ransomware Targeting Healthcare and Public Health Sector

As ransomware activity becomes even more prevalent in our day-to-day lives, hackers and ransomers are heavily targeting the Healthcare and Public Health Sector.

CISA and the FBI, along with the Department of Health and Human Services, recently released an advisory describing the tactics, techniques, and procedures that are typically used by cybercriminals against targets in the Healthcare and Public Health Sector to infect systems with ransomware, notably Ryuk and Conti, for financial gain.

So, how do we detect these threats? How do they detect these threats? CISA, FBI, and HHS assess malicious cyber actors that are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services. Within the Healthcare and Public Health Sectors, these issues will be particularly challenging for organizations affected by the COVID-19 pandemic (which is pretty much everyone). Administrators will need to assess this risk when determining their cybersecurity investments.

Many organisations are to the point where they are asking themselves:

“How do we prevent this from happening to us?”
Or, in a more unfortunate scenario: “How did we let this happen to us?”
And: “What do we do now?”
In both scenarios, we can help you not only detect, protect, and prevent potential attacks, but also give you the tools to restore your organization back to its normal production state (even if you are already under attack). We do that by implementing CryptoSpike.
By utilizing your existing native snapshots, CryptoSpike uses a multi-pronged approach consisting of a Block List, an Allow List and a Pattern learner module to better protect your environment. It also detects immediate day-one threats, so that you know exactly where and on what user profile or device a potential attack took place, without having to do a full rollback or restore. With CryptoSpike you only restore the infected file(s) back to their last known good state within seconds. This cuts down on time and resources tremendously by detecting, preventing, and allowing recovery from a ransomware attack within seconds to minutes. CryptoSpike is also very affordable and easy to deploy, so it not only keeps things costefficient but also makes it easy for you and your teams to deploy and monitor.
During a typical attack, (as laid out in the CISA/FBI advisory) TrickBot creators, “which are likely also the creators of BazarLoader malware, have continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization.” “These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.”
This is where access transparency comes in. Providing you with the understanding of which users accessed what data, when, and how often, is very important. Since CryptoSpike is monitoring all user file access, it is ideally suited to track and deliver this information. With CryptoSpike, you can easily examine user behavior down to the level of files and folders. Reports will show you user activity in terms of file opens, closes, deletes, writes and so on. This will provide you with definitive information that a volume, folder, file, etc. was accessed by a given user. CryptoSpike works together with the NetApp FPolicy server, which is required. The FPolicy server will enforce the blocking decisions made by CryptoSpike. For example, if ransomware is detected by the Learner module, the relevant user will be changed to having read-only access, which stops them from further spreading the ransomware. CryptoSpike lets you know which files have been affected, allowing you to do targeted recoveries, rather than having to roll-back an entire folder. Meanwhile, CryptoSpike provides a list of infected files, allowing you to perform targeted recovery from NetApp snapshots. CryptoSpike is licensed out per controller-node with pricing tiered out by system size according to the NetApp model number. There are no capacity limitations in terms of total storage, number of files, or number of users, making CryptoSpike licensing very easy to manage.
US Ransomware Attacks Doubled in Q3; Healthcare Sector Most Targeted
New Check Point research examines the ransomware threat landscape for Q3 2020, noting a 50 percent increase in daily attacks. The healthcare sector is the most targeted globally.
CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best practices, the FBI, CISA and HHS also recommend the following:
  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.”
Here at Catalogic, we will help you with that recovery plan, but also with a plan of prevention and protection with CryptoSpike. Being able to see what’s going on within your environment is crucial, especially within the Healthcare and Public Health Sector. Please make sure you have a plan in place, and please feel free to reach out to us any time. We’re here to help.
To learn more about CryptoSpike – Ransomware Protection for NetApp, click here.

Let us show you around