19 Sep GUEST BLOG: Ransomware Investigations for Impacted Healthcare Entities
by: Jason Rebholz, Director at The Crypsis Group
In July of 2016, the HHS Office for Civil Rights (“OCR”) released updated guidance on how healthcare entities should respond to ransomware infections. The updated guidance introduced a presumption of a breach unless the entity can show there was a low probability that Protected Health Information (“PHI”) had been compromised. This is not something that an entity should try to answer alone. If a ransomware infection occurs, entities should engage with external counsel and a qualified incident response or forensics firm to conduct analysis with an objective of determining whether PHI data was compromised. The following case study helps to illustrate the appropriate response to a ransomware infection for a healthcare entity.
In August of 2016, a large medical practice noticed that they were unable to access their locally hosted Electronic Medical Record (“EMR”) application. Upon closer inspection, they noticed that files on the EMR application server were encrypted. This included supporting files for the EMR application which caused the application to crash and no longer start. The desktop background on the system had also been changed to an image containing instructions on how to decrypt the files. The healthcare entity determined they needed help and contacted external counsel and The Crypsis Group.
Given that the impacted system hosted PHI data, it was critical to establish whether the attack was just a ransomware infection or whether additional malicious activity occurred. To make that assessment, the investigation focused on determining the following:
- What was the initial attack vector?
- How did the threat actor gain access to the environment?
- How did the ransomware get installed on the system(s)?
- What actions occurred in the system(s) that the threat actor interacted with?
- Did the threat actor place additional malware or files on the system?
- Did the threat actor access additional systems?
- What capabilities did the ransomware have?
- Was there a backdoor component that would have allowed the threat actor additional access?
- Did the ransomware install additional malware?
- Did the threat actor access PHI data?
- Is there evidence that the threat actor accessed, collected, or exfiltrated PHI data?
Summary of the Attack
The investigation into the ransomware infection identified the following activity:
- A threat actor gained access to the environment by brute forcing weak credentials for a service account. The server allowed Remote Desktop Protocol (“RDP”) connections from the Internet; did not require multi-factor authentication, and did not have an account lockout policy.
- Once authenticated to the system, the threat actor downloaded and installed mass emailer software. The threat actor then sent phishing emails that mimicked popular websites to a pre-populated list of email addresses.
- One week after sending the phishing emails, the threat actor accessed the system again using RDP and downloaded a ZIP archive that contained the ransomware. After extracting the ZIP archive, the threat actor executed the ransomware on the system.
- The ransomware did not contain any additional functionality outside of encrypting files on the system.
- The investigation did not find evidence that showed lateral movement from the original server.
- The investigation did not find evidence of any access, collection, or exfiltration of data that resided on the server.
Based on the facts identified during the investigation, we determined that the threat actor did not access PHI data that resided on the server. This was only possible through a thorough forensic analysis of the system. Crypsis provided external counsel the findings which allowed them to complete a risk assessment and ultimately rule out the requirement to report a breach.
Threat actors are able to identify and exploit the smallest of security gaps in your environment. Although there is no single solution that that will prevent every attack, organizations should embrace multiple layers of security to mitigate the impact of future incidents. The following lessons learned were common themes observed across the ransomware victims that could have mitigated the impact of the incident:
- Ensure remote access requires multi-factor authentication: All remote access to your environment should require multi-factor authentication. This small fix significantly increases the security posture of organizations.
- Ensure systems are continuously patched: When it comes to ransomware, threat actors are playing a numbers game. Rather than focus all efforts on a single target, threat actors trying to deploy ransomware try to find the lowest hanging fruit across the widest audience. Threat actors will look for weaknesses in both external and internal systems. Organizations should ensure they are continuously patching systems, services, and third-party applications.
- Ensure end-users do not have administrative privileges: Removing administrative privileges from end-users can reduce the ability for malicious files to execute on their systems and limit potential lateral movement to other systems in the organization’s environment.
- Have a robust business continuity plan: Ensure that the organization has an actionable plan in place to restore data and services for the most important systems and applications. The plan should cover how to prioritize data recovery in the event of a widespread issue.
To learn more about OCR’s updated guidance and hear an in-depth case study on ransomware, our friends at The Crypsis Group are having a webinar soon. Visit this link to sign up.