Expert Comment on Irish Health Service Ransomware Attack

Following the news that Ireland’s health service has closed down its computer systems after a ‘significant ransomware attack’, please see below for comment from security experts.

Experts Comments

May 17, 2021
Chris Vaughan
Technical Account Manager
Tanium

As we saw with the tragic ransomware attack on the Düsseldorf University Hospital last year, the threats targeting healthcare organisations can have an impact on patient health as well as IT systems. This latest incident highlights that the healthcare sector continues to be a prime target for attacks like these, and unfortunately, I expect this to continue. For the next few hours damage control will be critical to ensuring the welfare of the organisation’s patients and the IT infrastructure that helps care for them.

Such attacks are a reminder of the importance of backing up files regularly and that the systems used for this must be tested regularly. If the worst is to happen and ransomware gains a foothold in an IT environment, then an effective backup strategy will aid post-attack recovery. It can potentially allow organisations to minimise downtime disruptions to their operations and possibly prevent them from needing to pay the ransom.

Another way to minimise the impact of ransomware attacks is to ensure staff are trained to look out for potentially malicious links in emails. It’s not correct to think that everyone already understands and follows this advice as many successful ransomware attacks begin in this way. My message is that you can’t always stop a sophisticated cyber-attack, but by having a good standard of IT hygiene and training in place you can certainly make it more difficult for the attackers to be successful.

May 17, 2021
Stephen Bradford
SVP EMEA
SailPoint

Ireland’s health service being closed down due to a ransomware attack signals yet another attack on critical infrastructure. At a time when healthcare has been under immeasurable pressure, it’s clear cyber criminals won’t hold back no matter what disruption is caused.

Outdated IT systems stand little chance against these attacks, which are becoming increasingly sophisticated in nature. A simple click on a link or web pop-up is enough to let the hackers in and bring everything to a standstill.

Organisations must implement multiple security controls, enlisting the help of technologies such as AI which can help identify vulnerabilities. This is critical to reduce the risk of ransomware and other malicious malware threats.

May 17, 2021
Ilia Kolochenko
Founder and CEO
ImmuniWeb

Ransomware gangs are becoming gradually more organized and efficient. They carefully select and purposely target those organizations with no viable choice but to pay the ransom, oftentimes, targeting the most vulnerable organizations and businesses. Untraceable payments in cryptocurrencies grant virtual impunity to the attackers.

Western law enforcement agencies are largely understaffed and underfunded to tackle the surging wave of ransomware, while legislators rather try to address the consequence rather than dealing with a root cause of the problem such as missing cybersecurity hygiene and ignorance of foundational best practices.

International collaboration in judicial prosecution and investigation of cybercrime is probably hitting its bottom in 2021 because of the growing political tensions. Eventually, we will probably observe a flat ban of some cryptocurrencies or a regulatory overkill that will push into bankruptcy many crypto stock exchanges and related businesses. Last year OFAC made it crystal-clear that paying a ransom may constitute a violation of sanctions and trigger legal ramifications for the victims who pay criminals to get their data back. Today, the recent probe of Binance, commenced by the US DoJ and the IRS, unambiguously evidences that the US government is serious about curbing now-unregulated crypto markets. Booming ransomware is a perfect reason to justify it.

May 17, 2021
Anurag Kahol
CTO
Bitglass

Healthcare organisations have been a major target since the start of the pandemic, and as a result need to ensure they take every precaution necessary to protect patient data. Hundreds of hospitals, medical offices, and imaging centres have contributed to over a billion exposed records; Ireland's health service, the Health Service Executive, has become one of many.

The rapid digitisation of patient records means it’s been very difficult to implement consistent data security policies and training schemes to educate staff on keeping data safe. As healthcare organisations make patient data more accessible to individuals and new systems, they must make information security their top priority.

Strategic investments in cybersecurity will make a significant impact on protecting healthcare businesses against cyber security risks, which will potentially save billions in the long run. To prevent future ransomware attacks and safeguard highly sensitive information, organisations must have full visibility and control over their data. This can be accomplished by leveraging multi-faceted solutions that defend against malware on any endpoint, enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, and prevent data leakage. What’s more, healthcare organisations need to ensure adequate employee training to protect from ransomware. Employees must be able to identify phishing attempts and illegitimate emails, which is the primary vector for ransomware attacks.

May 17, 2021
David Higgins
EMEA Technical Director
CyberArk

The success of this ransomware campaign is concerning for so many reasons. Previous attacks such as WannaCry in 2017, which cost the NHS £92 million and saw 19,000 appointments cancelled, are a stark reminder of the consequences this kind of cyberattack can have. They're callous, and what's devastating is that they can lead to the loss of life.

Ransomware typically starts on endpoint devices. But, of course, encrypting one device isn’t going to cause sufficient disruption or compel businesses to pay the ransom attackers are after. Instead, they use these devices as a gateway to move throughout the network to encrypt the files, applications and systems that matter most to businesses. This move from the endpoint to the network is integral to attackers’ strategies – and is also the point where healthcare providers can break that chain and prevent these attacks from spreading.

Taking a proactive approach that protects privileged access to those files and systems that matter most is key. This helps stop attackers in their tracks by keeping these events contained to the initial infection point -- making them much less effective and minimising the potential damage.

May 17, 2021
Patrick Wragg
Cyber Incident Response Manager
Integrity360

The ransomware variant is reported to resemble “Conti”. This is a ransomware tool that has been in operation since at least December 2019 and is believed to be derived from the “Ryuk” ransomware variant. Conti is often deployed using the “TrickBot” infrastructure. Conti is designed to be operated by the attacker, rather than via an automated process, and it contains unique features that allow a more targeted and quicker attack. Conti’s ransomware operations have targeted a wide variety of sectors globally, which include construction, manufacturing, and retail.

We would recommend that businesses increase vigilance of their environment, ensuring firewalls, IDS/IPS and AV solutions are monitored for any malicious activity; servers and applications are patched and consideration is given to disabling external RDP functionality or SMB.

May 17, 2021
Brooks Wallace
VP EMEA
Deep Instinct

Sadly, the higher the criticality and business or human impact an attack has, the more likely the victim is to pay. Healthcare organisations are at the top of the human impact chain, but they are also very vulnerable to cyber attacks as they often don’t have significant IT security budgets to invest in the most comprehensive protection capabilities. SecOps teams are doing their best to prevent breaches but they are under constant attack from highly sophisticated threats.

The consequences of these attacks can impact healthcare workers and their patients who need treatments. These attacks can cause delays to the encrypted machines, cause the medical equipment healthcare workers use to stop working, and make potential life-saving equipment inaccessible.

The SecOps teams will have to identify the ransomware. Not only will they have to triage the infected machines, but they will also need to stop the lateral spread, likely using multiple tools and consoles, but with limited resources.

The best protection against attacks such as this one is a multi-layered approach using a variety of solutions. A “prevention-first” mindset is also key - attacks need to execute and run before they are picked up and checked to see if they are malicious, sometimes taking as long as 60 seconds or more. When dealing with an unknown threat, 60 seconds is too long to wait for an analysis. Organisations need to invest in solutions that use technology such as deep learning which can deliver a sub-20 millisecond response time to stop a ransomware attack, pre-execution, before it can take hold.

May 17, 2021
Sam Curry
Chief Security Officer
Cybereason

Ransomware attacks have slowed over the past few years, but threat actors are much more strategic in their attacks and ransom demands have skyrocketed. Threat actors are criminals, money grubbers and in attacks on critical infrastructure they are committing cyber terrorism. Cybereason advises against paying ransoms, but this is a very personal decision for a company. In life and death situations or because of a national emergency, it could be in the best interest of the company to pay. Before you make that decision, make sure your company’s legal counsel and insurer are involved. And notify law enforcement of the situation.

With news reports claiming Colonial Pipeline paid a $5 million ransom to DarkSide, more attacks are coming from emboldened threat actors. Will ransom demands hit a ceiling at $10 million, $100 million, $1 billion? It is simply never a good idea to pay criminals or terrorists.

Ransomware is preventable and it requires a mature security program on your network to stop it. Install endpoint detection and remediation software on your endpoints to stop the threat. A leading analyst firm recently published statistics showing that only 40 percent of endpoints had endpoint detection software installed on them. To overcome the scourge of ransomware this number will need to increase significantly.

May 17, 2021
Jaya Baloo
CISO
Avast

Over the past few months, we’ve seen ransomware attacks crippling hospital IT systems in France, Spain and now Ireland. Hospitals are susceptible to getting caught in the crossfire of large-scale attacks because many have vulnerabilities in networks and devices that are connected to the internet and it's difficult to prevent users from clicking on phishing links. This is what ransomware relies on.

Ransomware attacks are typically the final step in a chain of events leading to a compromised computer network. In order to prevent critical infrastructure like healthcare institutions from widespread disruption, they must secure their networks and have online and offline backups in place to restore any loss of important data. When an organisation is hit by ransomware, the five steps to take would be to:

1. Isolate the affected systems;
2. Identify and secure backup options;
3. Collect log information and conduct forensics where needed;
4. Attempt to identify the ransomware strain (check No More Ransom) and see if there is a decryption key available;
5. Contact law enforcement and decide on how to proceed.

Moving forward, they should also create an incident response plan which can help them conduct triage and provide not only rapid response capability for security incidents, but also help establish an incremental improvement path. This’ll take time but it’s a critical process, otherwise the door will remain open for the same thing to happen again in the future. Unfortunately, we see a rise in successful attacks because ransomware is being run as a service to cybercriminals, which increases both the sophistication and ease of launching an attack. We need national coordination to improve our defenses in critical infrastructure and international cooperation to take down these cybercriminal operations.

May 17, 2021
Joseph Carson
Chief Security Scientist & Advisory CISO
Thycotic

Ransomware attacks are on the rise and evolving into a very dangerous digital weapon. Not only are they on the rise but they are becoming more successful, more damaging and the ransom demands are increasing into tens of millions of dollars. Ransomware and data theft continue to be the biggest threats to organizations around the world and no one is immune. It is clear that cybercrime groups are not above targeting the healthcare sector or critical infrastructure with ransomware, making them no longer just digital thieves but now digital terrorists. When your motive is financial that is one thing, but when you put people’s lives at risk it is a serious impact to society. Cybercrime groups have to realise that targeting healthcare or critical infrastructure during a global pandemic will result in unnecessary deaths. If you do become a victim of ransomware, you typically only have a few choices and one of them is to decide on whether to pull the plug on the systems and network which appears to have been the decision on recent ransomware victims.

May 17, 2021
Richard Walters
CTO
Censornet

Ransomware attacks against any organisation can have serious consequences, but in the case of healthcare services, any downtime could cause real harm to real people in need of medical treatment. Unfortunately, healthcare systems include a lot of legacy infrastructure which is difficult or sometimes impossible to patch, making those systems a soft target.

The HSE acted extremely quickly and the response of taking systems offline whilst the extent of the attack is fully investigated and understood is vital to containing it, despite the obvious concern and unease this will cause for patients.

May 17, 2021
Matt Lawrence
Director of Detection and Response
F-Secure

Attacks against the Healthcare sector are abhorrent and we hope that Ireland’s health service can recover as quickly as possible to minimise the damage and risk to life. Since 2019, the Healthcare sector has seen a shift from breaches caused by Internal actors to primarily External actors. Healthcare now matches the trend seen in other sectors and reflects how, in recent years, human-operated ransomware has become a prevalent and an impactful threat to organisations worldwide.

A proactive approach is essential to prepare for compromise and all organisations should consider the steps necessary to enable a more agile, responsive and effective defensive posture before it's too late.
