Experts provide insight below on the cyberattack that took place on Universal Health Services in the early hours of Sunday morning.
This absolutely massive attack targeting UHS shows that even large national organisations can be taken down singlehandedly by ransomware gangs. Indeed, our offensive operations team often finds that the larger an organisation is, the easier it is to take complete control of their computer operations. Large organisation networks can quickly become exponentially complex as different teams and departments each deploy their own systems and applications, often without vetting by their internal security team. This gives attackers a huge attack surface to target. Very often it takes only a single misconfigured system or missing security patch to cause the whole organisation’s defenses to fall like a row of dominoes. Modern ransomware gangs are not unsophisticated “script-kiddies”, they are competent and well-funded hackers capable of capitalising on any mistake a victim makes, especially around monitoring and response to security alerts in the middle of the night.
This circumstance is especially unfortunate in the disruption of a large healthcare provider. Without an in-depth, we may not be able to attribute patient deaths or other adverse outcomes to the ransomware attack, but as organisational healthcare operations become more reliant on technology it’s sadly inevitable patient care will suffer in adverse ways from cyber-attacks.
The only way for organisations to protect themselves from these potentially catastrophic outcomes is to adopt a culture of security, starting with understanding and support from executive management. If there is no buy-in or budget provided from leadership, not even the most talented security engineers or best of breed products stand a chance against modern ransomware gangs. You must start with the assumption that the attackers will find a way to breach the network perimeter and gain internal network access. If your threat models and security testing don’t start with this assumption you don’t stand a chance of surviving an attack without significant monetary and operational cost. You need a holistic approach that starts with understanding and implementing information security best practices from personnel training to technical configurations. Just as important is regular penetration testing as well as 24/7 security monitoring and threat hunting capabilities to ensure that no security gaps exist and initial alerts of potential compromise are caught and shut down before significant damage occurs.
If Universal Health Services has been targeted by Ryuk ransomware, it is worth noting how this ransomware has crippled both the public and private sectors. It is known for targeting enterprise organizations with the intention of demanding higher payments for the decryption key. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. A commodity malware, Hermes has been observed for sale on forums and used by multiple threat actors. The ransomware will typically be dropped by an already compromised system that has been infected by Trickbot or Emotet through a phishing email. Once the Ryuk payload has been successfully dropped and executed, it will encrypt the system’s files and then demand a ransom fee in order to decrypt the victim’s data.
Many ransomware attacks today have evolved to double extortion. Usually, the attacker would exfiltrate a copy of the data before encrypting them. This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves. In order to claim responsibility and pressure the victim during the negotiation process, the attacker will often release small portions of the data online. If the negotiation turns out badly, the attacker then publishes all of the exfiltrated data or sells them to third parties. These attacks are essentially a combination of a ransomware attack and a data breach. Organizations that are victims of this attack feel extremely helpless when hit by double extortion attacks because their compromised databases likely contain proprietary or secretive information that they would instead have destroyed then published or sold. So, it\’s a double threat.
By releasing a small sample, it is easy for an attacker to imply they have your data, though very difficult to prove forensically because most organizations don’t have that layer of visibility. This puts on another pressure point, and if the impacted organization has implemented a Data Loss Prevention (DLP) solution, it can be easily validated that hackers have also downloaded the entire database. With that said, since this tactic is relatively new, there are no real data points for either the attacker or the defender that says it increases the payout potential of the victim.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics