Just four months into 2016, the healthcare industry is already facing a permanent and increasing threat to hospital operations: ransomware. Previously, BakerHostetler reported that Hollywood Presbyterian Hospital paid 40 bitcoins to access its own electronic health records after its information systems were locked with ransomware. Since then, at least five other healthcare entities have been infected with ransomware.
According to the March 31, 2016, United States Computer Emergency Readiness Team (US-CERT) Ransomware and Recent Variants Alert, ransomware variants “Locky” and “Samas” are the culprits for recent healthcare incidents (Samas/Samsam/MSIL.B/C). Locky has infected computers in healthcare facilities and hospitals in the United States, New Zealand, and Germany. It is acquired through spam emails that have malicious Microsoft Office documents or compressed files attached (.rar, .zip). Samas is acquired through vulnerable webservers.
Although many types of ransomware can be traced to human error and lack of training, such as downloading or installing malicious files, the Samas ransomware targets a specific vulnerability in a type of business software known as JBOSS, and bypasses any human action. Samas, as detailed by Cisco Talos, exploits the software vulnerability in JBOSS using open source codes, such as the JexBoss testing and exploitation framework for JBOSS, to gain access and then spread the ransomware within the network. Cisco Talos has already seen that the ransomware attackers are testing the amount of money they can collect from affected entities. Cisco Talos has also released SNORT rules and ClamAV signatures to help entities detect Samas.
In addition to Cisco’s research team, Microsoft’s Malware Protection Center is also following the Samas ransomware infections and chronicling the changes and patterns of the attack. The guidance from the government and companies working in the cybersecurity space underscores the importance of making sure software is up-to-date and networks are protected.
US-CERT’s recent alert also provides the following preventive measures for individuals and organizations:
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
- Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.