
Page 1: Ransomware and Digital Extortion - EXPLORE 2020 · •Overview of Ransomware/Digital Extortion and the Threat to Healthcare Industry •Case Studies of Healthcare Ransomware Attacks

Ransomware and Digital Extortion Prevention and Recovery

Presented By: CS-FO Thomas Gilchrist, FBI-Oklahoma City

On Behalf Of: Explore Healthcare Summit 2019

Page 2

My Bio

• 2007: Intern at FBI-Birmingham

• 2008: SSC/SST/OST at FBI-Birmingham

• 2009: B.S. in Criminal Justice at UAB

• 2013: M.S. in CIS at UAB

• 2015: CS-FO at FBI-OKC

• 2018: Adjunct Faculty at UCO

Page 3

Today’s Objectives

• Overview of Ransomware/Digital Extortion and the Threat to Healthcare Industry

• Case Studies of Healthcare Ransomware Attacks

• Ransomware Tips/Strategies for Prevention, Mitigation, Preparation and Recovery

• Law Enforcement Involvement Considerations

• Overview of Other Cyber Attacks

– Denial-of-Service, Data Theft, Business Email Compromise, Malvertising, Cryptojacking

• Q and A

Page 4

Ransomware and Digital Extortion

• Digital Extortion is the act of coercing an individual or company to pay to access stolen or hidden cyber assets

– Ransomware is the most common weapon for achieving this

– 2016 was the “Year of Ransomware”

Page 5

Two Types of Ransomware

• #1: Locker – “Locks down” a digital device

– Blocks the user’s ability to access anything on the system until the ransom is paid

– Files remain intact (just not accessible)

– Common requested payment is prepaid cards and vouchers

– Most commonly targets mobile devices

• #2: Crypto – Weaponizes encryption

– Searches through files on a system targeting specific file extensions

– Encrypts targeted files and drops a ransom note for payment in exchange for the private key (required for decryption)

– Common payment is cryptocurrency (Bitcoin)

Page 6

Locker Ransomware

Page 7

Crypto Ransomware

Ransom Note

Encrypted Files

Targeted File Extensions

Page 8

Ransom Notes

Text File

HTML Splash Page

Page 9

Healthcare is Under Attack

• Some 2019 Statistics:

– 89% of healthcare organizations have experienced a data breach in the past 2 years

– 50% of healthcare organizations have experienced a ransomware incident within 1 year

– Average loss from ransomware for a business is $133,000

– Estimated losses for the healthcare industry in 2019 are $25 billion

• Reasons Healthcare Is Targeted:

– Significant amount of PII in data

– Downtime of systems means downtime in patient care

– It's profitable!

Page 10

Case Study #1: Hollywood Presbyterian

• 2016 – First well-documented attack on healthcare

• Hollywood Presbyterian Medical Center – Los Angeles, CA

• Targeted by Locky ransomware – Delivered through a Word document with an embedded VBA macro

• 10 Days of Downtime

– Systems for lab work, pharmaceutical orders, and emergency room inaccessible

• Paid $17,000 Bitcoin ransom

Page 11

Case Study #2: MedStar Health

• 2016 – First multi-site attack

• Affected 10 hospitals and more than 250 outpatient centers – Baltimore/DC Area

• Targeted by SamSam ransomware – Delivered via Web App security vulnerability (a patch existed)

• Mass confusion caused by multi-site compromise

• Paid $19,000 Bitcoin ransom

• Two Iranian hackers indicted in 2018 by DOJ – Made roughly $6 million and caused $30 million in damages

Page 12

Case Study #3: To Pay or Not to Pay

• 2016 – Kansas Heart Hospital – Wichita, KS

• Paid initial ransom

– Partial file access

– Second ransom demand

• 2016 – Christopher Rural Health – Christopher, IL

• Did not pay ransom – Restored from backups!

• The FBI DOES NOT support ransom payment – Cyber Division Assistant Director James Trainor

• Reasons:

– Access to files is not a guarantee (see Kansas Heart)

– Payment can fund other criminal enterprises

– Payment sets bad precedent and emboldens criminals

Page 13

2019 Attacks Continue…

• While ransomware attacks are on the decline for most industries, this is not the case for healthcare

– Due to the success rate of these organizations paying ransoms quickly to regain access to important data, and a lack of preparedness

• NEO Urology – Paid $75,000 ransom

– Suffered 3 days of downtime

• Estes Park Health – Insurance paid the ransom…TWICE

– Paid $10,000 deductible on ransom payment

• Olean Medical Group

• Seneca Nation Health System

• Shingle Springs Health and Wellness Center

• Boston Residex Software

Page 14

Ransomware Prevention

• Prevention of ransomware is associated with understanding common delivery mechanisms and “plugging those holes”

– Prevent the malware from getting on your systems in the first place!

• Common Initial Attack Vectors

– Phishing/Email Attachments

– Social Engineering

– Vulnerability Exploit Kits

– Hacking

• Let’s discuss some techniques to prevent each of these…

Page 15

Phishing/Social Engineering

• Continual education of employees against phishing attacks and social engineering is critical

• Train employees to never open email attachments with certain suspicious file extensions: exe, vbs, js, ps

• Turn off JavaScript execution in Adobe Reader for PDFs

• Turn off Flash player execution in Browsers

• Be VERY cautious of Microsoft Office VBA Macros

– Often code that reaches out to a malicious server to download and execute malware
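As an added example (not from the presentation), the attachment rule above written as a mail-filter check in Python: it parses a constructed message with the standard `email` library and flags attachments by their final extension, so a double-extension name such as `invoice.pdf.exe` is still caught. The extension list is the slide's (exe, vbs, js, ps) extended with assumed entries `ps1` and the macro-enabled Office types `docm`/`xlsm`; the sender, recipient and attachment bytes are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions the slide lists as suspicious (exe, vbs, js, ps) plus, as assumptions
# added here, ps1 for PowerShell scripts and docm/xlsm for macro-enabled Office files.
BLOCKED_EXTENSIONS = {"exe", "vbs", "js", "ps", "ps1", "docm", "xlsm"}

def attachment_findings(raw_message: bytes) -> list:
    """Return one finding per attachment whose name ends in a blocked extension.

    A name such as 'invoice.pdf.exe' is judged by its final extension, so the
    decoy '.pdf' in the middle does not hide it.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: blocked extension .{ext}")
    return findings

def build_sample_message() -> bytes:
    """Constructed message: one benign PDF plus two attachments that should be flagged."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.invalid"
    msg["To"] = "accounts@hospital.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK constructed", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="order.docm")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in attachment_findings(build_sample_message()):
        print(finding)
```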

Page 16

More Email Tips

• Train employees to be cautious with links

– Shortened links are suspicious; sites exist to expand shortened links without visiting them (checkshorturl.com)

– Be aware a link can say it will send you one place and redirect you to a malicious site to download malware

– Be aware legitimate sites can host ads that direct to malware

• See Malvertising later…

• Train employees to be cautious with unknown storage media

– USBs exist that pose as a “virtual keyboard”, entering commands into a system when plugged in; they execute commands on the system with no user interaction!

Page 17

Hacking

• Hacking just means gaining unauthorized access to a network

– It's not always that sophisticated!

• If the criminal can gain access to the network, they no longer need an employee to execute the malware…they can just do it themselves

Page 18

Hacking/Vulnerabilities Tips

• There are many ways to prevent unauthorized access

– Block remote access unless absolutely necessary

– Severely limit users that can remote access

– Whitelist specific devices allowed remote access

– Enforce strong passwords and Two Factor Authentication

– Enable logging of proxies and VPN concentrators

– Keep systems patched for security risks

– Run automatic vulnerability scans for security risks

• Nessus

– Hire pen testers to test the network and your security team

• White Hat Hackers

• Be wary of vulnerability scanners posing as pen testers!

Page 19

Ransomware Preparedness

• Preparedness for ransomware is the process of putting protections in place to mitigate the damage of a ransomware attack BEFORE it occurs

• #1 Key is BACKUPS!

– BACKUP all operations-critical data

– Backups should be AIR-GAPPED

• Store OFFLINE and OFFSITE

• Anti-Ransomware Software

– Antivirus vendors are offering Anti-ransomware software

– Detects sudden mass changes to files and stops them from continuing

– Companies like Malwarebytes are still Beta testing

Page 20

Ransomware Preparedness Cont.

• Engineer Network Architecture with Security Precautions

– Utilize host and network security appliances like firewalls and intrusion detection/prevention systems

• Configure with default deny rules and event alerts instead of silent logs

– Segment network with VLANs to prevent lateral movement

– Use Virtual Machine environments

• Snapshot to have restore points

– Use Honeypots and Decoy Systems

– Utilize a constant Network Security Monitoring team

• Requires human inspection, not just IDS/IPS auto alerting

Page 21

Incident Response and Recovery

• Fully Develop Incident Response Plan

– Fully scope your security landscape

• Includes all sites and third parties with access like contractors/vendors

– Fully identify job duties and roles

• Typical plan:

– Isolate infected systems from network

– Identify the malware by researching encrypted file extensions

• Some ransomware strains have known decryptors online!

– Collect Evidence for/report to law enforcement

• Image compromised systems, memory captures of live compromised systems, security log files, malicious executables, phishing emails with headers

– Restore systems via backups

– Fix security flaw to prevent similar compromise
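An added example (not the speaker's code) serving two points together: the anti-ransomware behaviour described under Preparedness, detecting a sudden mass change to files, and the response step above of identifying the strain from the encrypted file extension. It runs a sliding-window count over a constructed file-server activity log and reports, per process, the extensions it introduced; the log format, the process name `update.exe` and the `.locky` extension are assumptions, and the threshold and window are tunable.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server activity log (not output of any real product); the
# field names are assumptions. One process renames five files within seconds.
SAMPLE_EVENTS = r"""
2019-06-03T09:14:02 proc=winword.exe user=jdoe op=RENAME path=\\fs1\share\draft.docx new=\\fs1\share\draft_v2.docx
2019-06-03T09:14:40 proc=explorer.exe user=jdoe op=MODIFY path=\\fs1\share\budget.xlsx
2019-06-03T09:15:00 proc=update.exe user=jdoe op=RENAME path=\\fs1\share\a.docx new=\\fs1\share\a.docx.locky
2019-06-03T09:15:01 proc=update.exe user=jdoe op=RENAME path=\\fs1\share\b.xlsx new=\\fs1\share\b.xlsx.locky
2019-06-03T09:15:01 proc=update.exe user=jdoe op=RENAME path=\\fs1\share\c.pdf new=\\fs1\share\c.pdf.locky
2019-06-03T09:15:02 proc=update.exe user=jdoe op=RENAME path=\\fs1\share\d.jpg new=\\fs1\share\d.jpg.locky
2019-06-03T09:15:03 proc=update.exe user=jdoe op=RENAME path=\\fs1\share\e.docx new=\\fs1\share\e.docx.locky
2019-06-03T09:15:04 proc=update.exe user=jdoe op=CREATE path=\\fs1\share\_HELP_instructions.txt
"""
LINE = re.compile(r"(?P<ts>\S+) proc=(?P<proc>\S+) user=(?P<user>\S+) "
                  r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?")
WINDOW = timedelta(seconds=60)   # how far back renames are counted
THRESHOLD = 5                    # extension-changing renames that trigger an alert

def extension(path: str) -> str:
    """Final extension of a Windows-style path, lower-cased ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def detect_mass_renames(log_text: str) -> list:
    """Alert when one process renames THRESHOLD files to a new extension within WINDOW.

    Returns (process, user, extensions introduced, count) tuples, one per process
    the first time it crosses the threshold; the extension list is what a
    responder would research to identify the strain.
    """
    recent = defaultdict(deque)   # process -> timestamps of extension-changing renames
    new_exts = defaultdict(set)   # process -> extensions it has introduced
    alerted, alerts = set(), []
    for line in log_text.strip().splitlines():
        m = LINE.match(line)
        if not m or m["op"] != "RENAME" or not m["new"]:
            continue
        new_ext = extension(m["new"])
        if new_ext == extension(m["path"]):
            continue   # file type kept: ordinary user activity
        ts = datetime.fromisoformat(m["ts"])
        window = recent[m["proc"]]
        window.append(ts)
        new_exts[m["proc"]].add(new_ext)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= THRESHOLD and m["proc"] not in alerted:
            alerted.add(m["proc"])
            alerts.append((m["proc"], m["user"], sorted(new_exts[m["proc"]]), len(window)))
    return alerts
```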

Page 22

Law Enforcement Considerations

• Things the FBI will not do:

– Help restore your data

– Determine who you should notify

• Things the FBI will do:

– Collect evidence for investigation

– Indict the parties involved

Page 23

Denial-of-Service

• A denial-of-service (DoS) attack has one goal: Make a networked service or resource unavailable

• DoS is the older cousin of ransomware

• There are two main methods:

– Distributed DoS (DDoS): flood bandwidth with junk traffic

– Exploit a bug/weakness in an application to cause it to freeze/crash

Page 24

DoS Prevention and Recovery

• There are several vendors of DDoS protection services

– Such as Imperva Incapsula, Akamai, and Cloudflare

• There are things your organization can do to mitigate attacks

– Engineer the architecture to have real-time scalable bandwidth and design failsafes for system crashes

– Use black hole routing to route malicious traffic to another destination to be dropped

– Keep services and applications patched for known flaws

– Configure firewalls and IDS/IPS to use rate limiting and traffic filtering

– Use load balancing for important services

– Use a CAPTCHA to prevent bot access to a resource

Page 25

Data Theft

• When a network is compromised, data theft is a real possibility

– Targets Personally Identifying Information (PII) or trade secrets

• It is possible for data theft to occur prior to a ransomware attack

Page 26

Data Theft Protections

• The key to protecting data is to identify the data to be protected!

– Knowledge is power…you must KNOW what is sensitive in your network

• Design your network with protection of sensitive data in mind

– Segment it away from publicly accessible network segments, behind security appliances

– Restrict access with strong authentication

– Store with encryption

– Monitor access with logs and/or traffic captures/live monitoring

• Most important means of protection is education about social engineering attacks!

Page 27

Business Email Compromise

• BEC refers to a group of attacks designed to trick businesses and/or their customers/vendors into redirecting payments to a criminal third party

– Sometimes compromise legitimate business email accounts

– Sometimes spoof (pretend to be) legitimate business email accounts

– Sometimes use misspellings of business email accounts

• Healthcare email fraud attacks have increased 473% in the past 2 years

Page 28

BEC Prevention

• Educate employees that make financial transfers

– Implement a Two-Step Verification protocol in which all financial funds transfers and modifications are approved by a second party, preferably via phone

• Protect your email accounts from unauthorized access

– Avoid using free email account services like Gmail or Yahoo

– Implement a Two-Factor Authentication solution

– Monitor email forwarding rules

• Protect from spoofed email

– Utilize DMARC/DKIM to protect your domain from being spoofed

– Utilize email spam filters

• Protect from “similar sounding” domains

– Consider buying rights to common domain misspellings
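An added example (not from the presentation) for two of the BEC controls above: grading a DMARC TXT record, since a record with `p=none` reports spoofing but does not stop it, and flagging a sender domain that resembles your own, the “similar sounding” domain problem. The records and domain names are constructed; the confusable-character folding and the 0.8 similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed DMARC TXT records used for illustration; not records of any real domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@hospital.invalid"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hospital.invalid"

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list:
    """Explain why a record would not stop a spoofed message from being delivered.

    p=none only asks receivers to report; quarantine/reject asks them to act.
    pct below 100 applies the policy to a sample of mail only.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: spoofed mail is only reported, not quarantined or rejected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to a sample of mail only")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return findings

def fold_confusables(domain: str) -> str:
    """Map characters criminals swap for look-alikes (0/o, 1/l, rn/m) to one form."""
    return domain.lower().replace("0", "o").replace("1", "l").replace("rn", "m")

def is_lookalike(sender_domain: str, own_domain: str, threshold: float = 0.8) -> bool:
    """True when sender_domain differs from own_domain but closely resembles it."""
    a, b = sender_domain.lower(), own_domain.lower()
    if a == b:
        return False
    if fold_confusables(a) == fold_confusables(b):
        return True
    # Catch transposed or dropped letters such as hosptial.org for hospital.org.
    return SequenceMatcher(None, a, b).ratio() >= threshold
```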

Page 29

Malvertising/Cryptojacking

• Malvertising is a technique of using ad banners and pop-ups to download and execute malware onto a victim system

– Some require the user to click the ad; others are “drive-by downloads”

– Another delivery mechanism for ransomware too!

– Best security is Pop-Up/Ad Blockers with AV or Browser settings

• Cryptojacking is a means of forcing a user’s system to mine cryptocurrency when visiting a web site

– A legitimate web server is compromised to host a JavaScript file that embeds in a footer on the site’s pages; executed when viewed

– The new malware threat of 2018-2019

– Best security is minimizing user accounts that can edit site content and using good authentication of those accounts

– Also look for suspicious JavaScript files and references to “Coinhive”
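An added example (not from the presentation) of that last check, run against site content for the footer-injected miner script: it collects every script tag from a constructed page, reports external scripts served from hosts outside an assumed allow-list, and reports any script URL or inline body that mentions Coinhive. The trusted hosts, the extra marker strings and the sample page are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed, constructed for the example).
TRUSTED_SCRIPT_HOSTS = {"www.hospital.invalid", "cdn.hospital.invalid"}
# "coinhive" is the name the slide gives; the other markers are assumptions.
MINER_MARKERS = ("coinhive", "cryptonight", "miner.start(")

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def mentions_miner(text: str) -> bool:
    """Case-insensitive match against the miner marker strings."""
    return any(marker in text.lower() for marker in MINER_MARKERS)

def scan_page(html: str) -> list:
    """Findings for scripts loaded from unexpected hosts or that reference a miner."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        if host and host not in TRUSTED_SCRIPT_HOSTS:
            findings.append(f"script loaded from untrusted host: {src}")
        if mentions_miner(src):
            findings.append(f"script URL names a miner: {src}")
    for body in collector.inline:
        if mentions_miner(body):
            findings.append("inline script references a miner")
    return findings

# Constructed page: the site's own script plus a miner injected into the footer.
SAMPLE_PAGE = """<html><body><h1>Patient Portal</h1>
<script src="https://cdn.hospital.invalid/app.js"></script>
<footer><script src="https://coinhive.invalid/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE-KEY'); miner.start();</script>
</footer></body></html>"""
```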

Page 30

Contact Info and Q&A

CS-FO Thomas Gilchrist

[email protected] or [email protected]

405-290-3745

Main Office OKC-FBI

Ask to speak to the Duty Agent or an available Cyber Agent

405-290-7770

IC3.gov