Read Time: 3 Minutes
Hollywood Presbyterian Medical Center gave in.
Last week, the California hospital decided that it had to pay 40 bitcoins — about $17,000 USD — in order to get some relief from the ransomware attack that had locked down its network since February 5.
Now, for the first time, the American media began to pay attention to ransomware, a phenomenon F-Secure Labs has been writing about for more than half a decade.
Health care institutions and any business that stores sensitive client data are especially vulnerable to these sorts of attacks, as F-Secure Security Advisor Sean Sullivan explained to the IBTimes UK:
“Hospitals are considered to be critical infrastructure but don’t have the same reporting requirements as power plants, for example. Now that some hospitals have made the news, others are being more transparent in order to avoid future trouble regarding failure to disclose. That said, many hospitals are easy targets. I used to work for a university hospital with more than 20 thousand nodes on its network. There was a profit side, and an academic side. For tax reasons, the back-end systems needed to be separate. For doctor/patient reasons, all the data needed to be available client-side regardless of the clinics back-end. The hospital had merged and acquired lots of other medical groups over the years. In short, it was an extremely complex network. And as such, even as well run as it was, there were plenty of gaps.”
Ransomware is a model that criminals know works and the attacks keep coming.
This week Locky was first detected and in just a few days it has already infected more than a half million PCs around the world.
F-Secure Labs Andy Patel described the threat on the News from the Labs blog:
“So far, Locky’s most common infection vector has been via e-mail. A word document attachment is sent out claiming to be an invoice. When opened, the document appears scrambled and prompts the recipient to enable macros in order to view, and if they do so, an executable (ladybi.exe) gets dropped and starts encrypting data files using 128-bit AES encryption.”
The nightmare of having your all your Microsoft Office files is so overwhelming that many businesses have gone the same route as Hollywood Presbyterian Medical Center.
“The deployment of Locky was a masterpiece of criminality — the infrastructure is highly developed, it was tested in the wild on a small scale on Monday (ransomware beta testing, basically), and the ransomware is translated into many languages,”Kevin Beaumont wrote. “In short, this was well planned.”
The trend of malware-as-a-service, with criminal developers behaving with the business acumen of pro-software companies, is not new
F-Secure Chief Research Officer Mikko Hyppönen has said:
“For quite a while, online criminals have been moving to service models. We’ve seen it with DDoS attacks as a service, banking trojans as a service, and ransom trojans as a service among others.”
Macro attacks — however — have been one of the biggest cyber security surprises of the last year. They had mostly disappeared since the 1990 and their reemergence is leaving many businesses vulnerable.
Even networks fully patched software and updated security systems have found themselves victimized because their users are allowed to run macros and their application whitelisting isn’t properly configured.
F-Secure users, however, benefit from an extra layer of protection, as Andy Patel wrote:
“If you’re running our software, DeepGuard, our behavioral detection engine, has been preventing both the attack vectors used by Locky and the behavior of the malware itself. These detections have been around for quite some time already. Following our tried-and-tested prevention strategy, DeepGuard notices malicious behavior, such as Office documents downloading content, dropping files, or running code. DeepGuard stops the mechanisms that allow these sorts of threats to infect your machine right at the source.”
[Image by fdecomite | Flickr]