It’s been a busy year for Hackers

We are ¾ of the way through 2019. 

Nine months in, ransomware attacks have skyrocketed with attacks on at least 621 US government agencies, healthcare providers and schools. 

In the private sector, business detections of ransomware rose 365% from Q2 2018 to Q2 2019.

The Industries That Have Seen the Greatest Impact

Government

• The attack on Baltimore left the city’s systems offline for over 3 weeks. By refusing to pay the ransom of $76,000, the city was forced to rebuild its digital systems. This left the city with a hefty $18.2 million estimate. Property transactions, tax, and water billing were all disrupted.
• A trio Florida Cities paid over $1.2 million collectively after ransomware hit Key Biscayne, Lake City, and Riviera Beach in June. In this instance, the governments affected all agreed to pay the ransomware. In the months since the attacks, US mayors have all agreed to not pay ransoms.
• This April, information boards and email were encrypted in an attack on Cleveland/John Hopkins Airport. Both the airport and the Mayor’s office were initially slow to give any details. The city claims to have managed the damage internally with conflicting reports that the FBI was involved. 

Healthcare Providers

• On October 1st, 2019, DCH Regional Medical Center, Fayette Medical Center and Northport Medical Center were all infected with RYUK ransomware. The hospitals are all a part of the DCH Health System. All affected hospitals were reduced to using pen and paper records and were rerouting incoming ambulances and patients to other nearby hospitals for 10 days.
• PerCSoft, a cloud provider for dental offices, was hit with a ransomware attack that encrypted the patient information for 400 dentists’ offices.

Education

• Similar to the DCH Health System attack, the Rockville Center School District in Long Island, NY was infected with RYUK Ransomware this August. The school district paid close to $100k to have their information decrypted.
• Flagstaff United School District closed for two days following a ransomware attack in September. No details were released on the recovery from the incident.
• In July, Monroe College based in New York City fell victim to an unknown strain of ransomware. The hackers later requested $2 million dollars to decrypt the infected hardware.

Hackers target MSPs

Hackers have also begun targeting managed service providers and IT firms. By doing this, they not only cripple the IT firm but also disable the provider’s clients. This is the case as evidenced by the PerCSoft attack above.

Email and Remote Desktop Protocol are Primary Vulnerabilities

It is well established that email is the most common vulnerability but any feature that adds access to internal systems is a potential vulnerability. Ransomware like SamSam, CryptON and CrySIS have all been spread through RDP attacks. Hackers can easily find and target organizations by scanning for open RDP connections. 

Statistics

• By the end of 2019, ransomware will claim a new victim every 14 seconds.
• Ransomware is expected to top $11.5 billion this year.
• There were 204m ransomware attacks in 2018.
• In 2018, there were 222 new families of ransomware created.
• Ransomware induced downtime costs an average of $8,500 an hour.

Other Articles You Might Be Interested In:

Alabama Hospital System crippled by RYUK Ransomware

Three Alabama hospitals are turning away “all but the most-critical new patients,” in response to a ransomware attack according to BBC.

DCH Regional Medical Center, Fayette Medical Center and Northport Medical Center were all affected by the attack. The hospitals are all a part of the DCH Health System, which became infected with RYUK ransomware on Oct. 1st.

It is unclear as of today, the scope of the hospital’s affected systems. The hospital did say that as of October 5th, they had “obtained a decryption key from the attacker” and were beginning to test and restore a limited number of systems. This likely means the hospital system agreed to pay the ransom. The ransom amount was not stated.

“We will continue to divert any new admissions, other than those that are critical, to other facilities,” said DCH.

According to the statement, ambulances are being redirected away from the affected hospitals. Doctors are “using paper copies in place of digital records”.  

This comes on the heels of at least 621 reported ransomware attacks on government agencies, healthcare, and schools in the last nine months. 

A ransomware attack is considered a security incident under HIPAA. 

What Is Ryuk?

Ryuk is a ransomware strain discovered in August of 2018. After initial infection, Ryuk can go days or months without being detected. It then enables a threat actor to attack an organization’s critical systems.

Other Articles You Might Be Interested In:

Ransomware attacks Dentists Offices

An online data backup service called DDS Safe that archives medical records, charts, insurance documents, and other personal information for dentist offices were attacked with an extremely advanced and fairly recent strain known variously as REvil and Sodinokibi. 

DDS Safe is offered by Digital Dental Record who uses a cloud management provider called PerCSoft. PerCSoft was hit with the ransomware strain on Monday, Aug. 26th and encrypted the patient information for 400 dental offices. 

At this time, roughly 80-100 of the offices have had their information restored after PerCSoft paid an undisclosed amount for the decryption key. 

Threats against Healthcare

While government agencies seem to be facing the brunt of ransomware attacks, healthcare is facing roughly 30% of all attacks. According to the HHS, “The presence of ransomware (or any malware) is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule, and a breach, depending on the facts and circumstances of the attack.”

Layering both Security+ and Compliance+ by ITonDemand helps to mitigate the risk of a ransomware attack. 

How can I protect my practice/business against ransomware?

• Data Backups are a Necessity: It’s important to maintain both cloud and offline backups of PHI or sensitive information. In the event one becomes inaccessible, the other can be restored with minimal downtime. 
• Systems Inventory: Have an IT systems audit performed where and systems that are outdated or no longer secure can be isolated.
• Continous Security Education: Perform security awareness training regularly and keep security awareness programs up to date.
• Patch Cycle Program: Use a patch management program where patching is performed at least every 30 days including third-party applications.
• Perform application whitelisting: Application whitelisting ensures systems run authorized applications.
• Endpoint detection and response (EDR): Baseline systems and keep an eye out for any new or rogue processes.
• Secure email gateway: Deploy a secure email gateway solution that removes malicious emails from users’ mailboxes.

Other Articles You Might Be Interested In:

Ransomware hits 23 local Texas governments.

On August 16, the state of Texas reported that 23 local governments had been hit with a ransomware attack. The Texas Department of Information Resources stated in their report that the attacks were performed by a single threat actor. 

The affected government systems remain offline three days later. 

These attacks are growing more common.

Hackers have been increasingly targeting state and local governments with ransomware and having great success doing so. A trio of Florida cities were affected by ransomware in June. Those attacks cost upwards of $1.1 million. The city of Baltimore refused to pay a May ransomware attack and the estimate to rebuild the city’s systems is upwards of $18 million.

As of July 2019, ransomware attacks have hit at least 170 county, city, or state government systems in the United States since 2013. Moreover, 22 of those attacks occurred in the first half of 2019, according to The U.S. Conference of Mayors.

“Threat Education is a more critical component of cybersecurity than most are willing to recognize,” said Steve Condit, Director of Partner Development at ITonDemand. “Every staff member is a potential vulnerability. Proper cybersecurity training is a necessity for all organizations in 2019.”

What are some security best practices? 

• It is everyone’s responsibility to remain cyber aware and practice information safety.
• Do not open suspicious or unexpected links or attachments in emails.
• Hover over hyperlinks in emails to verify they are going to the anticipated site.
• Be aware of malicious actors attempting to impersonate legitimate staff, and check the email sender name against the sender’s email address.
• Use unique strong passwords or pass-phrases for all accounts.
• Do not provide personal or organizational information unless you are certain of the requestor’s authority, identity, and legitimacy.
• Alert ITonDemand HelpDesk if you have any concerns about the legitimacy of any email, attachment, or link.

Other Articles You Might Be Interested In: