Gone Phishin’: A fake account of real events – Understanding the Risk of Ransomware

by Sarah Harvey / May 3rd, 2016

Just an ordinary day in the IT Department

Molly walked into the IT department at the regional hospital where she’s worked for the last four years. Some mornings are more hectic than others. She could tell it was going to be “one of those days” as the help desk buzzed with activity – users locked out, systems down, Internet outages – but today, these conversations seemed a bit more urgent than usual.

“Molly, come here,” said the IT Director before she could even open her laptop bag at her cubicle. Jerry was a good leader of the IT department. He was the one always appealing to management for the resources they needed for the never-ending expectations on system performance in the hospital. “We’re dealing with something major today. Our EMR system has lost access to the database. Everybody is calling in about it. Gary and Margaret are troubleshooting now, but I need you to get the backups ready,” Jerry instructed as he was heading out to give an update to the management team.

Attack of the Ransomware

Michael had delivered a well-placed phishing email to someone in accounts payable at the regional hospital the day before. Disguised as an invoice, the attachment contained malware. This type is known as ransomware, meant to encrypt files, rendering them inaccessible until the hospital pays a fee for the decryption key. Overnight, the infected computer became the launching point for Michael’s plot to search the hospital’s network for critical files. The more pervasive the impact, the more likely Michael is to collect the ransom.

Three years ago, Michael became part of an organization that regularly orchestrates this type of attack. Back then, they used CryptoLocker and generated millions of dollars in payments. That paled in comparison to what they did with CryptoWall, which netted hundreds of millions of dollars, mostly from U.S. companies. Now, he mostly uses Locky ransomware to stay ahead of anti-virus detection. The group that pays Michael very handsomely has grown tenfold and has lately turned their focus to hospitals. “They have money,” Michael’s handler had said, “and their technology is weak.”

Trouble with the Backups? Let’s not lose our composure…

It had just become apparent to Molly that something was wrong with the backup on the SAN when Gary shared the news.

“The database has been encrypted,” he stated in a defeated tone. “There’s a message on the server demanding that we pay in bitcoin in order to get our files back.”

Molly’s instincts immediately told her this was the reason she was having trouble with the backup files. Through their collaboration, they discovered that the Locky ransomware had found and encrypted the network-accessible backup storage location.

While they were discussing whether or not they had complete backups in an offsite location, Jerry was ready for an update. After a full debrief, Jerry knew that their options were dwindling. The hospital had upgraded to an expensive SAN last year to provide a networked storage option for the terabytes of data needed by the EMR system. Restoring that volume of data from their offsite media would take days. Although no one said it, everyone knew that they had not performed a full restore test in a long time due to being overworked in the IT department. Margaret volunteered Steve from the help desk to assist in containing the infection. Identifying and disconnecting the affected system would take some time.

Gone Phishing

Michael usually has dozens of targets on the line simultaneously. He uses a variety of delivery mechanisms for the ransomware. Sometimes it’s a phishing email but often it’s an infected website or a poisoned online advertisement. He enjoys the variety to keep the victims’ defenses off-balance. The splash page that he deploys on the infected system gives them a countdown clock to show them that they have 15 days to pay up. If they pay during the first 3 days, the fee is around $500, but every few days the ransom increases. It’s designed to put more pressure on the hospital to consider the cost in time and IT resources versus simply paying for a quick resolution. He recently was successful in his demand for $17,000 worth of bitcoin, where he had crippled a hospital’s operation. The proliferation of bitcoin has enabled their criminal network to anonymize the payment channel and avoid detection. He chuckles every time a target pays and he collects his share. The media says not many pay the ransom, but he knows better because in most cases, they are never publicly identified as victims. They don’t want the attention, so they pay the ransom to make the crisis go away.

Practice Makes Perfect. Initiate Incident Response Plan.

Jerry activated the Incident Response Plan. Never had they known so much about their backup software, disaster recovery procedures, and system redundancy. Everyone in the department couldn’t help but think they should have practiced these steps before today. Most stayed as late as they could the night before, working through the recovery plan. Some stayed all night. The countdown from the ransomware screen taunted them. Once the infected systems had been isolated, some members of the incident response team were tasked with determining what other systems had potential access to the affected hosts. This was an inventory job like no other. Others performed research to determine if this particular strain could be decrypted by any third-party utilities. No luck. Someone in finance researched how to set up a bitcoin wallet, just in case, and was ready to purchase the amount necessary from the localbitcoins.com broker site.

Jerry then advised management that they were down to two options: spend days restoring all critical systems to normal operation or pay the ransom. That decision was above his pay grade. But as his team was deciding to wipe and rebuild the affected machines, rather than try to remove the malware, Jerry was more determined than ever to get the time and funding allotted to his department for hardening the systems according to the NIST standards that he had previously recommended. Security awareness would also be one of his next steps. He had seen a Tripwire survey that said the #1 step to prevent ransomware attacks is for users to not click suspicious links. He knows that the hospital could be doing a lot more to educate employees about this threat.

Molly asked Jerry what would happen next. Would public relations go to the media? Would this incident qualify as a data breach and be reported to the regulators? Jerry just shrugged and said, “It’s in the lawyers’ hands now.”
