Ransomware – Is the NHS the next target? – Julia McCarron
News and information from the Advent IM team.
It is always a treat to get a blog post from Advent IM Director, Julia McCarron and this time Julia has turned her eye to the spate of Ransomware attacks on US hospitals to ask how resilient the NHS is, should it face a similar level of attack.
When I hear the word ransom it conjures up 2 things in my mind:
1. A ruggedly handsome Mel Gibson as the millionaire Tom Mullen faced with a $2m ransom for his kidnapped son who finds his own way of beating the criminals – good film.
2. Distraught parents, business owners, individuals on the verge of losing everything if they don’t pay out extortionate payments to reclaim their loved ones or what is rightfully theirs.
Unfortunately, the latter is now becoming less of a physical, tangible act and more the art of the possible in Cyberville, with the ever-growing threat that is called ‘ransomware’.
So what is ransomware? At its most basic it’s “a type of malicious software designed to block access to a computer system until a sum of money is paid” … data kidnapping, as it is sometimes described. The word may be longer than its origin but its ‘raison d’etre’ is the same. What started off as seizing an individual’s computer and generating maybe £100 a pop to release it is turning into a far more sinister and business-orientated infection.
The ‘art’ if you can call it that of taking something that doesn’t belong to you and selling it back to its owner is as old as the hills. But our increasingly technological and connected world is opening up new possibilities to exploit it. A study by ESET found that over a third of UK companies had either personally been held to ransom by hackers or knew someone that had their network infected by ransomware. And now our critical national infrastructure could be at risk.
All trends seem to be leaning towards attacks on more public facing entities – Ashley Madison being an example. Moreover though, ransomware attackers have recently been focusing their efforts on critical networks containing vulnerable and sensitive information in three specific industries: energy, healthcare and education, specifically universities.
In the first quarter of 2016 alone, 4 US based hospitals fell victim to ransomware extortion:
• Hollywood Presbyterian Medical Centre.
• Kentucky Methodist Hospital.
• Chino Valley Medical Centre, California.
• Desert Valley Hospital, California.
All attacks presented themselves as phishing emails in the first instance and caused significant disruption as systems were shut down and in some cases paper systems resorted to in order to maintain patient care. The first of these hospitals did in fact pay a reported £12,000 to have its systems released. The latter 3 are not believed to have paid any ransom.
So this begs the question: is our own NHS at risk?
Well, the short answer is yes, it is. The NHS is notorious for its data security incidents, being the UK sector with by far the largest number of reported security incidents according to the Information Commissioner’s Office (ICO). The latest statistics show 184 incidents in Q4 of 2015/16 alone, representing 41% of all sector incidents reported that quarter. These are worrying figures when you consider that the health sector handles some of the most sensitive personal data there is. Granted, many incidents are down to poor data handling and failure to follow or implement procedure rather than external factors such as hacking or ransomware via phishing, but it demonstrates a trend of bad data management that could be exploited for ransomware attacks like the ones we have seen in the US, and at its extreme could lead to the death of a patient.
In 2015 the ICO slated the NHS for its data breach policies citing poor procedures and insufficient training. However, the Health and Social Care Information Centre (HSCIC) does advocate certain best practice information security virtues through compliance with the Information Governance Toolkit, based on elements of ISO27001, the internationally recognised standard for Information Security Management Systems. In addition, HSCIC was also involved in establishing the Computer Emergency Response Team (CERT) for the NHS known as CareCERT, which is designed to provide security guidance on and support with response to security threats. These actions can only help protect our NHS. One thing that works in the NHS’s favour, if you can really call it a favour, and what might explain why ransomware has yet to target a UK hospital is the disparate nature of IT systems and security practices operated in the UK health sector. This makes it harder to repeat the same attack at multiple NHS locations because processes, awareness and technology will vary. But this does not make us immune. And the ‘winnings’ can be huge if the data or system being kidnapped is sensitive enough.
In 2014 the FBI estimated that extortionists behind the CryptoLocker strain of ransomware swindled $27 million in just 6 months from people whose data they took hostage. And what started off as software that just locked computers on startup is turning into a much more sophisticated threat capable of encrypting data, not just on individual computers but on core servers. Some can even attack backup repositories. Attacks typically arrive via what are known as ‘spray and pray’ phishing campaigns, which basically target as many individuals as possible in the hope that someone will click on a link and infect their PC or network. But sometimes attacks are direct hacks on systems that install the software, thus gaining control over central servers.
Although ransomware accounts for 21% of global malware files (second to the US with 62%, according to Bitdefender) it still isn’t the most common form of malware … but it is on the rise. Month by month incidents are increasing. In the last week alone the Zepto malware, based on the as yet unbroken ransomware Locky, has been carried in nearly 140,000 spam messages sent over four days. So what can we do to guard against this form of data hostage-taking?
• Staff awareness training on the dangers of phishing emails and the damage they can cause is vital to minimising the risk of such attacks. Simulate phishing attacks to identify particular areas of weakness within the organisation.
• Taking backups is key. This will ensure system availability can be restored. However, backups must be stored in secure off-site locations, not connected to the network. It sounds an obvious thing to say but it’s not always the obvious thing that’s done.
• Whitelist machines to prevent ransomware installing on them. This can cause organisational challenges particularly with more senior staff who are prevented from running certain applications.
• Consider configuring email servers to block zip files that could be malicious. Again this can be contentious where there is a business need to use zip files.
• Restrict network permissions ensuring access to sensitive information is based on ‘need to know’ and not a carte blanche ‘access by all’ strategy.
• Defence in depth – ensure you have multiple layers of security on your network that can detect and prevent deep infiltration.
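The zip-blocking control above is blunt if applied by file extension alone, because the spam campaigns mentioned earlier carry a script file inside the archive and the archive itself may be renamed. The following is an added illustration, not code from Advent IM or from any mail product: a mail-gateway style check that identifies archives by their magic bytes, looks inside them, and blocks only those carrying script or executable entries, quarantining the rest for a business-need decision. The message, sender and file names are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Entry types commonly abused as in-archive droppers; extend to suit local policy.
RISKY_ENTRY_SUFFIXES = (".js", ".jse", ".wsf", ".vbs", ".exe", ".scr", ".hta")
ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every zip archive


def build_sample_message(attachment_name, entry_name):
    """Constructed test mail: an 'invoice' lure with one zip attachment (hypothetical addresses)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, "placeholder content, not a real script")
    msg = EmailMessage()
    msg["From"] = "invoices@example.test"
    msg["To"] = "staff@hospital.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def classify_attachment(payload):
    """Return (verdict, reason). Detects archives by magic bytes, not by filename,
    since a renamed .zip is still a zip to the recipient's archive tool."""
    if not payload.startswith(ZIP_MAGIC):
        return ("allow", "not an archive")
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ("block", "corrupt or unreadable archive")
    risky = [n for n in names if n.lower().endswith(RISKY_ENTRY_SUFFIXES)]
    if risky:
        return ("block", "archive contains script/executable entries: " + ", ".join(risky))
    return ("quarantine", "archive without executable entries; release needs business approval")


def scan_message(raw_bytes):
    """Apply the policy to every attachment; returns [(filename, verdict, reason), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results.append((name,) + classify_attachment(payload))
    return results
```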
If you are unlucky enough to be the victim of a ransomware attack, the advice would be to:
• Disconnect infected systems from the network, and disable Wi-Fi and Bluetooth to prevent spreading.
• Remove USB devices or external hard drives.
• Report the incident to your Line Manager or nominated person as stated in your organisation’s Incident Management Policy (and if you don’t have one, develop one and communicate it to your staff now!).
If we are to stem the growth of ransomware infections in the UK and protect our critical national infrastructure and sensitive data we must implement and manage best practice information security controls and ensure our staff know what to look for and remain vigilant.
If Liam Neeson had been a Chief Information Officer and the victim of data kidnapping in the film Taken, I wonder whether the words of wisdom he may have imparted to his attackers would have been something like this:
“I don’t know who you are. I don’t know what you want. If you are looking for ransom I can tell you I don’t have money, but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my data go now that’ll be the end of it. I will not look for you, I will not pursue you, but if you don’t, I will look for you, I will find you and I will kill-screen you.”
Actions speak louder than words. Act now.