FBI “ransomware warning” for healthcare is a warning for everyone!

You’ve probably heard or seen the news that the US CISA issued an alert this week with the unassuming identifier AA20-302A.
CISA is short for Cybersecurity and Infrastructure Security Agency, and the AA20-302A report was a joint alert from CISA, the FBI and the HHS (US Department of Health and Human Services).
Of course, you won’t have seen news headlines that used that codename.
Like sofware bugs, which might officially be denoted by a harmless sounding tag like CVE-2014-0160 but known in real life as Heartbleed, the text in the title of AA20-302A is much more worrying:

Ransomware Activity Targeting the Healthcare and Public Health Sector

The bulk of the report is well worth studying if you haven’t been keeping up with recent history of ransomware, because it describes a common malware attack combination in useful detail.
You can also bone up on how ransomware attacks commonly unfold these days by consulting these recent articles:

• Buer Loader “malware-as-a-service” joins Emotet for ransomware delivery
• REvil ransomware crew dangles $1,000,000 cybercrime carrot
• A real-life Maze ransomware attack – “If at first you don’t succeed…”
• Travel company CWT avoids ransomware derailment by paying $4.5m demand

Is this all about healthcare?

Yes. And no.
CISA’s warning was put out specifically because:

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

What’s vital to bear in mind, however, is that this report is not a sign that you are suddenly less likely to get hit if you are in any other industry sector.
It’s not an judgment on, or an indictment of, cybersecurity in the healthcare industry, and it definitely doesn’t imply that the rest of us are in fine cybersecurity shape simply because we’re in a different business.
Although it’s a warning that’s tailored for the healthcare sector, the report is nevertheless relevant to all of us, and we can all learn from it.
Sure, some of the items in the AA20-302A report are specific to healthcare, such as contact details for cybersecurity bodies in the healthcare sector, and specific advice about security “hardening” on medical devices, which operate under a special regulatory mechanism.
(Flashing your own firmware tweaks on your home router or your Android phone is one thing; altering the firmware on regulated equipment such as ventilators or anaesthetic monitors is quite another.)
But we think you should read the CISA’s report even if you aren’t in healthcare.
Wherever you see the word “healthcare”, imagine your own business sector written there instead, whether that’s retail, hospitality, marketing, civil engineering, legal services, financial advice, real estate, aerospace…
…heck, read the report even (perhaps especially!) if your own industry sector is IT or cybersecurity itself.

What to remember

Ransomware attacks in their modern form – where your files get scrambled and the crooks blackmail you to pay a “fee” for the decryption key, of which they have the one and only copy – have evolved dramatically in recent years.
At first, starting in about 2013, ransomware criminals did massive spam runs that aimed to infect thousands or tens of thousands of people at a time and to demand an affordable yet painful sum from every individual victim, typically $300 to $2000.
By about 2017, the ransomware game began to shift to human-led attacks where the criminals would attack hundreds or thousands of computers at a time, all belonging to the same company.
This meant the crooks only needed to negotiate with one victim at a time (or a handful at most), but had much more leverage, assuming that many or all of the victim’s computers – typically including their servers – were at a simultaneous standstill.
Ransom demands quickly rocketed up to five digits, with the infamous SamSam ransomware gang apparently picking $50,000, or just below it, as a sweet spot.
We don’t know why they chose $50,000 – perhaps they thought that many IT departments would be able to pay up that sort of money without consulting the board or going through a complex approval process.
Those five-figure demands didn’t last long, however, with today’s ransomware crews commonly demanding sums as high as eight digits. (Yes, you read that correctly.)
In a recent attack on travel company CWT, for example, the company was blackmailed for $10,000,000, though it ended up negotiating the amount down to $4,500,000.

Double whammy

One reason the crooks are making such outrageous demands these days is that they aren’t just scrambling files and leaving you stuck if you have no backups.
(By the way, the crooks go out of their way to find any online backups you’ve got so they can obliterate them before they launch the ransomware encryption process, thus making self-recovery harder.)
Sadly, the criminals are now taking the time to riffle through your files first, locating your so-called trophy data – business plans, financial accounts, internal emails, personal information about customers and employees, data covered by regulations such as GDPR, HIPAA and so on; anything that could damage your business deeply if it were to leak out.
The attackers then steal your data before scrambling it, and threaten to reveal it to the world – to your customers, your shareholders, the media, your competitors, the relevant regulators – if you don’t pay.
Double whammy.
The crooks are not only extorting you to get your business moving again in the short term, but also blackmailing you to save yourself from potential data breach doom in the long run.

What to do?

Don’t take this latest FBI warning as an indication that things have cooled off for everyone else, just because the heat has been turned up for the healthcare sector.
Ransomware is very often just the end of an lengthy attack chain, and the criminals who unleash it may have spent days or weeks in your network first.
During this period they will very likely spend time:

1. Mapping out your network so they can attack as much of it as possible.
2. Finding your trophy data and stealing it.
3. Making themselves into sysadmins so they have as much power as your own IT department.
4. Creating new accounts as backdoors to get back in tomorrow if they get kicked out today.
5. Installing “grey hat” penetration testing tools that they use for attack, not for defence.
6. Turning off key components of your own security software
7. Carrying out small “dry runs” with various malware samples to test attack techniques.
8. Wiping your online backups.
9. Scrambling all your computers at the worst time of day for you.

So here is our advice on what to look for and how to prepare:

• Sophos Rapid Response for healthcare and the public health sector
• The realities of ransomware – five signs you’re about to be attacked
• The realities of ransomware – why it’s not just a passing fad
• How to stay protected from ransomware
• Sophos Managed Threat Response: how it works

Never put off until tomorrow those curious malware reports you could investigate today!