From Ransomware to RansomOps: What You Need to Know About the Newest Threat




You might not be aware of it, but ransomware no longer operates the way it always has. It is not always the usual automated sweep of malware that can be more easily recognized and stopped.

Instead, there now are targeted, human-driven operations where cyber criminals function in a similar way to legitimate software-as-a-service companies. These groups are sophisticated, methodical and unpredictable. This kind of attack is called RansomOps.

To help healthcare CISOs, CIOs and other security leaders get a handle on these new types of attacks, Healthcare IT News interviewed RansomOps expert Chris Fisher, director of security engineering at cybersecurity firm Vectra APJ.

Fisher describes what RansomOps is, the damage it can do, steps that can protect against it, and how to explain the danger to the rest of the C-suite and the board.

Q. Healthcare CIOs and CISOs all know what ransomware is. What is RansomOps and how does it work?

A. Ransomware has evolved from simple malware, which was targeted at individuals with small payments, to a very organized service model that’s reminiscent of modern-day software businesses.

RansomOps speaks to the move away from traditional malware, which is delivered in a much more predictable and automated manner, to what can be described as ransom-as-a-service. In this case, core operators, such as BlackMatter, Conti or REvil, provide the tools and the payment collections services with affiliates that will do the targeting and compromise the network.

It’s crucial to note that this model is driven by human attackers and isn’t scripted malware as it once was, as evidenced by the Conti attacker playbook that was leaked. This means humans are using attacker tools to move laterally within an environment, specifically avoiding modern security tools to increase their chance of success.

This approach also renders traditional signature-based tools ineffective as the attackers can think on their feet and pivot throughout networks in different ways. These attacks also are much quicker than traditional ransomware attacks.

We have seen RansomOps affiliates move through networks at great speed, with ranges of 8-30 days from initial compromise to encrypting a business. Another difference is that these RansomOps attacks move beyond regular ransom to extortion, with the attackers threatening to leak business data if the ransom is not paid.

The pandemic has led to the huge adoption of cloud, and alongside this we’ve seen RansomOps affiliates looking at new ways of targeting via public cloud platforms such as AWS and Azure. This provides attackers an opportunity to move from initial access to ransom at even faster rates than the already quick 8-30 days. In fact, these attacks can be completed within a day.

Q. What kind of damage can ransomware ops do to a healthcare provider organization?

A. We have seen the impact of ransomware in all verticals; however, the impact when it comes to healthcare has been significant. In the U.S., for instance, the Universal Health Services incident resulted in more than 400 healthcare providers being unable to access electronic records and numerous hospitals and medical facilities severely impacted.

In New Zealand, the Waikato Health District incident, which impacted 680 computer services, led to worrying delays in patient care and COVID-19 testing results, and critically ill patients having to be transferred to other hospitals.

We’ve also witnessed the very unfortunate events in Germany, where a patient lost their life in a Dusseldorf hospital due to ransomware. In the first half of 2020, a total of 22% of all Australian data breaches were in the health sector, according to government data.

When the ICT systems of Eastern Health in Melbourne were attacked by hackers, the incident resulted in significant disruption, including the cancellation of elective surgeries and huge stress on staff and patients.

The impacts of ransomware to critical infrastructure are real and can have devastating long-term effects. I believe this is one of the top drivers to legislation around the world stepping up protection for critical infrastructure.

This legislation highlights that governments are looking to take a more proactive response from law enforcement on these criminals to minimize the fallout of these attacks, and ensure patients get the care they need while staff have access to the services and tools of their trade.

Q. What steps can health CIOs and CISOs take to protect their organizations against RansomOps?

A. With all things in cybersecurity, there is no silver bullet. However, as a starting point, organizations need to have a strong cyber resiliency policy.

To achieve this, there needs to be a mindset shift from “if” we get compromised to “when” we get compromised. Once this mindset shift has occurred, then the policy needs to consider people, processes and technology, ensuring security teams have clear visibility of all assets on the network, including cloud and data center infrastructure.

This visibility is key to mapping out the attack surfaces that the organization is exposed to, and will help guide process, technology choice and people required to secure your organization.

Organizations also must invest in training all of their staff on cybersecurity, not just once but continuously to make sure they’re ready for when they see that phishing email come into their mailbox.

Practicing how the organization will respond to a ransomware incident through tabletop exercises with all senior staff and board members is an effective method. This will outline the responsibilities that the business has to securing itself for when these incidents occur, and ultimately speed up response times in an actual event.

From here a strong security architecture is required. Organizations need to have the ability to monitor across the cloud, data center, Internet of Things devices and enterprise networks, as well as having the ability to carry out real-time attacker detection and prioritizing detected threats.

This requires organizations to automate security analyst work and provide visibility inside the network. This may look like security teams augmenting with AI-derived machine learning models, as advanced technologies can more effectively function at a speed and scale beyond traditional methods.

Overall, organizations need to establish a company culture that understands risk, and then implement mitigating technology controls backed by procedures on how to identify, respond and recover from cyber incidents such as RansomOps.

Q. How do CIOs and CISOs talk to the rest of the C-suite and the board about the threat of RansomOps?

A. This is where we have seen huge progress in the last few years, as ransomware has become a board-level topic.

I believe that like all cybersecurity reporting, we need to have an approach that provides solid metrics at a business level, not a technical level. I have seen all too often that we tend to report technical metrics that the board doesn’t understand or are not relevant to broader business objectives, when in fact these issues do have a significant and negative impact.

On this note, the statistics and stories that are making headlines speak volumes. There’s no denying that these attackers are becoming better at infiltrating and taking down businesses and operations from the inside, and this is only extending as organizations adopt cloud services.

For instance, according to an annual report on global cybersecurity, there were a total of 304 million ransomware attacks worldwide in 2020, marking a 62% increase from a year prior and the second highest figure since 2016.

Not only that, but numerous reports cite those attacks are rising in cost, frequently reaching the million-dollar mark. The C-suite and board must be included in the conversation as costs increase to huge rates and security measures require companywide buy-in.

We need to ensure that boards are aware of the risks posed by RansomOps, and what the potential impacts are to the business. Again, tabletop exercises with the board go a long way to communicate the real impacts ransomware has on the business and the responsibilities that people have with these incidents.

We need to emphasize that these attacks have become much more sophisticated, and as a result it’s no longer enough to invest in tools but to develop internal knowledge and company culture and establish robust governance frameworks. It’s true that this is no longer a technology conversation but a business-wide conversation.

Twitter: @SiwickiHealthIT
Healthcare IT News is a HIMSS Media publication.

