Ransomware can hit all types of organizations from small companies to large corporations to government agencies. Even hospitals aren’t immune to such attacks. But now with so many in the healthcare industry focused on treating coronavirus cases, the last thing they need to worry about are ransomware attacks.
Though some ransomware groups have actually pledged to leave hospitals alone during the COVID-19 outbreak, other groups are clearly exploiting the situation. A blog post published Wednesday by Microsoft reveals how the software giant is trying to help some hospitals defend against ransomware and what advice it has for such organizations.
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic)
Ransomware can be damaging to any business, as it holds critical data hostage; with most companies, the loss can be measured financially. But when a hospital is attacked with ransomware, the cost can be measured in human life, either through direct patient care or through research being done on vaccines and medicine. Further, hospitals are now so focused on the coronavirus that medical staff and employees may forget the usual security protocols when dealing with email and other content. All of this makes them potentially easy prey for ransomware.
Though a range of criminal groups and campaigns are known to employ ransomware, Microsoft in its blog post focused on REvil, also known as Sodinokibi. This campaign exploits gateway and VPN flaws to gain entry into organizations. This type of strategy is especially rampant now as so many more people are working from home or remotely. If successful, these attackers can steal user credentials, elevate their privileges, and then move across compromised networks to install ransomware and other malware.
Gangs like REvil use human-operated methods to target organizations most vulnerable to attack. These include hospitals that haven’t had the time or resources lately to install the latest patches, update their firewalls, check user account privileges, or ensure proper security practices. In many cases, attackers start by checking out a compromised network in stealth mode and then deploy their ransomware months later.
With its network of threat intelligence sources, Microsoft said that it found several dozens of hospitals with vulnerable gateway and VPN appliances. To help them, the company sent out targeted notifications with vital information about those vulnerabilities and how attackers can exploit them. Microsoft also urged these hospitals to apply the necessary security updates to stay better protected.
SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)
All hospitals and healthcare organizations need to defend themselves against ransomware, especially during this challenging time. As such, Microsoft offers the following tips to aid them:
- Apply all available security updates for VPN and firewall configurations.
- Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
- Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Turn on AMSI for Office VBA if you have Office 365.
- Harden internet-facing assets and ensure that they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Secure your Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
- Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use tools like Local Administrator Password Solution (LAPS).
- Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
- Monitor for the clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert “Event log was cleared” and Windows generates an Event ID 1102 when this occurs.
- Determine where highly privileged accounts are logging on and exposing credentials. Monitor and investigate logon events (event ID 4624) for logon type attributes. Domain admin accounts and other accounts with high privilege should not be present on workstations.
- Use the Windows Defender Firewall and your network firewall to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
“The alert from Microsoft about the increased risk of cyberattacks to hospitals through their VPN networks highlights why businesses need to be prepared for cybercriminals to capitalize on COVID-19 in more ways than one,” TrapX Security CEO Ori Bach said. “Standard ransomware attacks aren’t slowing down, but companies should also expect hackers to exploit the weaknesses of applications previously requiring physical access exposed to the internet via VPN due to the crisis. Medical devices are especially vulnerable as they rely on legacy OS and are susceptible to malware such MedJack. Any device connected via VPN is a potential attack surface, whether that be a laptop or medical device such as electronic medical record systems, MRI, or blood gas analyzers.”