Tim Gurganis - Ransomware Threats to the Healthcare Industry

BSides Augusta · 2016 · 29:07 · 17 views · Published 2016-09 · Watch on YouTube
Style: Talk

About this talk
Video from BSidesAugusta 2016.

Transcript [en]

Host: ...industry, and we're really privileged to have him here today, along with all of our great speakers. At last count we have over 715 attendees, so it's going really well for BSides Augusta. I'll now turn it over to Tim.

Tim Gurganis: Okay, thank you. I'm Tim Gurganis. Currently I work for Cisco Systems as a security investigator. The past couple of years I've worked a lot with healthcare companies that have been affected by ransomware attacks, so I wanted to share a bit of my observations about some of the common vulnerabilities throughout the healthcare industry and also talk about the active attacks using ransomware that I have investigated. Here's the quick outline. Oh, back on the first slide: this presentation is online on my Box account, and I also put it up on SlideShare just this morning. If you search for "ransomware healthcare" you will probably find it, and I'll have this link again at the end.

So I want to talk about common vulnerabilities in healthcare that I've observed. The Cisco Active Threat Analytics team that I work on monitors the networks of our customers: we have a full pcap tap, we have log collection, and so forth, so that's how we get visibility into their network to monitor their security. I want to talk a little bit about the mass-distributed attacks of ransomware as well as some targeted attacks, and also, at the end, talk about some recommendations and some incident response suggestions.

Due to the increasing cost of providing healthcare, healthcare is adopting a lot of new technology to provide better care to patients and to reduce the cost of providing that care. So you see a lot of new computerized equipment being brought in and plugged into the hospital, because they want to eliminate paper and the inefficiencies and cost of keeping records that way. So you have the EMR systems, sometimes called electronic health record systems, being installed. Hospitals are networking together to reduce costs and increase efficiency. These systems are being designed for functionality and reliability but not necessarily security hardened, and so that leaves the network vulnerable to some cyber attacks.

Just some observations from a lot of the customers I've worked with. Half of them, when we started our relationship, didn't have an incident response team. At some point when we do our investigation, do all the network transactions and the impact assessment and all that, we have to turn it over to the customer, and we would ask them: okay, who is going to be the person on point in your IT security team to receive these investigations and work with us to mitigate these threats? And often that was a process they had to begin when they started the relationship and we were doing their monitoring. So that's one thing: they really weren't prepared for some type of cyber attack.

Another thing is that they're all running equipment that is connected to some type of older version of Windows. It might be an MRI machine that has an interface that's running Windows, but often the machine is working fine and providing excellent care while the operating system of the controller is no longer supported, no longer patched, and as a result has many security vulnerabilities. Also, hospital networks are diverse. The average hospital has 50 different kinds of devices, everything from an Oracle database server to a heart rate monitor to a lab machine that does blood gas measurement or something. So you have all these types of computerized devices that get plugged into the networks. Many of them were not designed to be on a network, and they're definitely not designed to be secure on a network: they don't have authentication, they often don't use encryption, and they don't get security patches.

Another observation is that the IT staff at a hospital is generally smaller than it ought to be, and they're very busy. The CIO of a hospital may have 100 to 200 active projects; some of them are security related, most of them are not. And so it's very difficult in some cases to get the right visibility into security threats, to get the dollars allocated and the buy-in from the C-level to solve some of these problems.

So what are some common vulnerabilities that I've observed? First of all, they're still using shared passwords for things like service accounts, in a lot of cases particularly those used on, like I said, embedded controllers or backend systems. The accounts are used for maintenance, but they allow a lot of access to the system and therefore to the network. There's low use of encryption. Most of the devices don't do a lot of logging, so when you do have an incident there's not a whole lot to do forensics on, but it also means that your detection of attacks is not very good. They have weak or flawed encryption; that is, the key length is too short, the algorithm used is not secure, they have poor randomization, some of the basic flaws that have been solved in other verticals but have yet to be addressed with the medical devices. If they're running web applications, they often have remote file include vulnerabilities, SQL injection vulnerabilities, just some of the basic common vulnerabilities that we see, and these are not being patched in a lot of cases because the hospital doesn't have the resources to test the patches, plus they have a lot of applications to test.

Like I said already, they're still using devices with out-of-date operating systems. These could be older versions of Linux as well as Windows, but the ones that have been causing the most problems seem to be Windows. There's not much authentication to put a device on the network, and there's also no segmentation in the network, so once you get even something like an HVAC building controller online, it can actually talk to a lot of the other networks in the hospital, including the ER, the lab, the admin area, and so forth. This is a problem because once an attacker gets inside the network, they're free to move around and do lateral movement. There's low use of NAC, which is something I've already mentioned.

Another challenge is that they have so many distinct IT teams. At one hospital I was at recently, they said they have five teams. They had the IT team that did the lab equipment; they actually calibrated the machines as well as did the network administration just for the lab machines that did blood tests and bodily fluid tests and the various analyses that you need to do. Then they have the admin systems, which was HR and payroll and that kind of thing. And then they had the clinical IT group that did administration of the things that actually touch a patient, so this was all your monitoring equipment for pulse ox, heart rate, and so forth. And then you had the building and physical security group; these were the people that had the electronic thermostats that were networked, the security camera system, all that. These groups didn't talk to each other, and so one of them, for example the building management people, could put a big HVAC controller on the network, and it may have some vulnerabilities, and now you're exposing the admin systems and the lab systems to that potential attack. So this is a challenge that I've seen in a number of healthcare organizations.

What's been the impact on these customers? Every one of my customers has had some type of ransomware incident. They've had systems that were encrypted, mostly by mass-delivered ransomware such as CryptoWall, TeslaCrypt, or Locky. The most common way that I've seen them being infected is to click on a link or go to a website where there was malvertising. This was back when the Angler exploit kit was active, and you'd see a lot of infections because they didn't patch Flash, and they would get a malicious download through their web browser. The second way is opening email attachments. As you can imagine, hospitals pass around a lot of reports; some of them were attached to emails, and it was very common in their business to open up these attachments, which in the case of an attack contained malicious macros that would install ransomware on the machine. 75% of medical institutions have been a victim of ransomware or believe they have been. So we can say in general that healthcare is lagging in its defense and protection from cyber attacks, and this puts your PII, your personally identifiable information, and your PHI, your healthcare information, at risk.

Some other graphics. This is from a FireEye blog. The line at the top there is the healthcare industry, where they saw attacks of this particular Locky ransomware going into a healthcare network. The graph is not linear, and it probably doesn't show up very well, but this is 50%, so over 50% in this one particular campaign was going into the healthcare vertical. Below that you have Telecom and Transportation. But this is a common theme that I've seen among my customers as well. I have customers that are not in healthcare, and the impact of ransomware is lower for them; they're not getting as many infections from these particular types of attacks.

And ransomware is continuing to grow. There are new families, and there are more actors or adversaries that are using ransomware. We've seen some adversaries that were distributing, say, password stealers or credit card stealers that have switched to using ransomware for monetizing their activities. One example from Malwarebytes is that in December of last year, 17% of all malware payloads from exploit kit attacks were ransomware, but by May of 2016, six months later, 61% of those payloads were ransomware.

This is just a typical attack or incident I've seen. Earlier this year, a hospital staffer goes to this medical-related website, the day metric company, and that particular website at the time was compromised. There was a hidden iframe on every page that would redirect you to load this other compromised website, where you would be redirected to the Angler exploit kit. So just by going to this website, which seems like a reasonable thing for the hospital staff to do, they end up getting, in this case, the TeslaCrypt ransomware on that machine.

So, the way exploit kits work, if you don't know: once you get to the landing page and you load that in your web browser, there's code on that page that's going to determine the version of Flash that you have, the browser you're using, and the operating system version. Then it's going to select an exploit that works against that version. In this case the hospital had a golden image they were using to install all their PCs, and it had Flash version 11, while the new one is like 21. And so an exploit for version 11 was downloaded, and when it succeeded it downloaded TeslaCrypt, which is ransomware, and began encrypting the machine. We knew that because we could see the communication back to the command and control URL, which is this tach channel.com. So this is fairly typical. We find that hospitals have computers that are not up to date, and they're also not patching them. As I mentioned earlier, there are often hundreds of applications in a hospital, and they just don't have the resources to test them all to make sure the patches don't break something, and so I found that they're very hesitant to patch. But after you see a lot of this, I think we've convinced most of them to begin that process, but it will take time because of the number of applications and configurations that they're testing.

We've also seen infections come from staff using personal email accounts on their workstations in the hospital. Usually they're not getting them from the hospital's official email servers, but a lot of them are allowed to access their personal email; they open an attachment they shouldn't, and they get ransomware that way.

So I just want to review quickly some of the active ransomware families. The first one is CryptXXX, which is believed to have been developed by the same group that wrote the Reveton ransomware, which came out years ago. So this is a case where you had an adversary that's been involved in malware for a while, and they decided to write a ransomware malware. They're distributing it via exploit kits as well as via malicious email attachments. It has some features to avoid detection by automated sandboxes: it will sit there idle for like an hour and then it will begin encrypting, so that it will perhaps time out the sandbox, and also so the user doesn't associate opening that email or going to that web page with getting ransomware; the two events happen far enough apart that they don't correlate. CryptXXX will also monitor for mouse movement or check the name of the CPU in the registry in order to determine whether it's in a sandbox or whether it's on a real machine. CryptXXX will encrypt files on the local drive as well as those on mounted drives, so USB devices or network-mounted shares: if it can write to them, it's going to try and encrypt them. In addition to encryption functions, CryptXXX will also steal your passwords at rest and your Bitcoin if it can find it. So it's going through the file system looking for stored passwords and shortcuts to your web browser or your FTP client or your email client. So in addition to dealing with all the ransomware applications and restoring your files after you get CryptXXX, you'll need to change all your passwords.

Another active family is the Cerber ransomware. Cerber is distributed by email attachment as well as by exploit kit. I just had a few example subjects from campaigns that I've seen where Cerber was the payload of an email, and notice that they're kind of business related: it could be the name of a company; it could be "this user has shared a message with you", and it'll lure you to open the attachment; or it could be a fake file-sharing message that indicates that someone's shared an important file with you. So these seem to be targeting more business users than, say, a home user. Cerber has been the payload from the Dridex botnet. Usually the form of the attachment that has the malicious macros is a Word doc, although they have experimented with using RTF files as well as using the newer JavaScript downloaders. So in this case you have a zip file attached to an email, and inside is a JavaScript file. It's really small, and that script will execute when you open it, using the Windows scripting engine, to download the ransomware and then run it. Some interesting things about Cerber's command and control communication: it uses UDP on port 6892, and you can see it scans a large range of IP addresses. I've seen these three used, and I think that's just to make it more difficult to block their command and control communication.

Lastly we have the Locky ransomware, which I think is probably the one I see the most in terms of the mass distributed. This one seems to be exclusively distributed by email attachment using the Dridex botnet, which used to deliver the Dridex info stealer. This particular botnet only runs on weekdays, so again some indication they're targeting businesses, because businesses have money to pay their ransom. Locky uses an affiliate model, so you've got cooperating adversaries designing a version of Locky with their affiliate and then having it distributed by the Dridex botnet. Here, the graph at the bottom is the very first day Locky came out, which was in February of 2016, and you can see that due to low detection by antivirus, the number of infections rose quite a bit on the very first day.

So a bit about ransomware propagation. Some people ask me, does ransomware spread from system to system? None of the mass-distributed ransomware that I just covered has any kind of spreader function built in. And so in cases where you've seen that happen, where an initial infection occurred and then it spread to 20, 40, 60 PCs within a network, there was some actor doing the spreading. They were using a script, probably, but it was an intentional mission just to target that particular network. I've seen this with CryptoWall, back when it was active, that they would get a special build that wasn't detected by antivirus just for a specific target, because they already had some remote access into that network. Often the spreaders use a Windows utility called PsExec, which is handy for moving files to another system once you have an appropriate password, and then kicking off the encryption on the systems they can access. So in those scenarios where it's a targeted attack, I've seen them break into something like a JBoss server which wasn't patched, and then they would dump the memory or search the memory of that server looking for Active Directory credentials. Once they had a list of credentials, they would scan the network to see where those worked; then they would build a target list, create the keys that were going to be used to encrypt that particular target, and then distribute the ransomware and the keys and kick it off with a scheduled task. So at the same time throughout the hospital they would run an encryption routine, and then this ransom note would show up on the display saying that you had to pay 1.5 Bitcoin per machine in order to get your files back. This is what happened at the Hollywood Presbyterian Medical Center, which you may have heard about in the news, but it also happened at some other locations, some other hospitals, some even in other countries.

So here's a story based on an actual incident. On a Sunday night the hospital staff noticed IT problems beginning: computers showing strange messages. This particular hospital had 10 large hospital locations and actually like 300 partnerships or off-site outpatient-type locations, and they had over 370 applications that they use throughout these hospitals and clinics. So they followed their IR plan, and they began the IR actions to deal with certain applications not working and so forth, and they assessed by early Monday morning that the situation was getting worse and that they had a ransomware attack. In this case they decided not to pay the ransom, and so they determined they would need to shut off their electronic health record system, which of course affected all of their locations, impacting patient care, the building management system, their ability to order supplies and equipment, and so forth. No patients were put at risk by this, but they were definitely degraded in their capabilities because they couldn't use their computers.

Some lessons learned from this. They said, plan for this to happen at your location, because it's happening everywhere; as you see, healthcare institutions are being attacked by ransomware. This is different from a PHI-type breach, because you're in a denial of access to your computer; it's not like your computer information's being stolen. Plan to have an incident command center that coordinates all of the now-manual activities that you're going to have, because your computer network is not available. Rehearse the plan. Include an alternate communications capability that is still HIPAA compliant. There was a temptation for everybody to start just using their cell phones to send emails and text messages or communicate that way, but some of that violates your compliance, so you can't just do that; you have to have a plan that is an alternative to the normal network or the normal way of doing things but maintains that compliance. Another thing that they hadn't planned for was that the recovery would take three weeks. Within 72 hours they had restored critical applications, but it took a full three weeks before everything was back to normal, and so during that time certain processes had to be done manually, on paper, using a different special process. So if you've been rehearsing for one application going down, now imagine what you would do if they were all down. But this is what they went through.

Another thing: I've mentioned HVAC controllers a number of times, because we have seen some breaches where that was how they got in, and then, due to no segmentation, that allowed them lateral movement inside the network. This may happen because the remote access on the HVAC systems is not secure, or it may happen, as in one case we saw, where the vendor support guy came in, used the terminal sitting next to the controller to read his personal email, and brought in the ransomware that way. I'm going to skip this slide about how it might get worse, because I'm running out of time.

There are some host mitigations that I have seen be effective. One is you can enable click-to-activate on your Flash plugin. That way, when you go to a page that has those banner ads like this, they aren't run automatically; you will have to click on it in order to see them. This can be effective in preventing, or at least requiring one more step before, those Flash exploits just run when you go to the page. Another is to change the way Windows handles JavaScript. As I mentioned, we're now seeing the email attacks where the attachment is a ZIP file and contains a little JavaScript whose sole function is to download malware and run it on your computer. But there's really no purpose for having a JavaScript email attachment, and so at your email gateway, if you can block ZIPs that just contain JavaScript, do it. Also change the way Windows acts when you click on a JavaScript file, so that it opens something innocuous like Notepad instead of running the script on your system, which would then infect your machine. There's no reason to have JavaScript in a hospital, so you're not really reducing the functionality of the applications. Here are some instructions on how to do it: you basically right-click on a JavaScript file so that you pick an application that's not the wscript interpreter but is in fact something harmless like Notepad.

Another idea is to use canary files. You can create some files on your desktop and then have a monitor process; any time something tries to write to those or encrypt them, it gets killed. This is the idea behind this utility called Anti Ransom, which will do all that for you. You install Anti Ransom, and it will create a dummy folder of documents, and if you get ransomware and it sees those documents and tries to encrypt them, then that process will be killed and it'll display this warning. This doesn't stop all encryption, but it'll stop most of it, because there's no guarantee that the first files the ransomware goes after are your canary files. But when it gets to those, that process gets killed. So this seems to be an effective way, based on the file activity, to identify ransomware and stop it.

Some recommendations. I've already covered a lot of these, but: have a backup and test your backup recovery; patch Flash, because it's the most commonly exploited middleware application; patch your web applications; don't enable macros in your Office; and try using click-to-activate to disable Flash except when you specifically click on the content. Some final thoughts. Compliance is not equal to security. A lot of hospitals spend a lot of money on HIPAA compliance and other privacy protections, which are very important, but that doesn't mean that they're secure and that they're not vulnerable to these cyber attacks. Get to know your vulnerabilities on your network; know what's on your network. I have one customer now that's been scanning their network for two months just to find out all the different kinds of devices they've got and what operating system they're running, because they just didn't know. And it's impossible to defend and protect your systems if you don't know what they are or what their vulnerabilities are. Then have a comprehensive security policy that addresses these vulnerabilities and manages them to reduce your risk; make sure that includes your providers or your partnerships, your off-site facilities and clinics. But I think, don't give up. With proper planning and awareness, and executing your security strategy, your healthcare systems can be protected. These are the two places I put this presentation up: on SlideShare as well as on my Cisco Box. And I think that's it. Are there any burning questions? I hope you learned something; I enjoyed presenting here today.

Audience member: Yes, sir. Have you seen anything else outside of that? I know you said passwords and [inaudible]; we started to see some kinds of things where anybody has PHI...

Tim Gurganis: I have not seen anything like that. That is one of my "what if it gets worse" predictions: that you could see ransomware actors threatening to do a HIPAA breach if you don't pay the ransom. So that hasn't happened, but it's conceivable that it could.

Host: All right, thank you, Tim. We don't have time for any more; appreciate it.
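The Cerber C2 behaviour described in the talk (UDP to one port, sprayed across a large range of addresses) is detectable from flow data without knowing the exact ranges. The following is an added example, not code from the talk or from Cisco: it builds a constructed flow log in which one workstation sends UDP/6892 to 300 consecutive addresses spanning two /24s while every other host only does DNS, then flags sources whose UDP traffic to a single port fans out across many hosts and several /24 networks. The thresholds, addresses and record format are assumptions made for the example.

```python
"""Added example (not from the talk): flag hosts whose UDP traffic to one port
fans out across a large address range, the C2 pattern described for Cerber
(UDP, port 6892, many destination IPs). Thresholds and the flow records are
assumptions constructed for this example."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def build_sample_flows() -> str:
    """Constructed flow log (ts src dst proto dport); not real capture data."""
    lines = ["# constructed flow log: ts src dst proto dport"]
    # One workstation sends UDP/6892 to 300 consecutive addresses spanning two /24s.
    first = int(ipaddress.IPv4Address("85.93.0.1"))
    for i in range(300):
        dst = ipaddress.IPv4Address(first + i)
        lines.append(f"2016-09-10T08:01:02 10.20.5.17 {dst} udp 6892")
    # Benign background: every workstation queries the two internal DNS resolvers.
    for host in range(2, 40):
        for resolver in ("10.20.0.10", "10.20.0.11"):
            lines.append(f"2016-09-10T08:00:00 10.20.5.{host} {resolver} udp 53")
    return "\n".join(lines)


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def find_udp_sweeps(flows: list[Flow], min_hosts: int = 64,
                    min_subnets: int = 2) -> dict[tuple[str, int], tuple[int, int]]:
    """Return {(src, dport): (distinct_dst_count, distinct_/24_count)} for every
    source that sends UDP to the same port on at least min_hosts distinct
    addresses spread over at least min_subnets distinct /24 networks."""
    targets: dict[tuple[str, int], set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "udp":
            targets[(f.src, f.dport)].add(f.dst)
    alerts = {}
    for key, dsts in targets.items():
        subnets = {ipaddress.ip_network(f"{d}/24", strict=False) for d in dsts}
        if len(dsts) >= min_hosts and len(subnets) >= min_subnets:
            alerts[key] = (len(dsts), len(subnets))
    return alerts


if __name__ == "__main__":
    sweeps = find_udp_sweeps(parse_flows(build_sample_flows()))
    for (src, port), (hosts, nets) in sweeps.items():
        print(f"ALERT {src} -> udp/{port}: {hosts} hosts across {nets} /24 networks")
```

The /24 check is what separates a C2 sweep from a chatty but legitimate host: a workstation may talk to many servers on one port inside a single subnet, but consecutive addresses across several networks on a port nobody else uses is the pattern worth an alert.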
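The gateway rule recommended in the talk, blocking ZIP attachments that contain nothing but a JavaScript downloader, can be written as a small classifier. This is an added example and not the speaker's or any gateway product's code. It extends the rule slightly beyond the talk's ".js in a zip" case to the other extensions Windows Script Host executes on double-click; that extension list, the three verdict categories and the in-memory sample archives are assumptions constructed for the example.

```python
"""Added example (not from the talk): mail-gateway check that blocks ZIP
attachments whose only contents are Windows Script Host scripts, the
".js in a zip" downloader described above. The extension list and the sample
archives are assumptions constructed for this example."""
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions that WSH (wscript/cscript) runs on double-click. The talk names
# JavaScript; the rest are an assumption about what the same rule should cover.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe"}


def _is_script(name: str) -> bool:
    # splitext keeps only the last extension, so "Invoice.pdf.js" still counts.
    return posixpath.splitext(name.lower())[1] in SCRIPT_EXTENSIONS


def classify_zip_attachment(data: bytes) -> str:
    """Return 'invalid' (not a zip), 'allow' (no scripts inside), 'block'
    (nothing but scripts) or 'review' (scripts mixed with other files)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return "invalid"
    scripts = [n for n in names if _is_script(n)]
    if not scripts:
        return "allow"
    if len(scripts) == len(names):
        return "block"
    return "review"


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a downloader-style attachment, a normal report, a mix.
JS_ONLY = make_zip({"Invoice_4431.pdf.js": b"var s = new ActiveXObject('WScript.Shell');"})
REPORT_ONLY = make_zip({"labs/": b"", "labs/report.docx": b"<constructed document body>"})
MIXED = make_zip({"readme.txt": b"run the script", "run.vbs": b"MsgBox 1"})


if __name__ == "__main__":
    for label, blob in (("js-only", JS_ONLY), ("report", REPORT_ONLY), ("mixed", MIXED)):
        print(f"{label}: {classify_zip_attachment(blob)}")
    print("garbage:", classify_zip_attachment(b"not an archive"))
```

Directory entries are ignored so an archive that is only a folder plus one script still blocks, and the mixed case is routed to review rather than silently allowed, since a script beside a decoy document is the same lure with one more file.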
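The canary-file idea behind the Anti Ransom utility mentioned in the talk can be shown in a few functions. What follows is an added example, not the Anti Ransom tool's code or anything from the talk: it plants decoy documents, records their hashes, and later reports any decoy that was rewritten in place or disappeared (the two things encrypting ransomware does to a file). Killing the offending process, which the real tool does, is left out because it needs process-to-file attribution that plain Python does not give; the decoy names, contents and the simulated "ransomware pass" in demo() are assumptions.

```python
"""Added example (not from the talk): canary-file check in the spirit of the
Anti Ransom tool described above. Plants decoy documents, records their
hashes, and reports any that were rewritten or removed. Decoy names and
contents are assumptions; killing the offending process is out of scope."""
from __future__ import annotations

import hashlib
import os
import tempfile

# Assumed decoy names; the leading "!" sorts them early so a directory walk
# by ransomware is likely to reach them before the real documents.
CANARY_NAMES = ("!Budget_2016.xlsx", "!Patient_Schedule.docx", "!archive_notes.txt")


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(directory: str) -> dict[str, str]:
    """Create the decoys and return the baseline {name: sha256}."""
    baseline = {}
    for name in CANARY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(f"canary {name}\n".encode() * 64)  # harmless filler content
        baseline[name] = _sha256(path)
    return baseline


def check_canaries(directory: str, baseline: dict[str, str]) -> dict[str, str]:
    """Return {name: 'modified' | 'missing'} for decoys whose content changed
    (encrypted in place) or that vanished (encrypted into a renamed copy).
    An empty dict means every canary is untouched."""
    findings = {}
    for name, digest in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            findings[name] = "missing"
        elif _sha256(path) != digest:
            findings[name] = "modified"
    return findings


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Run the check before and after a simulated ransomware pass in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        baseline = plant_canaries(d)
        clean = check_canaries(d, baseline)
        # Simulated ransomware: overwrite one decoy, rename another with a new extension.
        with open(os.path.join(d, CANARY_NAMES[0]), "wb") as f:
            f.write(os.urandom(256))
        os.rename(os.path.join(d, CANARY_NAMES[1]),
                  os.path.join(d, CANARY_NAMES[1] + ".locked"))
        return clean, check_canaries(d, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

In a real agent check_canaries() would run on a short timer or on a filesystem-change notification, and a non-empty result is the trigger for the response the talk describes (stop the writer, warn the user); as the speaker notes, files touched before the ransomware reaches the decoys are already lost, so this complements backups rather than replacing them.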