With Threats of Ransomware Attacks Growing in Healthcare Sector, Victims Face Sanctions Risks from Paying Ransom

Monday, November 16, 2020

The threat of cyber-attacks is growing, particularly in the healthcare sector. That’s the conclusion of a new report issued by the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency warning of "an increased and imminent cybercrime threat" to the nation’s healthcare providers. The federal government said six hospitals were hit with ransomware attacks within a 24-hour timeframe between October 26 and October 27.

According to the report, cyber criminals are targeting hospitals and health systems with TrickBot and BazarLoader/BazarBackdoor malware, which can result in data theft and ransomware attacks.

The report warns that TrickBot – which is a descendant of Dyre malware – provides a full suite of tools to conduct illegal cyber activities that include credential harvesting, mail exfiltration, crypto-mining, and the deployment of known ransomware including Ryuk and Conti. The report further warns that the combination of BazarLoader and BazarBackdoor are a newer flavor of malware first appearing in early 2020. BazasLoader/BazarBackdoor have become a commonly used malware for deployment of several known ransomwares – including Ryuk.

Government agencies are encouraging “healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” including ransomware. They are advising those who may be targeted to increase protections of their networks, including regularly updating software, backing up data and monitoring who is accessing their systems.

It’s important to note that healthcare is not the only industry subject to risks. Malware attacks for deploying known ransomwares are affecting organizations across the economy, in the United States and around the world. From universities to local governments to law firms, recent attacks have crippled systems. For example, in the legal industry, large law firms such as Cadwalader, Wickersham & Taft and Seyfarth have recently been victimized.

Once a network is infected with ransomware, one of the only ways to restore the system is to pay a ransom. The FBI, however, warns against paying ransomware fines since it does not guarantee an organization will get access to the corrupted data or systems. The FBI also warns that paying ransomware demands only encourages perpetrators to target more victims.

Aside from the FBI warning, paying a ransomware demand now also poses additional risks for organizations.  For instance, a recent advisory from the U.S. Department of the Treasury highlights “sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.” As I previously posted, the advisory states organizations need to be deterred from paying cyber criminals because ransomware payments (1) could be used to fund activities adverse to the national security of the U.S.; (2) may embolden cyber actors to engage in future attacks; and (3) do not guarantee that the victim will regain access to its stolen data.  The advisory specifically identifies and prohibits ransomware payments made to cyber criminals located in sanctioned territories, including, at present, Cuba, Iran, North Korea, Syria, and the Crimea region. To the extent a U.S. person or entity facilitates the payment of a prohibited ransom, the advisory warns it can be subject to sanctions.

Mitigating Ransomware Attacks

To avoid being infected by malware attacks – and being susceptible to ransomware – mitigation plans and policies are not only recommended but should be implemented as part of an organizations daily practice. Some recommended practices an organization should implement include:

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records, and telehealth and telework infrastructure.
  • Create backups of critical systems and house the backups offline from the network.
  • Implement network segmentation – i.e., sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

Aside from these practices, organizations should also be implementing awareness and training for targeted end users.  Awareness and training should inform employees whom to contact when suspicious activity is identified, or if when subjected to a possible cyber-attack.

Conclusion

Risks of cyber-attacks is growing. It’s more important than ever to have plans and protocols in place to prevent an attack and respond to an attack if it occurs. For assistance with cybersecurity issues, please contact Brooks Kushman attorney John Rondini.