Ransomware and the Ultimate Fallback
With recent, acute cyberattacks, including the Colonial Pipeline takedown, ransomware continues to crescendo as a burning topic and top priority for executives. However, ominous impacts are being realized far beyond cyberspace and corporate coffers – as the aftershocks are felt by not only organizations, but also the general public. Lines at gas stations and inflated prices were prime examples.
Zooming in closer to home, multiple San Diego area Scripps hospitals were hit with ransomware on May 1st and continue to be heavily impacted due to unnamed ransomware. Little information is available about the takedown, remediation progress, or projected restoration timelines. Word on the street is the hospitals are being forced to revert to pen and paper to function in a significantly downgraded mode (more on that topic later). Inbound patients were being diverted to other area hospitals, placing a strain on EMS systems doing transport and ER/Admissions at other facilities, all during ongoing COVID healthcare facility impact.
Given the dearth of low-level information about this attack, let’s step back for a bit and discuss ransomware in general.
The ransomware kill chain has lengthened considerably. Back in the day, attacks involved simple email attachment execution which was limited to the privileges and file/data access of the person who was not trained about phishing. Today, common kill chains start with a variety of entry points (including phishing, externally available RDP services, VPNs, network/security element zero days, etc.) and then progress to an array of nefarious activities. In a presentation that I created 6 years ago called Anatomy of a Hack, I would walk an audience through an interactive hack of a system, starting from nothing more than a business card obtained during a conference.
Using an Internet-accessible, insecure web application as the entry point, I would hack my way into internal networks, exfiltrate sensitive data, inject highly targeted backdoor code into applications being developed, create multiple persistence mechanisms (so I could get back in later even if they booted me out), and LASTLY encrypt files/data just before launching the ransom note. Many people still think that a ransomware attack is JUST the encryption part. In-fact, it is often the last stage of the kill chain.
In Scripps’ case, it is likely that PHI (Protected Healthcare Information) was exfiltrated from their networks, given the modus operandi of other ransomware attacks. If that is the case, there are state and federal laws -- for example the Health Insurance Portability and Accountability Act (HIPAA) of 1996-- mandating breach notification with some very explicit specifications. Decryption of the data left in place is another matter entirely.
The key to stopping ransomware attacks is to inject as many defensive mechanisms as possible throughout the kill chain. That means at points such as the ill-defined and ever-expanding network security “perimeter”, the new “internal” networks, at the host/machine level, data level, email stream, personal cloud services streams, removable media, BACKUPS, protection of online BACKUPS, the creation of OFFLINE
BACKUPS (notice a theme here?), the unsecured 3rd party companies that are part of the supply or demand chains, cloud infrastructure, outsourced IT, etc. An incredibly daunting, lengthy, and expensive task, but one that must be undertaken regardless.
The final safety net, that last-ditch maneuver, is the proverbial elephant in the room, something no one wants to talk about: manual systems.
Falling back to manual systems is never a popular notion. Finance teams shake their fingers at it because it adds extra cost, the very costs they drove down by removing as many expensive humans from the loop as possible. Task performers dread it. Besides having to learn using multiple complex systems, oftentimes double-entering information or function as the integration mechanism, they understand how to revert to using manual systems.
Backing down the tech stack from high-tech to low-tech, and possibly all the way to manual, all during an emergency situation-- where people’s very lives may be on the line and the entire world may be watching -- that is a process which I would not wish on my worst enemy. Well, maybe (just kidding).
To that end, below are some simple steps to assist, should your organization be forced to tread that ugly path.
Manual systems, oftentimes physical, must be maintained to the greatest extent possible and updated and tested on a regular basis.
Manual processes must be documented.
Personnel must be trained in the usage of, and transition to, manual systems upon hire and on a regular basis throughout their employment.
Forms must be stored in electronic format and enough copies pre-printed and stored onsite in a manner allowing for rapid access (maybe even using the infamous 3-ring binder), allowing management personnel to provide real-time, on-the-ground directions to employees. For all other staff, forms may be printed on-the-fly during the crisis.
BCP/DR plans should be sharpened and prepared to handle a fallback to manual generally and an incident of ransomware specifically.
Organizations need to retain cyber-experienced legal counsel and cybersecurity insurance from a carrier that can handle ransomware events. This should include managing financial hostage negotiation of your critical data. The more high-profile the organization, ESPECIALLY critical infrastructure, the greater the need for employment of an emergency critical messaging capability. This capability, whether an internal group or an external agency, is needed to deal with incident information management, including interfacing with law enforcement, other government agencies, press agencies, and direct inquiries from the general public.
Yesterday was the right day to prepare for ransomware and a fallback to manual.
To learn how you can emulate a Ransomware attack to determine your readiness, CLICK HERE.