State and local law enforcement agencies and local public hospitals and healthcare facilities are prime targets for ransomware, according to cybersecurity experts, because of the nature of their networks and the ignorance of their workers, who are often untrained on how to avoid such attacks.
Ransomware, through which malicious actors infect a computer system or network with malware and hold data or the system hostage in exchange for payment, has recently infected some high-profile targets, including Apple’s Mac OS X operating system.
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, told StateTech that ransomware is frequently aimed at the healthcare industry now, but other sectors remain vulnerable. Despite the widespread danger, he said there are concrete steps organizations’ information security teams can take to reduce IT security risks.
In February, Hollywood Presbyterian Medical Center in Los Angeles was hit by a ransomware attack and was unable to access its computer systems for nearly two weeks after the hackers encrypted its data. As the Guardian reported, the hospital regained access only after it paid the attackers $17,000 in the digital currency bitcoin.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom,” Allen Stefanek, president and CEO of Hollywood Presbyterian, said in a letter. “In the best interest of restoring normal operations, we did this.”
Last week, the Melrose Police Department in Massachusetts purchased a bitcoin for $489 and turned it over to cybercriminals to regain access to its network after they infected a detective’s laptop with an email virus, according to the Melrose Free Press.
Scott said that in terms of ransomware, “the healthcare industry as a whole is absolutely the weakest link in our nation’s critical infrastructure.” The reason? Partly because there are numerous devices in hospitals that are connected to the Internet but are unsecured or have not been patched, and hospitals are environments where there is a lot of data flowing through wired and wireless networks.
With hospitals and law enforcement agencies, hackers will try to get employees to click on spear phishing emails that use terminology appearing to be work related but that in fact carry malware, Scott said. So they might send hospitals messages purporting to be from medical-device vendors or that discuss a billing issue. Or cybercriminals will engage in a “watering hole” attack, whereby they infect with malware a website that users frequent regularly (such as that of an industry-related organization or association), thus eventually getting into the company networks of the victims.
“It’s more about manipulating human psychology and the human element, as opposed to technological sophistication,” Scott said. “They are not considered as of yet to be an advanced persistent threat.”
Besides hospitals and law enforcement agencies, public elementary and secondary schools are also likely ransomware targets, Scott said. Ransomware is more likely to infect organizations “that are known for being lackadaisical with their cybersecurity hygiene,” he added, noting that law enforcement agencies are typically not too tech-savvy and there is not a lot of training on spear phishing attacks.
But there are steps government agencies and other organizations can take to mitigate ransomware threats, according to Scott. The first is that they should have an information security team that is separate from their IT team. The former should check on third-party vendor relationships to make sure all devices are patched and secure. The information security team is also typically the only group that is able to put together a true crisis-response strategy, he said, and should conduct a threat analysis to find out where the weakest links are for an organization.
A second key step is for the information security team to engage in training and awareness so an organization can develop and use cybersecurity hygiene best practices and make sure staffers follow them. Scott said this work should cover both threats targeting specific industries and general threats.
Organizations should also establish policies and procedures to ensure that all computer systems are set up properly with anti-virus and anti-malware software and are connected to user-behavior analytics systems to monitor users.
Finally, Scott said agencies should make sure they create layered security systems. That involves whitelisting certain traffic for firewalls and also explicitly denying traffic from sources like TOR and I2P (which let users surf the web and send data anonymously).
In addition to layered anti-virus and anti-malware systems, Scott recommends that organizations have backup and redundancy systems to securely back up data. “It’s not enough to just do it at the end of each day,” he cautioned. “It should be done in real time.”