Ransomware

From Clinfowiki
Jump to: navigation, search

Ransomware is a type of malware (malicious software) that limits users from accessing all or part of their computer unless a ransom is paid, often in the form of cryptocurrency such as Bitcoin. Some forms of ransomware lock a computer’s screen and display a demand for payment. [1] The victim’s files remain untouched, however, and this form of ransomware can sometimes be removed without paying the attacker. [2] Newer ransomware called cryptoviral extortion encrypts a user’s files. This more advanced form of malware renders files inaccessible even if the malware is removed. [3] Thus, the victim must pay the attacker for the decryption key in order to regain access to his files.

History of encrypting ransomware

In 1989, Joseph Popp created the first known encrypting malware called the “AIDS Trojan” which was distributed on floppy disks via snail mail. This malware was limited in its design. The AIDS Trojan only encrypted the names of files and not the files themselves. Furthermore, the trojan used symmetric encryption (where the same key is used to encrypt and decrypt files) and the decryption key could be extracted from the code of the trojan. This made it unnecessary to pay ransom to reverse the effects of the trojan. [4]

The idea of using asymmetric or public key encryption was introduced by researchers Adam L. Young and Moti Yung 1996 at an IEEE symposium. [5] Actual ransomware using this scheme became increasingly common after 2005. [6] In asymmetric encryption, a different key is used for encryption (the public key) and for decryption (the private key). The public key is used to encrypt the victim’s files while the private key is known only to the creators of the ransomware. The ransomware’s effects cannot be overcome without paying for the private key. [5]

Mechanism of encryption

More recent malware such as CryptoLocker and WannaCry use a hybrid model combining asymmetric and symmetric encryption to capitalize on the strengths of both schemes. Using asymmetric keys allows the attackers to keep the private key secret. Symmetric keys allow encryption to occur more efficiently, enabling victim files to rapidly be encrypted. [7]

  1. The attacker creates a key pair. The public key is placed in the code of the malware. The private key is kept secret and known only to the attacker.
  2. When the malware is run on the victim’s computer, a random symmetric key is created locally and used to encrypt all of the victim’s files. This symmetric key is then itself encrypted by the public key in the malware and generates an asymmetric ciphertext. A message is sent to the victim with the asymmetric ciphertext and information on how to pay the ransom. The victim then sends both payment and the asymmetric ciphertext to the attacker.
  3. When the ransom is received, the attacker uses the private key to decrypt the asymmetric ciphertext to reveal the victim’s symmetric key. The symmetric key is sent to the victim.
  4. The victim then uses the symmetric key to decrypt the files. [8]

How ransomware infects computers

  • Email – Emails may contain infected attachments or links to infected websites.
  • Compromised Websites – Websites may have exploit kits which can infect a computer without any clicking. These websites contain malicious code that take advantage of vulnerabilities in software or browsers. If such a vulnerability exists (e.g., software patches that are not up to date), the exploit kit uses the vulnerability to download ransomware. [9] [10] [11] Even visiting reputable websites can expose a victim to exploit kits. For example, in 2016, malicious advertisements containing exploit kits affected The New York Times, the BBC, MSN, and AOL. [12]
  • Wormlike behavior – Certain ransomware uses a computer’s software vulnerabilities to spread throughout networks. For example, WannaCry and Petya spread via EternalBlue MS17-010. It exploited a vulnerability in Microsoft Windows operating system, specifically the network file sharing protocol Server Message Block 1.0 (SMB). This vulnerability allowed “applications on a computer to read and write to file and request services”, and the ransomware was distributed throughout local networks without any user action. Computers without the appropriate security patch were then infected and could spread the ransomware further. [13] [14]

Ransomware targets healthcare

The healthcare industry is a prime target for cyberattacks such as ransomware for many reasons.

Ease of attack

Hospital networks are quickly expanding to meet government requirements such as increased electronic health record information exchange. [15] However, the cybersecurity of these networks is not as robust as that of other industries like finance. The primary focus of healthcare IT systems is often patient care and rapid accessibility rather than cybersecurity [16][17]. In fact, it is estimated that less than 5% of hospital IT budgets are spent on security and there are often long delays before security patches are implemented [18] [19]. Hospitals are thus seen as “soft targets.”

Hospitals are more likely to pay ransom

Hospitals depend on rapid access to data in order to provide patient care. Ransomware attacks can result in compromised delivery of healthcare and lawsuits if patients suffer harm from delayed or cancelled appointments and procedures. This makes hospitals more likely to pay ransom to quickly regain access to critical and often irreplaceable data. [6] [20]

Healthcare data is valuable

Health data includes sensitive information such as social security numbers, insurance details, addresses, etc. Attackers can use this extensive information to perpetrate medical fraud and identity theft, access financial information, and extort money by threatening to reveal a victim’s personal history (15). The variety of possible criminal uses makes healthcare data valuable. A single patient’s health record can be sold on the black market for between $1.50 and $10. [21] This is up to ten times more valuable than a person’s credit card details. [22] However, this black market price of a single complete health record has actually fallen in 2016 due to the growing supply of breached healthcare data. (In 2015, the Department of Health and Human Services’ Office for Civil Rights estimates 113 million healthcare records were breached. [23] Before these large breaches, in 2012, a single record used to fetch $50 to $60 dollars. This fall in health record price has actually encouraged the number of ransomware attacks as cybercriminals need to steal more health records (or extort ransom) in order to achieve the same profit. [21]


The threat of ransomware to healthcare organizations is only expected to grow. The Verizon DBIR 2017 report showed that healthcare was the number two industry target for ransomware, behind Public Administration and ahead of Financial Services. In 2017, 72% of all malware incidents in the healthcare sector involved ransomware. [16] And the 2017 Experian Data Breach Industry Forecast report predicts that healthcare organizations will become the industry most heavily targeted by cybercriminals. [24]

Notable ransomware attacks on healthcare systems

  • February 5, 2016 – Hollywood Presbyterian Medical Center, a 434-bed acute care hospital, experienced a Locky ransomware attack and lost access to its computer systems. This caused severe disruptions and hospital staff had to rely on pen-and-paper. The systems were restored after the Hollywood Presbyterian paid the attackers $17,000 in bitcoin ransom. [25]
  • March 28, 2016 – 10 hospitals and 250 outpatient centers in the MedStar network, Washington DC were affected by ransomware, forcing a temporary shutdown of electronic health and email systems. [26]
  • March 2016 – Methodist Hospital in Henderson, KY was affected by ransomware and declared an “internal state of emergency” for five days until data was restored from backups. [6] [27]
  • March 18, 2016 – Chino Valley Medical Center and Desert Valley Hospital in Southern CA were attacked by ransomware. Affected computers and some hospital servers were temporarily taken offline in order to prevent further spread. Patient health records were not compromised but the attack caused significant disruption. [28]
  • 2017 – UK National Health Service – The WannaCry ransomware variant affected 48 UK NHS hospital trusts. Doctor’s offices were shut down, affected hospitals diverted patients to other facilities, and non-critical appointments and surgeries were cancelled. [29]
  • May 2017 – The first reports emerged of ransomware compromising medical devices in US hospitals. These attacks affected Bayer Medrad Windows based devices [30]

Impact of ransomware attacks on health systems

Ransomware attacks in healthcare systems are extremely damaging. First they endanger patient safety by preventing access to critical information in the medical record – e.g., allergies, medication lists, lab results, treatment plans, etc. Without this information, medical care can be rendered incorrectly or delayed. [20]

Legal ramifications for hospitals

As a result of the attack, a hospital may be subject to government action under the HIPAA Security Rule. [20] [31] A ransomware attack is considered a “security incident” defined as “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Due to the increasing frequency of ransomware attacks, the U.S. Department of Health and Human Services released a fact sheet giving detailed guidance regarding ransomware and requirements such as reporting of security incidents. [32] This fact sheet clarified that a ransomware infection is considered a HIPAA breach, defined as “… the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which comprises the security or privacy of the PHI.” [33] Specifically, ransomware encryption of protected health information is a breach since the data “was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” [32]

How to prevent ransomware infections

  • Keep software updated with patches and security updates – this leaves fewer vulnerabilities for malware to exploit
  • Run antivirus software and keep it up-to-date
  • Do not click pop-up windows or links in suspicious emails.
  • Back up data so that if a system becomes infected, the data can be restored.
  • Have an organizational security plan
  1. Set a companywide schedule for computers to get the latest software updates
  2. Educate employees on security awareness and data hygiene [34]


References

  1. Ransomware. Trend Micro. Published 2017. https://www.trendmicro.com/vinfo/us/security/definition/Ransomware.
  2. Geier E. How to rescue your PC from ransomware. PCWorld. Published April 3, 2017. https://www.pcworld.com/article/2084002/security/how-to-rescue-your-pc-from-ransomware.html
  3. Nagpal B, Wadhwa V. (2016) Cryptoviral Extortion: Evolution, Scenarios, and Analysis. In: Lobiyal D, Mohapatra D, Nagar A, Sahoo M. (eds) Proceedings of the International Conference on Signal, Networks, Computing, and Systems. Lecture Notes in Electrical Engineering, vol 396. Springer, New Delhi
  4. Wilding E., Skulason F. (eds) Virus bulletin. The authoritative international publication on computer virus prevention, recognition, and removal. Published Jan 1990. https://www.virusbulletin.com/uploads/pdf/magazine/1990/199001.pdf
  5. Young, A, Yung M. (1996). Cryptovirology: extortion-based security threats and countermeasures. IEEE Symposium on Security and Privacy. pp. 129–140. ISBN 0-8186-7417-2. doi:10.1109/SECPRI.1996.502676
  6. Zetter Kim. Why hospitals are the perfect targets for ransomware. Wired. Published Mar. 30, 2016. https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/
  7. Kappuswamy P, Al-Khalidi SQY. Hybrid encryption/decryption technique using new public key and symmetric key algorithm. MIS Review Vol. 19, No. 2, March (2014), pp. 1-13 DOI: 10.6131/MISR.2014.1902.01 https://pdfs.semanticscholar.org/87ff/ea85fbf52e22e4808e1fcc9e40ead4ff7738.pdf
  8. Can files locked by WannaCry be decrypted: a technical analysis. Symantec. https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
  9. Crowe J. Ransomware FAQ: how ransomware infects your computer. Barkly. https://blog.barkly.com/how-ransomware-infects-computers#infection Published Sept 2016.
  10. How ransomware infects computers. McAfee. https://www.mcafee.com/us/security-awareness/articles/how-ransomware-infects-computers.aspx
  11. Ransomware FAQ. Windows Defender Security Intelligence. https://www.microsoft.com/en-us/wdsi/threats/ransomware
  12. Goodin, D. Big-name sites hit by rash of malicious ads spreading crypto ransomware. Ars Technica. Published Mar 15, 2016. https://arstechnica.com/information-technology/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
  13. Grobman, S. WannaCry: the old worms and the new. McAfee. https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-old-worms-new/ Published May 12, 2017.
  14. Burgess, M. Everything you need to know about EternalBlue – the NSA exploit linked to Petya. Wired. Published June 28, 2017. https://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch
  15. Kruse CS, Frederick B, Jacobson T, Monticone DK. 2017. Cybersecurity in healthcare: a systematic review of modern threats and trends. Technology and Health Care 25 (2017) 1-10.
  16. 2017 Data breach investigations report. 10th ed. Verizon. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
  17. Bai G, Jiang J, Flasher R. Hospital risk of data breaches. JAMA Intern Med. 2017;177(6):878-880. doi:10.1001/jamainternmed.2017.0336
  18. AHC Media LLC. Hackers target hospitals with “ransomware”. ED LEGAL LETT. 2016 Apr; 27(4): also available https://www.ahcmedia.com/articles/137468-hackers-target-hospitals-with-ransomware
  19. Newman, LH. The ransomware meltdown experts warned about is here. Wired. Published May 12, 2017. https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/
  20. Cohen IG, Hoffman S, Adashi EY. Your money or your patient’s life? Ransomware and electronic health records. Ann Intern Med. 2017;167(8):587-588
  21. Increase in ransomware and cyberattacks linked to fall in price of health data. HIPAA Journal. Dec 2016. www.hipaajournal.com/increase-in-ransomware-and-cyberattacks-linked-to-fall-in-price-of-health-data-8622.
  22. Chinthapalli K. The hackers holding hospitals to ransom. BMJ 2017;357:j2214
  23. 2015: the year of the healthcare data breach. HIPAA Journal. Published Dec. 29, 2015. https://www.hipaajournal.com/2015-the-year-of-the-healthcare-data-breach-8239/
  24. Fourth annual 2017 Data Breach industry forecast. Experian. https://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf
  25. Winton R. Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times. Published Feb 18, 2016. http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
  26. Virus forces shutdown of Medstar Health System’s 10-hospital computer network. HIPAA Journal. Published Mar. 29, 2016. https://www.hipaajournal.com/virus-forces-shutdown-medstar-health-systems-10-hospital-computer-network-3372/
  27. Monegain B. Methodist Hospital recovering from five day ransomware attack, claims it did not pay up. HealthcareITNews. Published Mar. 22, 2016. http://www.healthcareitnews.com/news/methodist-hospital-recovering-five-day-ransomware-attack-claims-it-did-not-pay
  28. Two more Californian hospital ransomware attacks reported. HIPAA Journal. Published Mar. 23, 2016. https://www.hipaajournal.com/two-more-californian-hospital-ransomware-attacks-reported-3368/
  29. Erlanger S, Bilefsky D, Chan S. U.K. Health Service ignored warnings for months. The New York Times. Published May 12, 2017. https://www.nytimes.com/2017/05/12/world/europe/nhs-cyberattack-warnings.html
  30. Fox-Brewster, T. Medical devices hit by ransomware for the first time in US hospitals. Forbes. Published May 17, 2017. https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#75b8806b425c
  31. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-91 (1996).
  32. Department of Health and Human Services. Fact Sheet: Ransomware and HIPAA. Accessed at www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf on 26 May 2017.
  33. 45 C.F.R. § 164.302-.318 (2016).
  34. Chen, BX. How to protect yourself from ransomware attacks. The New York Times. Published May 15, 2017. https://www.nytimes.com/2017/05/15/technology/personaltech/heres-how-to-protect-yourself-from-ransomware-attacks.html

Submitted by Abigail Huang