Protecting from Ransomware in Healthcare Can Mean Life or Death

Posted by Geraldine Hunt on Thu, Jan 14th, 2021

A ransomware attack in the Healthcare sector led to fatal consequences. A cyber-incident was reported in Germany that led to the unnecessary death of an elderly woman suffering from an aortic aneurysm. The woman’s ambulance was rerouted to an alternative hospital, because the original hospital shut down emergency services due to a ransomware attack. This incident is considered the first ransomware attack responsible for a death.

Hackers Find Vulnerabilities in Common Software

For security researchers, keeping up to date with the latest vulnerabilities in common software is part of the job, but for the average network administrator, reading the Common Vulnerabilities and Exposures (CVE) is not a common daily task. Oftentimes administrators are too busy to research cybersecurity incidents. Many administrators also lack the understanding of cybersecurity to defend against common attacks.

The CVE database is available publicly, and attackers use it to formulate sophisticated attacks against organizations that have not patched their systems. Unpatched software is responsible for the University Hospital Düsseldorf’s downtime and its ability to only treat half of its normal 1000-patient capacity. The hospital claims that it patched the Citrix software responsible for the ransomware attack, but it’s clear that the patch was either incomplete or never patched at all in January when it was released.

The critical vulnerability, if exploited, would allow an attacker to perform remote code execution on the targeted system. Critical vulnerabilities are rare for any major software vendor, but when they happen administrators should make patching a priority. Unfortunately, since administrators don’t normally review the CVE database regularly, they are unaware of the vulnerability until it’s too late.

Paying the Ransom Doesn’t Always Result in Data Recovery

In many ransomware attacks, targeted organizations have no choice but to pay the ransom. The University Hospital had 30 corrupted servers with massive amounts of data encrypted using the ransomware’s key. Not even the hospital's email was functioning at the heart of the attack. Ransomware authors make efforts to encrypt any important files found on the network. The malware will scan the network and find important files, encrypt them with the attacker’s key, and only the private key can be used to decrypt data. The encryption algorithm used is cryptographically secure, so even the best security researchers are unable to crack the code.

Ransomware that does not result in decryption is inefficient for attackers, so in many scenarios the private key is delivered for data recovery. In this ransomware attack, the data encrypted was so massive that decryption failed. The hospital suffered several days of downtime and required security experts to safeguard the organization against further attacks. The patient’s death was a tragedy caused by unpatched systems, but it’s questionable if authorities will charge attackers with direct responsibility for the patient’s death.

Ransomware Continues to Be a Severe Threat

Many small businesses and even larger organizations don’t have the resources for a full-time security researcher and analyst, so they rely on system administrators without the necessary cybersecurity skills to protect from sophisticated attacks. The solution to this problem is to use cybersecurity tools that will detect vulnerable software and network resources. Another solution is using tools that stop attacks on common vectors. A common vector for ransomware attacks is phishing.

Using email filters, many of the common ransomware attacks can be stopped before users can run the executable code. Although this does not stop remote code execution vulnerabilities, email cybersecurity is a great first step to protecting the organization’s infrastructure from most ransomware attacks.

Usually, ransomware starts with a malicious email message addressed to users within the organization. The email messages could be sent to targeted users, or attackers could email random users. Targeted users usually have high-privileged accounts, but random high-volume messages only require one user to fall victim to the phishing email. With email cybersecurity and filters, these messages never reach the targeted user’s inbox, so the risk of threats is eliminated.

Another common cybersecurity defense is content filters. Using DNS-based content filters, system administrators reduce the risk of users downloading ransomware and other malware that can damage the local device. Stopping the malware from being downloaded is a major defense strategy for enterprise organizations with enough employees that just one successful attack could destroy productivity and revenue.

The attacker responsible for the University Hospital ransomware is still unknown. The attackers may never be brought to justice, but this tragedy should serve as a warning to other organizations that ransomware can have dire consequences. With the right cybersecurity tools including email and content filters, administrators can protect the organization’s network from one of the worst threats in the wild.

You can protect your organisation from cyber-attacks, with minimal cybersecurity skills using the TitanHQ products, SpamTitan and WebTitan.  Get in contact with a TitanHQ team member and discover how you can easily protect your organization.