More and more hospitals and medical facilities are falling victim to ransomware.
Those impacted are under siege, relying on pen and paper to run the business as electronic data and systems are taken hostage.
At the hands of ransomware, critical business functions, such as email and payroll, are unavailable. Patient-facing applications such as Electronic Medical Records (EMR), as well as the systems responsible for CT scans, documentation, lab work and pharmacy functions, are no longer available either. A state of emergency is declared and manual processes are engaged while patients are turned away and transferred to other hospitals. Attackers are throwing health institutions into the Dark Ages one by one and putting patient lives at risk – a literal life and death situation.
For those lucky enough not to have been besieged, a brief background on ransomware is required. It’s the modern-day take on kidnapping, but at a data and access level; it’s digital extortion.
It has seen extraordinary success through an effective payment channel (Bitcoin) and multiple attack vectors (phishing emails, infected files, and infected webpages). These are combined with a reduced risk to the attacker on monetization since data does not have to be exfiltrated and sold to various criminal organizations. Instead victims are extorted in order to regain access to their data and networks.
Today’s attackers and criminal enterprises have incorporated their own innovation to reduce the friction of these transactions.
Victims can recover data faster using self-service and chat support. They are given customized step-by-step directions to guide them through the process of paying the ransom. To create a sense of urgency, a countdown timer is activated and the victim is warned that the data will be unrecoverable within two to three days. Usually, the privacy of patient and employee records is not compromised.
There are, however, incidents where data is held for ransom and victims are blackmailed with the threat of disclosure if payment demands are not met. At a minimum, disruption occurs when systems are shut off to prevent the spread from infected hosts. Regaining access to data can cost hundreds of dollars for consumer victims, while institutions have paid in the tens of thousands to regain access to networks and systems.
Ransomware like Locky, KeRanger, Cryptolocker, CryptoWall and TeslaCrypt, amongst 50 other variants, search local and network drives and encrypt critical files. The attackers, in turn, demand payment for the private key required to decrypt and regain access. Ransomware has been a plague on consumers for years, but in the last year, criminal organizations have been heavily targeting the healthcare industry. And it’s threatening expansion into other industries, including Banking and Finance.
I recently met with Citrix Chief Security Strategist Kurt Roemer to discuss this current trend in cyber extortion. He shared his thoughts around using virtualization as a framework supporting a non-traditional approach to thwart ransomware.
The traditional approach, which has failed spectacularly lately – across multiple organizations – depends largely on educating end users against attacks that are a combination of social engineering and malware. This includes:
- Educating end users to be on the lookout for and be wary of phishing attempts and other attacks
- Educating end users not to click on hyperlinks from unknown or untrusted sources
- Educating end users not to install software or purported updates from unknown sites
- Running antivirus and antimalware solutions to detect ransomware payloads
- Backing up data often so that multiple restore points are available (this might not work for transactional databases)
- Having a cache of Bitcoins available in the event that the above approaches fail
While the traditional approach is critical in a defense-in-depth strategy, several practices and mitigations that would further thwart ransomware attacks are missing. These reflect a more application-centric approach to security:
- Sandboxing of the email client and browser
- Security hardening of the OS and critical applications
- Using one-time-use disposable browser sessions for all Web access and hyperlinks
- Configuring security to be application-specific and contextual
- Disabling active content by default and only enabling when needed on a per-app basis
- Whitelisting of only the acceptable domains and services required by the specific application
This is not an exhaustive list, but it’s a good start.
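To make the application-specific, contextual items in the list above concrete, here is an added illustration (not code from Citrix or from the original article) of a per-application browser policy: each published application carries its own domain allowlist, active content is off unless the profile turns it on, and any link that falls outside the profile is routed to a disposable sandboxed session rather than opened in the application's browser. All application names, domains and profile fields are hypothetical.

```python
"""Per-application, contextual URL policy (added illustration, not vendor code).

Each published app gets a browser profile: an allowlist of hosts, a default-deny
stance on active content, and an allowed-scheme set. Anything that does not fit
the profile is not simply blocked; it is redirected to a one-time-use sandbox
browser, which is the routing rule the article describes for email hyperlinks.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AppProfile:
    name: str
    allowed_domains: frozenset   # exact hosts, or ".suffix" entries for a whole zone
    allow_scripts: bool = False   # active content stays off unless the app needs it
    allowed_schemes: frozenset = frozenset({"https"})


# Constructed, hypothetical profiles for two published applications.
PROFILES = {
    "emr": AppProfile(
        name="Electronic Medical Records",
        allowed_domains=frozenset({"emr.example.org", ".example.org"}),
        allow_scripts=True,           # the EMR front end genuinely needs JavaScript
    ),
    "email": AppProfile(
        name="Webmail",
        allowed_domains=frozenset({"mail.example.org"}),
        allow_scripts=False,          # mail client runs with active content disabled
    ),
}

# Profile used when the requesting application is unknown: nothing is trusted.
DEFAULT_PROFILE = AppProfile(name="default", allowed_domains=frozenset())


def split_url(url):
    """Return (scheme, host) with the host normalised.

    urlsplit().hostname drops any userinfo, so a lure such as
    https://emr.example.org@evil.example.net/ yields evil.example.net,
    which is the host the browser would actually connect to.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    return parts.scheme.lower(), host


def host_allowed(host, allowed_domains):
    """Exact-match plain entries; '.suffix' entries match the zone and its apex."""
    for entry in allowed_domains:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def decide(profile, url):
    """Return ("allow", scripts_enabled) or ("sandbox", False) for one link."""
    scheme, host = split_url(url)
    if scheme not in profile.allowed_schemes or not host:
        return ("sandbox", False)
    if host_allowed(host, profile.allowed_domains):
        return ("allow", profile.allow_scripts)
    return ("sandbox", False)


def route(app_id, url):
    """Look up the profile for a published app and route the link."""
    return decide(PROFILES.get(app_id, DEFAULT_PROFILE), url)


if __name__ == "__main__":
    for app_id, link in [("emr", "https://emr.example.org/chart/123"),
                         ("email", "http://mail.example.org/inbox"),
                         ("emr", "https://emr.example.org@evil.example.net/")]:
        print(app_id, link, "->", route(app_id, link))
```

The suffix rule is deliberately strict: `.example.org` matches `lab.example.org` but not `emr.example.org.evil.net`, and the scheme check sends plain-HTTP links to the sandbox even when the host is on the list.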
Why aren’t these essential practices in common use today to protect organizations, sensitive data and users? Because they’d have to be installed and maintained on every endpoint – and that’s easier said than done.
Using virtualization, ransomware attacks can be further mitigated by adopting the following approach:
- Publish a virtualized, sandboxed, and hardened email client.
This can be either a traditional native client such as Microsoft Outlook, or web-based email including Google Gmail and Microsoft Office 365. Publishing the email client ensures that all required security settings are configured and consistent for all users and specific to use cases.
Antivirus, DLP (data leakage protection), whitelisting and other technologies are integrated with the published email application and are therefore not endpoint-dependent or endpoint-limited. Furthermore, by using virtualization, only the pixels representing the email app are sent to the endpoint – no email messages, attachments or other data are actually sent to the endpoint.
- Publish virtualized, sandboxed, and hardened browsers that are application and usage-specific.
Multiple browsers such as Internet Explorer and Chrome can be published, and multiple versions can be maintained as required by specific applications. By configuring the browser specifically to support the unique security needs of each application and use case, extraneous settings, unnecessary active content and other undesired capabilities can be disabled. The virtualized browser also keeps sensitive data off the endpoint.
- All web usage, including hyperlinks in emails and social media apps, is redirected to open in the sandboxed one-time-use virtual browser.
This browser instance does not have access to other applications, the endpoint, file shares, or other sensitive resources. Content inspection, whitelisting and other security measures can be integrated with the sandbox browser.
- Endpoint inspection checks that required antivirus, firewall, OS levels, patches and other security measures are available on Windows and Mac endpoints.
USB firewalling is configured to specify the use (or disallowance) of USB keys and peripherals on a per-application basis. If a more minimal endpoint footprint is desired, thin and zero clients, Chromebooks and other security-hardened endpoints work great with virtual apps and desktops.
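The endpoint inspection and per-application USB policy in the last step can be expressed as a policy check run before a session is granted. The following is an added example, not Citrix code and not a description of any product's actual checks; the posture record, application policies, build numbers and thresholds are all constructed for illustration.

```python
"""Endpoint posture gate for published applications (added illustration).

A posture record (hypothetical fields, as an endpoint agent might report) is
evaluated against the policy of the application being launched. Every failed
requirement is returned so the operator can see why access was refused.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    min_os_build: str              # e.g. "10.0.14393"
    max_signature_age_days: int    # antivirus signatures older than this fail
    max_patch_age_days: int        # days since last OS patch install
    required_firewall_profiles: frozenset
    usb_storage_allowed: bool      # per-app USB firewalling decision


def parse_build(build):
    """Turn "10.0.14393" into (10, 0, 14393) so comparison is numeric.

    Comparing build strings lexically is a classic mistake: "10.0.9" > "10.0.14393"
    as text, which would pass an old build.
    """
    return tuple(int(part) for part in build.split("."))


def evaluate(posture, policy):
    """Return a list of failures; an empty list means the session may start."""
    failures = []
    if not posture.get("av_enabled"):
        failures.append("antivirus not enabled")
    if not posture.get("realtime_protection"):
        failures.append("real-time protection off")
    if posture.get("signature_age_days", 10**6) > policy.max_signature_age_days:
        failures.append("antivirus signatures out of date")
    missing = policy.required_firewall_profiles - {
        name for name, enabled in posture.get("firewall_profiles", {}).items() if enabled}
    if missing:
        failures.append("firewall disabled for profiles: " + ", ".join(sorted(missing)))
    try:
        if parse_build(posture.get("os_build", "0")) < parse_build(policy.min_os_build):
            failures.append("OS build below minimum")
    except ValueError:
        failures.append("OS build unreadable")
    if posture.get("last_patch_age_days", 10**6) > policy.max_patch_age_days:
        failures.append("OS patches too old")
    if posture.get("usb_storage_attached") and not policy.usb_storage_allowed:
        failures.append("USB storage attached but not allowed for this application")
    return failures


# Constructed policies: the EMR app is stricter and never permits USB storage.
POLICIES = {
    "emr": AppPolicy("10.0.14393", 3, 30, frozenset({"Domain", "Private", "Public"}), False),
    "email": AppPolicy("10.0.10240", 7, 60, frozenset({"Domain", "Public"}), True),
}

# Constructed posture report from a hypothetical endpoint agent.
SAMPLE_POSTURE = {
    "av_enabled": True,
    "realtime_protection": True,
    "signature_age_days": 5,
    "firewall_profiles": {"Domain": True, "Private": False, "Public": True},
    "os_build": "10.0.14393",
    "last_patch_age_days": 12,
    "usb_storage_attached": True,
}


def session_allowed(app_id, posture):
    return evaluate(posture, POLICIES[app_id]) == []


if __name__ == "__main__":
    for app_id in POLICIES:
        print(app_id, evaluate(SAMPLE_POSTURE, POLICIES[app_id]) or "OK")
```

With the sample posture, the email policy accepts the endpoint while the EMR policy refuses it on three counts (stale signatures, private firewall profile off, USB storage attached), which is the contextual, per-application outcome the article argues for.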
Citrix has further detailed guidance on hardening virtual apps and desktops, securing published browsers and how to integrate solutions from Citrix Ready security partners.
Virtualization provides a strong framework for implementing security measures across any endpoint and usage scenario, including employee usage, BYO and third-party access. By implementing the highlighted recommendations and working with your CSO to configure organization-specific security measures, you are better protected against dangerous attacks, ransomware included, than in a traditional model.
While no strategy is absolutely 100% secure, by using a virtualized and extended security framework, you will likely get to keep many more of your Bitcoins.