A Ransomware Attack:
Lessons Learned

By: Barbara Rubel, MBA, FRBMA
Senior Vice President, Marketing & Client Services

Healthcare is more connected than ever, and vast amounts of protected health information (PHI) reside on interconnected networks.  To further complicate the cyber security landscape, COVID-19 has opened the door to new cyber threats.  Cyber-attacks happen most frequently through Microsoft Word attachments in an email.  Known as “phishing,” these emails look like legitimate messages; however, the attachments typically contain malware designed to harvest credentials or infect systems.  Many wonder why they are being targeted, yet the more common approach, known as “spray and pray,” is to send out tens of thousands of emails in the hope that someone will take the bait.

Definitions

Malware

Malware is any malicious software program that has negative behaviors or can be used by hackers to attack enterprise networks and systems.  In healthcare, malware is often used to access and download PHI for monetary gain, hijack systems for ransom, or delete data.

Virus

A virus is a small computer program designed to spread from one computer to another, and its goal is to interfere with a computer system’s operations.  Viruses are commonly spread in email attachments or instant messages; once a file is infected, it is modified from an ordinary file into a carrier that can then infect other files and data.

Worm

A worm is like a virus in that it can spread from computer to computer, taking advantage of information or the file transport features of your system.  Worms are dangerous because of their ability to replicate throughout a system.

Trojan Horse

A Trojan horse is a common but dangerous program (unauthorized code) that hides within legitimate programs.  Trojan horses can perform functions without the end user’s knowledge, and they can spread throughout a system, infecting files and wreaking havoc on a computer.

Backdoor Programs

Backdoor programs such as rootkits allow a hacker to gain administrative access to a computer system through a backdoor (a mechanism also used legitimately by IT professionals).  Some rootkits, designed to hide their existence, are used by individuals who are not authorized to access the system under attack or its data.

Big Companies Hit with Ransomware

Garmin is one example of a big company hit with ransomware, and the Colonial Pipeline was attacked in May 2021.  A criminal gang known as DarkSide took responsibility.  DarkSide cultivates a “Robin Hood” image of stealing from corporations and giving to charity, and claims it does not attack hospitals, nursing homes, educational or government targets.

R1 RCM, a $1.18B medical collection firm, was hit with ransomware called Defray, whose delivery mechanism is a malicious email that appears to come from the Information Technology Manager of a hospital.  A malicious Word or Excel document is attached, and when an employee opens the document, the entire company is infected.

MSN Healthcare Solutions was attacked by Ryuk on December 4, 2019.  Ryuk first appeared in 2018 and is believed to be used by Russian criminal groups.  Ryuk uses Trickbot[1] malware to install itself once access is gained to a network’s servers.  It can find and disable backup files kept on shared servers, and a demand for payment is then made to release the data that the malware has made useless by encryption.  Ryuk infects and takes control of a computer network through phishing campaigns; these campaigns contain either links to malicious websites that host the malware or attachments carrying the malware.  Loaders start the infection sequence by distributing the payload and installing it on the victim’s machine.

Once Ryuk takes control of a system, it encrypts the stored data, making it impossible for users to access unless a ransom is paid in untraceable bitcoin.  Days or weeks may elapse between the time the hackers gain access and the time the massive encryption occurs, which allows for deeper penetration into the network to inflict maximum damage.  Ryuk also finds and encrypts network drives and disables the Microsoft Windows System Restore feature that would otherwise allow restoring the computer’s system files, applications, and Windows Registry to their previous, unencrypted state.

[1] Trickbot is a recognized banking Trojan that targets both businesses and consumers, harvesting banking information, account credentials, and PHI.

Immediate Recovery Steps

MSN’s immediate recovery steps included deleting and reloading all servers from backup to a restore point prior to the infection.  All the servers are virtual; they were deleted and clones were downloaded from MSN’s disaster recovery site.  Database servers were pulled down and restored from an offsite, independent data recovery site, and each server was brought up and scanned individually before being brought back online.  The entire VMware desktop environment was rebuilt from scratch with new images, and passwords were reset for all domains, appliances, service accounts, switches, firewalls, printers and management consoles.

All remote site workstations were reloaded from scratch, and remote sites were brought back online individually.  All traffic was monitored for two hours before access was given to all subnets, and VPN tunnels were brought back online individually and monitored for infection.  HL7 and FTP interfaces were monitored for irregular activity, and packet monitoring was watched closely during reload of the network to verify that no data exfiltration or “bad actor” traffic was passing through the firewalls.

Post Recovery Preventive Measures

Multiple agents, including Cylance AV, Cylance Optics, Cylance Huntress, and InfoCyte, were loaded on all servers, desktops, and Virtual Desktop Infrastructure (VDI) environments to prevent and report any further infections.  Canary files (decoy files that no legitimate process should touch, so that any tampering by a virus triggers an alarm) were also placed on all network nodes to alert on and isolate future infections.
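To show the mechanism behind the canary files described above, here is an added example (not MSN’s or any vendor’s tooling) that baselines a set of decoy files with SHA-256 and reports any file that is later modified, deleted or renamed, the three things an encryptor does to a file. The file names, contents and the `.encrypted` suffix are constructed for the demonstration.

```python
"""Canary-file integrity check for ransomware detection (added example)."""
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths):
    """Record each canary's digest while the system is known clean."""
    return {p: sha256_of(p) for p in paths}

def check_canaries(baseline):
    """Return (path, reason) alerts; an empty list means every canary is intact."""
    alerts = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            # Ransomware commonly writes a new file name or appends an extension.
            alerts.append((path, "missing: deleted or renamed"))
        elif sha256_of(path) != expected:
            alerts.append((path, "modified: contents differ from clean baseline"))
    return alerts

def demo():
    """Constructed scenario: two decoys, one overwritten in place, one renamed."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("Q4_payroll.xlsx", "patients_2019.docx")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"decoy content, never opened by staff\n")
    baseline = take_baseline(paths)
    assert check_canaries(baseline) == []          # clean system: no alerts
    with open(paths[0], "wb") as f:                # simulate in-place encryption
        f.write(os.urandom(64))
    os.rename(paths[1], paths[1] + ".encrypted")   # simulate rename after encryption
    return sorted(reason.split(":")[0] for _, reason in check_canaries(baseline))

if __name__ == "__main__":
    print(demo())  # ['missing', 'modified']
```

In production the baseline would be stored off-host and `check_canaries` run on a short timer, with any non-empty result used to isolate the node, as the article describes.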

A third-party security firm was employed to monitor all Cylance, Huntress, InfoCyte and firewall logs using Security Information and Event Management (SIEM) software.  SIEM software gives security professionals insight into and a track record of the activities within their IT environment.  The firm was also given the ability to shut down remote nodes (terminals or computers that are separate from the main network) in the event of detection. 

Ingress and egress DMZ zones (a security perimeter that monitors and validates all traffic trying to transit between networks) were added to separate and isolate the nodes used to gather Client data from the main network.  Additional firewalls and Intrusion Prevention Systems (IPS) were added to the newly created traffic zones for more granular control of the data.

Email Management

Extensive security training was implemented through Barracuda PhishLine, a program that teaches users how to identify and respond to potential security risks.  Bi-annual training courses are completed by all end users, and mock phishing emails are sent regularly to test end user compliance with the procedures for suspected phishing emails.  PhishLine reports document both compliant users and users who need more training.  Annual HIPAA compliance training is required of every end user and likewise reports users who need additional training.  New notifications are placed on Intranet alert zones to make end users aware of known phishing scams or current spam attacks on company email, and multi-layered spam filtering is in place and monitored for attack patterns.

MSN IT has taken many steps to protect employees and the company from attacks; however, it is ultimately the employees’ responsibility to ensure emails are legitimate.  Employees are to review all emails in their entirety, and they understand that just because an email states it is from Bo Trotter, if the email address is btrotter@mmonroe.com it is illegitimate and should not be opened.  Anyone can open an email account on Gmail, Yahoo or Microsoft and put any name as the owner, so checking and double-checking EVERY email is essential.  Employees are required to report emails they believe are malicious or phishing emails immediately.
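The display-name check the paragraph asks employees to make by hand can also be automated at the mail gateway. The added example below (not MSN’s filter) parses a From: header and flags the case from the article, a known employee name paired with an address outside the company’s domains; the employee directory and the `example-healthcare.com` domain are constructed.

```python
"""Flag display-name impersonation in From: headers (added example)."""
from email.utils import parseaddr

# Constructed: the organisation's own sending domains and a small directory of
# employee names, each stored as a set of lower-case name tokens.
COMPANY_DOMAINS = {"example-healthcare.com"}
EMPLOYEES = {frozenset({"bo", "trotter"}), frozenset({"barbara", "rubel"})}

def name_key(display_name: str) -> frozenset:
    """Normalise 'Trotter, Bo', 'Bo Trotter' and 'BO TROTTER' to one token set."""
    return frozenset(display_name.replace(",", " ").lower().split())

def classify_sender(from_header: str) -> str:
    """Return 'ok', 'impersonation' or 'external' for a raw From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in COMPANY_DOMAINS:
        # Assumes the gateway enforces DMARC for our own domains, so a From:
        # on a company domain that reached the mailbox was not forged.
        return "ok"
    if name_key(name) in EMPLOYEES:
        return "impersonation"      # internal name on an external mailbox
    return "external"               # unknown sender: normal vendor/client mail

def triage(headers):
    """Classify a batch of constructed From: headers for the quarantine queue."""
    return [(h, classify_sender(h)) for h in headers]

if __name__ == "__main__":
    samples = [
        "Bo Trotter <btrotter@example-healthcare.com>",
        "Bo Trotter <btrotter@mmonroe.com>",            # the article's example
        '"Trotter, Bo" <bo.trotter1@gmail.example>',    # reordered name, webmail
        "Vendor Support <billing@vendor.example>",
    ]
    for header, verdict in triage(samples):
        print(f"{verdict:14s} {header}")
```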

Many in the industry believe a cyber security attack is not a matter of if, but when, with potentially devastating effects.  However, because of MSN’s quick identification of and response to the Ryuk attack, only one day’s worth of work was lost, which was easily recreated.  Even more importantly, no PHI was compromised.


Barbara Rubel MBA, FRBMA
Senior Vice President, Marketing & Client Services

Barbara has been a leader with MSN Client Services since 1998. Her extensive background in strategic planning, market research, healthcare marketing and managed care negotiations provides a wealth of information to support MSN Clients.

Barbara has also been highly involved in industry organizations, serving as President of the Radiology Business Management Association (RBMA), the Georgia RBMA, and the Florida RBMA. In addition, she chaired the influential RBMA Federal Affairs Committee and the RBMA Technology Task force and was a member of the RBMA Data Committee. Her work on behalf of radiology has earned her the RBMA Special Recognition Award (2010), the RBMA Global Achievement Award (2013), and she is a Fellow of the RBMA.