The ransomware epidemic: What fire chiefs need to know

By Ryan Stark, FireRescue1 Contributor

The ransomware epidemic is spreading as we enter the latter half of 2017 and it shows no signs of stopping. International attacks are locking down the computer systems of thousands of companies, including first responders [1].

The health care industry is the most targeted, and first responders and their vendors are at a high risk for a ransomware attack [2]. Why?

  • Infrastructure. Many providers are still running on insecure, antiquated and sometimes unsupported systems that are very easy to hack.
  • Resources. The industry continues to lag behind other sectors in the amount of resources and training devoted to data security.
  • Valuable data. Providers and their vendors also hold critical data, such as employee records, social security numbers, member ID numbers and sensitive health information. Hackers know you need to access this data. They also know that medical information is worth much more than a credit card number on the black market today.

What is ransomware and how does it work?

Ransomware is a type of malware (malicious software) that denies access to data by encrypting it and then demanding a ransom to get a key to unlock the data.

Ransomware can infiltrate your system in several ways. A user can unintentionally download malware by opening a malicious email attachment or visiting a malicious website. Once downloaded into your system, ransomware begins locking down (encrypting) your files so that you cannot access them.

After a critical amount of information is encrypted, the malware phones home to tell the hacker to make a ransom demand. Then, the infected party receives a message – pay up or lose access to your encrypted data, forever. Typically, the ransomware directs the user to pay the ransom in a cryptocurrency, such as Bitcoin, to receive a decryption key.

Telltale signs that you’ve been infected with ransomware

Agencies are typically alerted to ransomware only after it has encrypted the data and alerted the user to its presence by demanding payment. But, there are some early indicators of a ransomware attack, including:

  • An employee realizes that a link that was clicked on, a file attachment opened or a website visited may have been malicious. For example, the user might have been unable to close a window or an attachment prompted another action on the computer.
  • An unexplained increase in CPU and disk activity on a computer. For example, the modified dates listed on files and folders change rapidly as the ransomware searches for, encrypts and removes data files.
  • An employee is unable to find or access certain files. Ransomware can encrypt, delete, rename and/or relocate data.
  • IT personnel detect suspicious network communications between the ransomware and the attackers’ command and control servers, most likely through an intrusion detection system or similar solution.
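Two of the indicators above (modified dates on many files changing within seconds, and files being renamed to a new extension) can be checked mechanically against a file-server audit log or endpoint-agent feed. The script below is an added example written for this article; it is not FireRescue1 code or a vendor product. It assumes a simple event record (timestamp, host, path, action, new extension) and illustrative thresholds, and it also shows a byte-entropy check, since encrypted file contents look close to random while documents do not. The sample events and content are constructed inline so the example runs offline.

```python
"""Flag the burst of file changes and high-entropy contents that a ransomware
run leaves behind. Constructed example; event fields and thresholds are
assumptions, not a standard log format."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float          # seconds since epoch
    host: str
    path: str
    action: str        # "write" or "rename"
    new_ext: str = ""  # extension after a rename, empty for plain writes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, high: float = 7.0) -> bool:
    """Entropy above `high` bits/byte is a strong hint the file was encrypted."""
    return shannon_entropy(data) >= high


def find_change_bursts(events, window=10.0, threshold=25):
    """Return {host: (window_start_ts, count, {new_ext: n})} for every host
    that modified or renamed at least `threshold` files inside any `window`
    seconds. Sliding window over the host's events sorted by time."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                exts = Counter(e.new_ext for e in evs[start:end + 1] if e.new_ext)
                prev = alerts.get(host)
                if prev is None or count > prev[1]:   # keep the worst window
                    alerts[host] = (evs[start].ts, count, dict(exts))
    return alerts


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext so the example runs offline."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample data (not real logs).
# ws-07: a user editing five run reports over five minutes (normal).
# ws-12: sixty files renamed to ".locked" within six seconds (suspicious).
SAMPLE_EVENTS = [
    FileEvent(1000.0 + i * 60, "ws-07", f"/share/reports/run{i}.docx", "write")
    for i in range(5)
] + [
    FileEvent(1000.0 + i * 0.1, "ws-12", f"/share/patients/rec{i}.pdf",
              "rename", ".locked")
    for i in range(60)
]
PLAIN_SAMPLE = (b"Incident report: Engine 3 responded to a structure fire on "
                b"Main Street; no injuries reported. ") * 40
ENCRYPTED_SAMPLE = _pseudo_random(4096)


if __name__ == "__main__":
    for host, (ts, count, exts) in find_change_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} file changes in one window "
              f"starting at t={ts:.1f}, new extensions {exts}")
    for name, blob in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(f"{name}: entropy {shannon_entropy(blob):.2f} bits/byte, "
              f"looks_encrypted={looks_encrypted(blob)}")
```

In practice the events would come from your file server's audit log or endpoint agent, and the thresholds should be tuned against a week of normal activity so that legitimate batch jobs (backup software, document conversions) do not trip the burst rule; the entropy check helps separate those from encryption.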

What should you do if you discover ransomware?

  • Isolate the infected computer systems to halt propagation of the attack. This action may include disconnecting the workstation, server or other machine from the internet and the company’s network.
  • Determine the scope of the incident to identify what networks, systems or applications are affected.
  • Determine the origin of the incident (who/what/where/when) by scanning machines with anti-malware software.
  • Determine whether the incident is finished, is ongoing or has propagated additional incidents.
  • Investigate how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).
  • Recover from the ransomware attack by restoring data lost during the attack and returning to business-as-usual operations.
  • Conduct post-incident activities, which could include a deeper analysis of the incident.

Your ransomware defense checklist

1. Conduct ongoing staff awareness activities and training on how to spot and report ransomware

2. Maintain updated firewalls and antivirus protection with intrusion detection/prevention

3. Employ email spam filters that block known malicious attachments

4. Configure Microsoft Office to disable automatic running of macros

5. Only grant access to data based on business need

6. Patch and update systems as soon as updates are available

7. Back up, back up, back up – back up frequently and keep backups segregated from the network

8. Periodically test your backups

9. Segment networks to reduce spread of infection

10. Consider getting insurance to cover the cost of ransomware attacks

References
1. Ng, Alfred (2017, June 28). The global ransomware epidemic is just getting started. Retrieved from https://www.cnet.com/news/petya-goldeneye-wannacry-ransomware-global-epidemic-just-started/

2. Institute for Critical Infrastructure Technology (2016). Hacking healthcare IT in 2016: Lessons the healthcare industry can learn from the OPM breach. Retrieved from http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-2016.pdf

About the author
For over 15 years, Page, Wolfberg & Wirth has been the nation’s leading EMS industry law firm. PWW attorneys and consultants have decades of hands-on experience providing EMS, managing ambulance services and advising public, private and nonprofit clients across the U.S.

PWW helps EMS agencies with reimbursement, compliance, HR, privacy and business issues, and provides training on documentation, liability, leadership, reimbursement and more. Visit the firm’s website at www.pwwemslaw.com, call 877-EMS-LAW1 (717-691-0100) to talk to any of our attorneys and consultants or email Karen Kreider kkreider@pwwemslaw.com if interested in onsite compliance or documentation training.

PWW’s Ambulance Compliance Program Tool Kit is specifically designed to deal with the new overpayment refund rules with model forms and policies, a model compliance plan, code of conduct, and compliance training program.
