Jon Tomes
You may think that I am going overboard with all my recent blogs about ransomware. But I’m not. It is that much of a problem. The Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”), and the Department of Health and Human Services (“HHS”) have each issued an advisory warning about increased ransomware activity targeting the health care and public health sectors.
The warning is about the Ryuk and BazarLoader ransomware that is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is capable of mail exfiltration, cryptomining, and data exfiltration from point-of-sale systems and acts as a downloader of other malware variants, including the Ryuk ransomware. Using readily available hacking tools, ransomware gangs can identify and shut down security applications to prevent detection of the ransomware and may even manually remove certain security applications that would otherwise stop the ransomware from executing. Attempts are also made to delete backup files and Volume Shadow Copies to prevent victims from recovering their files without paying the ransom. The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files. For a more complete explanation of this malware, go to the advisory at https://us-cert.cisa.gov/ncas/alerts/aa20-302a.
These government agencies have issued this warning based on credible information of an increased and imminent threat of ransomware to U.S. hospitals and public health systems in the hope that they will take reasonable and timely precautions against this serious threat. They view this threat as more serious because of the COVID-19 pandemic’s effects on the health care IT infrastructure.
These agencies encourage threatened organizations to maintain business continuity plans—that is, the practice of executing essential functions through emergencies, such as cyberattacks—to minimize service interruptions. In addition, see the CISA and MS-ISAC’s Joint Ransomware Guide at https://www.cisa.gov/publication/ransomware-guide.
Please use the following Sample Ransomware Prevention and Response Procedure, and please stay safe out there:
Ransomware Prevention and Response Procedure
Introduction
[Name of organization] has adopted this Ransomware Prevention and Response Procedure to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (hereinafter “HIPAA”); the Department of Health and Human Services (“DHHS”) security and privacy regulations; and the Joint Commission on Accreditation of Healthcare Organizations accreditation standards, as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. In addition, this Ransomeware Prevention and Response Procedure will assist [name of organization] in fulfilling its obligation under the DHHS privacy regulations to mitigate damages caused by breach of individual privacy. All personnel of [name of organization] must comply with this policy. Familiarity with the policy and demonstrated competence in the requirements of the policy are an important part of every [name of organization] workforce member’s responsibilities.
Assumptions
This Ransomware Prevention and Response Procedure is based on the following assumptions:
• Breaches of security, confidentiality, or [name of organization]’s policies and procedures may occur despite security and confidentiality protections.
• Prevention of security incidents and breaches is essential to protect individually identifiable health information.
• If, notwithstanding security measures, incidents and breaches occur, early detection and response to such breaches are critical to stop any such breach, correct the problem, and mitigate any harm.
• Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. It most commonly either encrypts files or locks down the system.
• Most ransomware attacks involve infected email. Once the data user has opened the email, the malware encrypts the user’s system and/or data.
• Health care organizations are prime targets for malware. In 2018, health care entities accounted for 34 percent of all malware attacks.
• Ransomware could result in severe harm to our patients, our operations, our finances, and intangible costs, such as loss of reputation, loss of consumer confidence, and regulatory sanctions.
• Ransomware payments often go towards promoting highly illegal and unethical conduct, such as people smuggling, sex trafficking, drug dealing, gun running, and organized crime.
• Malware attacks typically rely on a vulnerability in an operating systems, application, browser, or plugin.
• With proper preparation, the impact of a ransomware attack can be mitigated. Backing up data and key infrastructure are the first steps to ensuring that data users can continue operating and recover from a ransomware attack.
• Backing up data on the system likely will be ineffective because ransomware often seeks out all data on the system.
• Cloud-based backups, while essential, can make restoration a slow and painful process. Hybrid backups―that is, combining a local cache with a cloud-based backup―make restoration faster and less painful. Recovering large files from the Internet may take a long time. Restoring 150 GB of lost data, such as in voluminous paper records, would, for example, take a whole working day,
• Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
• All personnel must know how to respond to ransomware attacks.
Policy
This Ransomware Prevention and Response Procedure policy is intended to implement reasonable and appropriate security measures to prevent ransomware attacks and, if prevention fails, to appropriately respond to them to regain control of our system and access its data expeditiously.
Responsibility
The [security officer][office manager][other] is responsible for implementing this Ransomware Prevention and Response Procedure policy.
All workforce members with access to health information must comply with this Ransomware Prevention and Response Procedure policy protecting the security and confidentiality of health information from ransomware attacks as specified below.
Prevention of Malware Infection and Response Procedure Policy
The [security officer][office manager][other] will employ a data backup and recovery plan for all critical information in accordance with the [name of organization] Backup and Disaster Plan. The [security officer][office manager][other] will perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Because network-connected backups can also be affected by ransomware, critical backups must be isolated from the network for optimum protection.
Malware protection must include hybrid backup with both local and cloud-based backup.
The [security officer][office manager][other] will keep our operating system and software up-to-date with the latest patches. Ensuring vulnerable applications and operating systems are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
The [security officer][office manager][other] will maintain up-to-date antivirus software, and scan all software downloaded from the internet prior to executing.
The [security officer][office manager][other] will restrict users’ ability (permissions) to install and run unwanted software applications and apply the principle of “Least Privilege” to all systems and services in accordance with [name of organization]’s access policies.
The [security officer][office manager][other] will implement reasonable and appropriate security measures to ensure that staff avoids enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine.
The [security officer][office manager][other] will implement reasonable and appropriate security measures to ensure that workforce members do not follow unsolicited web links in emails.
Detection of Ransomware Policy
Often a message pops up telling you that a ransomware attack has happened. Your web browser or desktop is locked with a message about how to pay to unlock your system and/or your file directories contain a “ransom note” file that is usually a .txt file. All of your files have a new file extension appended to the file names, such as as: .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted,
.locked, .crypto,_crypt, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky or 6-7 length extension consisting of random characters.
Responding to Ransomware Attacks
Data users who suspect a ransomware attack has infected your computer, immediately unplug your system (e.g. Ethernet cables) from the [name of organization] network and disable any other network adapters, such as wireless network interfaces. Next, data users should ensure that their system is fully disconnected from any [name of organization] networks and the internet to prevent the spread of the ransomware to shared network resources such as file shares. Data users should contact the [security officer] [other individual or resource] if they need assistance in disconnecting their system.
[OPTIONAL—to be decided by IT security specialist: [The data user will immediately take a photograph of the screen with his or her cell phone to provide to law enforcement or security specialists.]]
Data users will immediately report a suspected ransomware attack in accordance with [name of organization]’s [Report Policy][Report and Response Policy] with the following caution: do not report using the system but instead use out-of-system bands to avoiding spreading the malware. After any necessary immediate action and immediate report, the data user will fill out the Security Incident Report Form and submit it to the [security officer][office manager][other].
The [security officer][office manager][other] will report the malware attack to law enforcement and relevant insurance carriers.
The [security officer][office manager][other] will determine whether decryption tools, such as No More Ransom! (https://www.nomoreransom.org/), can be used to decrypt the files.
The default (preferred) policy is not to pay the ransom because the hacker may not decrypt the files until a second ransom is paid or not at all or decrypt only part of the files. The decision must, however, be made on a case-by-case basis considering the ability to decrypt the files and restore the system, patient health and safety, the amount of the ransom, and any other relevant factors.
Enforcement
All workforce members of [name of organization] must adhere to this policy, and all supervisors are responsible for enforcing this policy. [Name of organization] will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with [name of organization]’s medical information sanction policy and personnel rules and regulations.
_________________________________ ______________________________
Signature of Workforce Member Date
_________________________________ ______________________________
Title of Workforce Member Printed Name of Workforce Member
_________________________________ ______________________________
Signature of Witness Printed Name of Witness
