A string of ransomware attacks revealed today in the United Kingdom have quickly spread to global scale, impacting dozens of countries around the world and disrupting systems critical to hospitals, telecommunications, and corporations in the process.
The ransomware variant known as WannaCry exploits a flaw in Microsoft software that was described in leaked NSA files and is reported to be the work of a criminal group called Shadow Brokers. The ransomware is spread through a phishing attack, which involves tricking email recipients into installing malicious software that encrypts the system so that the user loses access. The user is then prompted to provide a ransom in order to have their system restored.
As a result of these attacks, UK hospitals are reporting closures of entire wards and having to turn away patients, FedEx reported interference in a statement to NBC News, and telecommunications giant Telefonica is confirmed to be a victim of this attack.
The Department of Health and Human Services’ (HHS) Critical Infrastructure Protection Lead Laura Wolf issued the following letter today regarding the attack:
Dear HPH Sector Colleagues,
HHS is aware of a significant cyber security issue in the UK and other international locations affecting hospitals and healthcare information systems. We are also aware that there is evidence of this attack occurring inside the United States. We are working with our partners across government and in the private sector to develop a better understanding of the threat and to provide additional information on measures to protect your systems. We advise that you continue to exercise cyber security best practices – particularly with respect to email.
Critical Infrastructure Protection Lead
Avoiding the WannaCry Attack
First, make sure your Microsoft products are up to date with the most recent patches at all times. Here is a link to the critical patch for this exploit. This malware exploits a known Microsoft software flaw made public in a recent leak of classified NSA information. Microsoft issued a critical security update in March, but if you haven’t implemented this update you are vulnerable to these attacks.
Below are measures a system administrator should take to protect against attacks such as these, and as general best practices for strong security posture:
- Regularly take full snapshots of your data and store them offline. If your data is ransomed you will at least be able to go back to a pre-infection copy instead of starting from scratch.
- Be very aggressive with your email monitoring. Do not accept mail from blacklisted servers, or servers not conforming to best practices.
- Regularly educate and test users to make sure they are on guard.
- Practice the principle of least privilege with user account access. An infected user can only damage files his or her computer can reach.
Detecting phishing attacks is matter of educating your employees and continued trainings to reinforce good habits. Learn to recognize the signs of a fraudulent email–this article from the US Securities and Exchange Commission has a list of what to look for and protective measures you can take when something looks “Phishy.” Additionally, it is critical to ensure protections are applied universally by everyone at your organization–one weak link (or one employee who missed training on phishing attacks and didn’t notice a critical software update) leaves a vulnerability in your armor.
Compliance in the Event of a Ransomware Attack
Should you find yourself victim of a ransomware attack, the HHS Office for Civil Rights (OCR) updated their guidance on ransomware last year to directly address the question of whether a ransomware incident is a reportable breach.
RECENT BLOG POST:
Remaining Compliant with OCR's Ransomware Guidance
This type of attack is typically monetarily motivated–the attacker is primarily looking to receive a ransom, and the data may not have been exfiltrated or accessed. When it comes to assessing a ransomware attack as an incident which may require notification, however, one must consider:
- The risk of the data being unavailable for use
- If the data can be easily recovered from backup
- If there is a low probability that the PHI has been compromised.
Under this guidance, part of demonstrating “there is a low probability that the PHI has been compromised,” means entities must consider risk factors such as the high risk of unavailability of the data, or high risk to the integrity of data. Remaining compliant with OCR’s guidance requires that HIPAA-regulated entities - both covered entities and business associates alike - perform a risk assessment and maintain documentation that established a low probability of compromise in order to meet their burden of proof.
For RADAR customers, assessing a ransomware attack is built into the RADAR platform. Risk factor options allow you to profile and assess a ransomware incident in accordance to OCR’s Guidance.
- Remaining Compliant with OCR's Ransomware Guidance by RADAR CEO Mahmood Sher-Jan
- What is Ransomware and How can I Protect Myself? by Paul Wagenseil
- Avast Report: Ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50k attacks so far today.
- How to successfully implement the principle of least permission from Tech Republic
- “Phishing” Fraud: How to Avoid Getting Fried by Phony Phisherman from the US Securities and Exchange Commission
- View a global map of the WannaCry attack from independent security researcher MalwareTech