Ransomware Revisited

What we have been observing since our first report is that ransomware and malware tools are rapidly evolving to trick users into installing it onto their computers. And attacks are becoming increasingly sophisticated. For example,

• If you are scanning your email for possible “phishing” attempts to get you to download malware, be aware that no matter how carefully you examine the embedded link, it can be almost impossible identify malware websites based on the URL.
• It used to be thought that PDF documents were safe. No longer. A new ransomware variant has emerged that will embed itself inside a PDF document.
• Some variants that are emerging will also leak your data if you don’t pay the ransom. Will keeping your patient files on a server outside the clinic help prevent this? Perhaps, but remember that for network efficiency reasons temporary files are frequently generated on local computers every time files are downloaded and reports are printed, all of which may contain confidential data.

Since our last “best practices” post was published, we have noticed it seems a number of clinicians and even some IT technical support staff have mistaken ideas about the threat of ransomware in medical and dental clinics. Here are some examples.

“I don’t keep my electronic medical records (EMR) data on my Windows laptop. It is stored on a Linux server, so if ransomware hits my computer, it won’t be affected”. Simple answer, no, that’s not correct.

• Linux systems are not immune to ransomware. And more and more cross-platform threats are appearing, due to multi-platform frameworks that are available nowadays under Linux. Frameworks such as Adobe Flash and Reader, Java, JavaScript, Perl, PHP, Python, Ruby, etc.
• In addition to mapped network drives which are always at risk, Microsoft Active Directory is now being used by some ransomware for reconnaissance and to spread across an entire network, encrypting files on every server and computer.
• There is nothing to prevent other malware to be installed along with ransomware that could exploit vulnerabilities on any system.

“If ransomware hits my computer, I have other computers that I can use until I get my laptop back”. Don’t depend on this. Some types of ransomware can propagate across a network. And besides, if your clinic is unfortunate enough to experience it, you will be immediately affected, without warning. Do you really want to have to deal with this problem when you have a waiting room full of patients?

“If I am hit with ransomware, I’ll simply recover my data from backups” We agree, backups are essential to recover from an attack. But only if backups are done right.

• Any information you have entered that has been encrypted by ransomware since the last backup may not be recoverable.
• We have seen cases where perfectly good backups have been overwritten with later scheduled backups where dormant malware will simply reinfect the computer when it is restored.
• If the backup is located on a shared drive that a user can access with a network-connected computer, ransomware can encrypt those backups, too.

“If ransomware strikes, I’ll pay the ransom to get my files back.” That, of course, is your decision, and with respect to some forms of ransomware, the FBI has actually recommended this. But just know that:

• There are known variants of ransomware that will encrypt your data, but the ‘unlock’ key you receive after paying the ransom may not actually unlock it. In the case cited, involving a hospital, the extortionist tried asking for more money.
• Attendees at an RSA cybersecurity conference in February learned that 31% of victims have been hit multiple times, and 25% did not get their data back, even after they paid the ransom.
• Even if you pay the ransom, this doesn’t necessarily resolve the risk of personal health information having been disclosed. It should be treated as a potentially serious privacy breach.

The impact: Ransomware may do more than just lock you out from using your laptop or desktop computer. Once it gets a foothold in your clinic, it can be difficult and costly to eradicate. The threat to clinic business continuity and protecting patient personal health information is considerable. Understanding the specific risks your clinic may have at this time is a vital first step towards taking proactive measures to mitigate them and ensuring you have well-tested procedures to quickly recover if needed.

The bottom line: Please take the threat of ransomware in your clinic seriously. Make sure you have tested, proactive measures in place to mitigate risks before ransomware hits.

If you need help, contact us.