Thursday, April 7, 2016

U.S., Canada Issue Joint Alert On 'Ransomware' After Hospital Attacks

The United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), released this Alert on March 31, 2016, to provide further information on ransomware: its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate it.

DHS defines ransomware as “a type of malware that infects computer systems, restricting users’ access to the infected systems. Ransomware variants have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert. Typically, these alerts state that the user’s systems have been locked or that the user’s files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin.”

The Alert comes in response to an increasing number of ransomware attacks on the systems of healthcare organizations. In the past month, five organizations have reported being hit by computer viruses.

Targets so far include various Prime Healthcare Services hospitals, Hollywood Presbyterian Medical Center, King's Daughters' Health Hospital, and the MedStar Health system.

A spike in ransomware use by hackers goes back to 2012, when such attacks brought the hackers estimated profits of $33,000 a day.

That has led to a proliferation of ransomware variants, said the statement from the United States Computer Emergency Readiness Team (US-CERT) and the Canadian Cyber Incident Response Centre.

Some variants of ransomware encrypt not just the files on the infected device but also the contents of shared or networked drives, according to US-CERT/CCIRC. These variants render the users' files useless until criminals receive a ransom.

One variant, called Locky, has infected computers belonging to healthcare facilities and hospitals in the U.S., Germany and New Zealand, the cybersecurity organizations warned.

It propagates through spam e-mails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip).
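The delivery path described above can be screened at a mail gateway by looking at what each attachment actually contains rather than what it is named. The following is an added example, not code from the Alert or the original article: it classifies attachments by file signature so that Office documents and .zip/.rar archives are recognized even when renamed. The class labels, the sample message, and the choice to flag an embedded VBA project are assumptions of this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
RAR = b"Rar!\x1a\x07"                      # prefix shared by RAR 4.x and 5.x
ZIP = b"PK\x03\x04"                        # ZIP local file header

def classify(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the declared file name."""
    if data.startswith(OLE2):
        return "office-legacy"
    if data.startswith(RAR):
        return "archive-rar"
    if data.startswith(ZIP):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "archive-zip-malformed"
        if "[Content_Types].xml" in names:  # OOXML package (.docx, .docm, ...)
            macro = any(n.endswith("vbaProject.bin") for n in names)  # assumption: flag VBA
            return "office-ooxml-macro" if macro else "office-ooxml"
        return "archive-zip"
    return "other"

def triage(raw: bytes) -> list[tuple[str, str]]:
    msg = message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "", classify(p.get_payload(decode=True) or b""))
            for p in msg.iter_attachments()]

def _zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()

def sample_message() -> bytes:  # constructed sample, contains no real malware
    msg = EmailMessage()
    msg.set_content("See attached.")
    files = {"invoice.pdf": _zip({"invoice.txt": b"x"}),  # ZIP behind a .pdf name
             "report.docm": _zip({"[Content_Types].xml": b"<Types/>",
                                  "word/vbaProject.bin": b"\x00"}),
             "scan.doc": OLE2 + b"\x00" * 16, "notes.txt": b"hello"}
    for name, data in files.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `triage(sample_message())` shows the `.pdf`-named attachment reported as a ZIP archive, which is the mismatch a gateway rule would quarantine or route for inspection.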

US-CERT recommends that users and administrators take some of the following preventive measures to protect their computer networks from ransomware infection.

· Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
· Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
· Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
· Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.

For more tips and suggestions, visit the official Alert (TA16-091A) here.

The original article by Joseph Conn can be found at the following address:
