Slide 1

Slide 1 text

RANSOMWARE and Healthcare: There is more risk than just money

Slide 2

Slide 2 text

Content
• What is ransomware
• History
• Ransomware in Healthcare
• Prevention
• Future Trends

Slide 3

Slide 3 text

What is ransomware

Slide 4

Slide 4 text

Ransomware History

The first known ransomware was "AIDS" (also known as "PC Cyborg"), written in 1989 by Joseph Popp. Its payload hid the files on the hard drive and encrypted their names, and displayed a message claiming that the user's license to use a certain piece of software had expired. The user was asked to pay US$189 to "PC Cyborg Corporation" in order to obtain a repair tool. Popp was declared mentally unfit to stand trial for his actions, but he promised to donate the profits from the malware to fund AIDS research.

The AIDS Trojan was ineffective due to its use of symmetric cryptography, since the decryption key can be extracted from its code.

Slide 5

Slide 5 text

Ransomware History

By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes, with ever-increasing key sizes. Gpcode.AG, which was detected in June 2006, was encrypted with a 660-bit RSA public key.[28] In June 2008, a variant known as Gpcode.AK was detected. It used a 1024-bit RSA key, which was believed large enough to be computationally infeasible to break without a concerted distributed effort.

Slide 6

Slide 6 text

Ransomware History

Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker—using the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users. The CryptoLocker technique was widely copied in the months following, including CryptoLocker.

Slide 7

Slide 7 text

Ransomware History
• Q1 2016 – 300 %
• 362,000 variants
• 1000 variants per day
• 4000 attacks per day
• $325 million USD

Slide 8

Slide 8 text

Anatomy of ransomware

Slide 9

Slide 9 text

Delivery Methods
1. 93% of phishing emails now deliver ransomware (Macros, JavaScripts)
2. Drive-by downloads - Exploit Kits (Angler, Neutrino, Magnitude, Rig, etc.)
3. Vulnerabilities (Flash, Java)
4. Social Networks
5. USB Stick
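As an added example (not part of the original presentation), here is a mail-gateway style check for the attachment types named in delivery method 1: script files and macro-carrying Office documents, including ones nested inside zip archives. The extension lists, the depth and size limits, and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
# Assumed gateway policy lists; tune to local needs.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".wsf", ".hta"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container

def classify(name, data, depth=0):
    """Return reasons to quarantine one attachment (recurses into archives)."""
    name = (name or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    reasons = []
    if ext in SCRIPT_EXT:
        reasons.append(f"script attachment: {name}")
    if ext in MACRO_EXT:
        reasons.append(f"macro-enabled extension: {name}")
    if data.startswith(OLE_MAGIC):
        reasons.append(f"legacy OLE document, may carry macros: {name}")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner = info.filename.lower()
                if info.flag_bits & 0x1:  # encrypted member cannot be inspected
                    reasons.append(f"encrypted archive member: {inner}")
                elif inner.endswith("vbaproject.bin"):  # macros in an OOXML file
                    reasons.append(f"VBA project inside {name}")
                elif depth < 2 and info.file_size < 5_000_000:  # bound recursion
                    reasons += classify(inner, zf.read(info), depth + 1)
    return reasons

def scan_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # every named leaf part, however deeply nested
        if not part.is_multipart() and part.get_filename():
            findings += classify(part.get_filename(), part.get_payload(decode=True) or b"")
    return findings

def build_sample():
    """Constructed message: a zip attachment holding a placeholder .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// harmless placeholder")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags the script hidden inside the archive even though the attachment itself is named `invoice.zip`.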

Slide 10

Slide 10 text

Industries Affected

Slide 11

Slide 11 text

Ransomware in Health

Slide 12

Slide 12 text

Why hospitals are perfect targets?
1. Doctors are gods and don’t let anybody tell them what to do
2. If you have patients, you are going to panic way quicker than if you are selling sheet metal.
3. Have not trained their employees enough on security awareness
4. Don’t focus on cybersecurity in general; the primary concern is HIPAA compliance
5. Have often paid ransom to retrieve vital patient data quickly

Slide 13

Slide 13 text

Potential impact of ransomware
1. No email
2. No access to patient records
3. Lab work disrupted
4. Pharmacy disrupted
5. No CT scans
6. Ambulances and patients turned away and sent to other hospitals
7. Monitoring PCs impacted
8. Potential public relations controversy
9. No access to medical test results

Slide 14

Slide 14 text

Examples (2016-2015)
1. Medstar Union Memorial Hospital in Baltimore
2. Methodist Hospital in Henderson, Kentucky (17,000 USD)
3. 3 hospitals operated by Prime Healthcare Management, Inc. were forced to shut down systems (Chino Valley, Desert Valley and Alvarado Medical Center)
4. Hollywood Presbyterian Medical Center (10 days of downtime, 3,000,000 USD - 17,000 USD)
5. Kansas Heart Hospital (paid ransom, only got partial access)
6. Ottawa Hospital
7. Christopher Rural Health in Illinois
8. Titus Regional Medical Center, Texas
9. Lukas Hospital, Germany
10. Premera Blue Cross, Multiple locations
11. King’s Daughters Health, Southwest Indiana

Slide 15

Slide 15 text

Hollywood Presbyterian Hospital
• 10 days of downtime
• Average cost of an incident: $7,900 USD a minute (over $113 million USD)
• Est. downtime from loss of CT scans alone: $1,000,000 USD
• Cost of ransom: $17,000
• Manual tasks required double time for physicians to perform
• Hidden costs

Slide 16

Slide 16 text

Case In Point
• Possibly paid ransom
• Legal costs
• Notification costs
• Restoring impacted assets costs
• Internal/external communications costs
• Overtime costs for IT personnel
• Damage to reputation and brand
• Regulatory penalties and fines
• Increased compliance and audit costs
• Lost trust from patients

Sources: Intel Security analysis; Ponemon Institute’s Cost of Data Breach study; Modern Healthcare’s annual Hospital Systems Survey.

Slide 17

Slide 17 text

Still Reportable Under HIPAA?

Yes, you do have to report a ransomware attack on your healthcare organization to the HHS, since the data was still accessed by unauthorized individuals.

Slide 18

Slide 18 text

Shit hits the fan…
1. Isolate the infected machine
2. Alert law enforcement (FBI, IC3, Canadian Anti-Fraud Centre)
3. DON’T PAY THE RANSOM!!!!
4. https://www.nomoreransom.org/
5. Reimage
6. Restore
7. Pray
8. Documented Incident Analysis and Response

Slide 19

Slide 19 text

An ounce of prevention is worth a pound of cure
1. Awareness, Awareness, Awareness
2. Backups
3. Security Software
4. Patch Management
5. Network Segmentation
6. Identity and Access Management
7. Disaster Recovery Plan
8. Policies and procedures
9. http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

Slide 20

Slide 20 text

Future Trends – it's all about the money
• It’s not a malware problem, it’s a criminal business: digital currencies and dark web
• Higher ransoms, shorter times (Cryptoworm demands $1,000,000 USD within 8 hours)
• Better delivery, higher returns
• Getting personal – exposing data
• Ransomware as a service – business-like operations
• Mobile Devices, IoT, Smart Houses, cars

Slide 21

Slide 21 text

Questions

Slide 22

Slide 22 text

Thank You
Eduard Gershfang
514-943-6106
www.linkedin.com