15 Jan 2020
The recent flurry of ransomware attacks strikes again: at Premier Family Medical, a Utah clinic, a particular strain of ransomware has put 320,000 patients in jeopardy, which makes it one of the largest ransomware-induced breaches of 2019. The clinic reported that on July 8, the attack rendered it unable to access data on certain internal systems. As soon as the outage was noticed, it was reported to law enforcement, and the clinic’s technical consultants were dispatched to investigate and regain control. As of yet, no patient information appears to have been accessed or stolen. Nevertheless, Premier’s patients have been notified that their data may have been exposed, and the clinic is working to improve its system-wide security to prevent such an incident from occurring again. A Premier spokesman revealed that the attack used Ryuk ransomware, and that while the clinic dealt with the breach, staff briefly returned to paper records to continue operating. As a result, they were able to provide care without interruption despite the broad scope of the attack.
Dangerous Negotiations
The spokesperson declined to comment on whether Premier had paid the ransom to regain access to its data, but if it did, it would not be the first organization to default to that “solution.” In a ransomware attack, important data is exposed and encrypted by attackers, who demand a ransom in exchange for decrypting it. But paying the ransom isn’t as simple as it sounds. For one, folding to the attackers’ demands may encourage more ransomware attacks in the future. It also raises the important point that threat groups monitor each other: if they notice that one particular payload (a certain ransomware program) is more effective, they are more likely to switch to it. There is also the far more malicious possibility that once the ransom is paid, the data is not decrypted at all. There are recorded cases in which the attackers raised the ransom as soon as the organization paid, positioning themselves to extort an even larger sum.
Prevention Pays Off
Cybercrime strategies evolve every day, but the cybersecurity industry rises to meet them. While it’s good to be prepared, the best form of prevention is stopping attacks before they start, and to do that you need to know your systems. Our Red Team Assessment addresses realistic vulnerabilities with realistic strategies and a time-tested, proven process that includes:
- Assess real-world threat vectors
- Circumvent security systems and controls
- Compromise perimeter/internal systems
- Establish persistent internal connections
- Gain network user account access
- Gain elevated privilege (admin) access
- Identify key systems and databases
- Establish backdoor access to key systems
- Capture sensitive data for validation