UK’s Healthcare Ransomware Attack Could Affect US: What You Need to Know

Editor’s Note: Updates are at the bottom as the story unfolds.  As the news spread of the WannaCrypt ransomware attack across Europe, the UK health system was brought to a near standstill when healthcare staff could no longer access patient records.  Suddenly, dosage for medications, prior history, and other significant health events were locked away — hospitals were turning away patients and guessing at treatment plans, the worst possible scenario in a modern healthcare system. We’ve also seen the hack called WannaCry and Wanna Decriptor. Overall, the attack hit 100 countries, the ransomware was delivered via email.  The software used a hacking tool known as “Eternal Blue,” originally developed by the NSA to exploit a vulnerability in Microsoft Windows Servers.  Microsoft has released a patch. If you’re in the U.S. and think you’re OK for now, you are wrong.  This morning Homeland Security and the Health and Human Services Department both issued warnings that healthcare system should immediately address any vulnerabilities in their system.  To be specific, Homeland wrote:

Ransomware spreads easily when it encounters unpatched or outdated software. The WannaCry ransomware may be exploiting a vulnerability in Server Message Block 1.0 (SMBv1). For information on how to mitigate this vulnerability, review the US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. Users and administrators are encouraged to review the US-CERT Alert TA16-091A to learn how to best protect against ransomware. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

What are the priorities for Ransomware?

We suggest the following steps to ensure your system is secure:

1. Make sure your system is up-to-date with any patches needed
2. Back up your system regularly to ensure you can restore data in case of an attack.  If you can preserve your data then the bad guys don’t have any leverage.
3. Send reminders to your staff to “NOT CLICK THE LINK” allowing an easy in to your system. You might even want to do a simulated phishing scam to identify staff who need further training.
4. Frequently, a ransomware virus is in your system for weeks or months before it is triggered, do a thorough scan of your system to ensure you are clean
5. Review your RDP protocols and tighten if you can (see below for a specific warning from HHS)
6. Have a crisis plan in place, including an off-system communication channel to ensure you can coordinate with the recovery team without the bad guys watching your every move
7. Your crisis plan should include contacting your local FBI Cycbersecurity Field Office so they can help during the recovery phase of the attack.  The FBI will have additional resources to catch the hackers as well as restore your systems.

RDP Ransomware Attacks

HHS also specifically warned about RDP Ransomware attacks, using remote desktop access to points to get into a system.  Below are their specifics for protection:

Recently, attackers have been scanning the Internet for Remote Desktop Protocol (RDP) servers open to the Internet.  Once connected, an attacker can try to guess passwords for users on the system, or look for backdoors giving them access.  Once in, it is just like they are logged onto the system from a monitor and keyboard.  To help protect yourself, be aware of the following: If you do not need RDP, disable the service on the computer.  There are several ways of doing this based on which version of Microsoft Windows you are using. If RDP is needed, only allow network access where needed.  Block other network connections using Access Control Lists or firewalls, and especially from any address on the Internet.

Communication During a Ransomware Attack

When the hackers are in your system, you have to avoid communications within your system to coordinate the recovery. You could literally be telling the bad guys what you’re doing next so they can thwart system restoration.  Many of our clients use our triple-encrypted military grade system for communications during recovery.  Our system is reliable and off-network so you can have private conversations.  To give you an example, when the sophisticated cyberattack group in North Korea hacked into Sony, they were not able to eavesdrop into the conversations of the recovery team which helped bring their networks up more quickly. The other assist Everbridge can give is IT alerting when your system is compromised. Early detection can mean mitigating the attack and keeping the worst damage from happening.  We take our jobs seriously, if we can help you in anyway, please call our customer support line or reach out to your account manager.  We pride ourselves on helping keep patients safe and hospitals running.

Updates

• May 14th: Europol is now saying the attack hit over 150 countries and over 100,000 different organizations
• May 14th: How a researcher and a security engineer inadvertently stopped the attack (for now)
• May 15th: The Kill switch has been removed, virus active again after hackers update the code
• May 15th:  U.S. healthcare institutions still face an increased threat of ransomware attack via HealthcareITNews

Additional Resources

You can stay on top of news and information of this attack here:

• www.us-cert.gov
• hsin.dhs.gov (NCCIC portal for those who have access. We are not posting anything to the HPH portal at this time)
• Indicators associated with WannaCry Ransomware
• White Paper:  Streamlining the Major Incident Resolution Process:  Design, Plan, Staff, and Communicate 
• White Paper:  Protecting Your Hospital from Ransomware
• Ransomware for Healthcare Infographic