Mining Data from Recent Ransomware Attacks


By Clyde Hewitt, Vice President of Security Strategy, CynergisTek

Ransomware attacks are on the rise, with healthcare as the primary target: the healthcare sector reported 45 percent of all ransomware attacks across industries (1). There is a general perception among healthcare executives that an above-average security posture will be enough to defend against the threat. In reality, ransomware attacks are equally successful against hospital systems with underfunded security programs and those with more mature security management teams. It is best to examine the common findings and fix the vulnerabilities now.

Limit the Attack Surfaces

In reviewing three recent ransomware events since June 2017, several similarities stand out. First, in all instances, the "index" machine, the first device to be infected with the malware carrying the ransomware, was used by a system administrator. It is logical to assume that reducing the number of individuals with administrator privileges to the minimum needed to perform the necessary operations would lower the probability of a successful attack. The exposure can be further reduced by requiring every administrator to have two accounts: one with administrator privileges that is prohibited or technically blocked from accessing mail, webmail, or external Internet sites while logged in, and a separate nonprivileged account used for email and the Internet. Second, implement mandatory multi- or two-factor authentication for every login, including those inside the trusted zone.

Another observation common to all three attacks is that TCP port 3389, used by the Remote Desktop Protocol (RDP), was listening on the attacked workstation. In two of the attacks, RDP was exposed directly to the Internet, making the attackers' job easy. In the third instance, RDP was reachable only from inside the firewall, which suggests that another machine inside the hospital's network (possibly a non-administrator's) was compromised first, after which the attacker found and pivoted to the administrator's account to run the malware.
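The two findings above, Internet-reachable RDP and administrator accounts being used for interactive logons and web or mail access, are both things a security team can check for in the logs it already collects. The script below is an added example, not code from the article or its author: it runs three simple audits over constructed, simplified firewall, Windows logon (event 4624) and web-proxy log samples. It assumes the hospital's internal address space is the RFC 1918 ranges and that privileged accounts are distinguished by an "-adm" suffix; both are assumptions for illustration, and the log line formats are constructed for the example rather than taken from any real product.

```python
"""
Added example, not code from the article or its author: audit constructed
log samples for the two findings the article reports, RDP (TCP/3389)
reachable from the Internet and administrator accounts that are used for
interactive RDP logons or for e-mail and web browsing. All log formats and
values below are simplified, constructed samples.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the hospital's internal address space is the RFC 1918 ranges.
# Checked explicitly rather than via ip_address().is_private, because Python
# also classes the documentation ranges used in these samples as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: privileged accounts carry an "-adm" suffix under the
# two-account policy the article describes.
ADMIN_SUFFIX = "-adm"

# Constructed firewall log: "<action> <proto> <src>:<sport> -> <dst>:<dport>"
FIREWALL_LOG = """\
ALLOW TCP 203.0.113.45:51234 -> 10.20.30.40:3389
ALLOW TCP 10.20.30.7:50123 -> 10.20.30.40:3389
DENY  TCP 198.51.100.9:40001 -> 10.20.30.41:3389
ALLOW TCP 192.0.2.77:44444 -> 10.20.30.42:443
""".splitlines()

# Constructed Windows Security 4624 events: "4624 user=<name> type=<logon type> src=<ip>"
# Logon type 10 (RemoteInteractive) is an RDP session.
LOGON_LOG = """\
4624 user=jsmith-adm type=10 src=203.0.113.45
4624 user=jsmith type=2 src=-
4624 user=backup-adm type=10 src=10.20.30.7
4624 user=nurse01 type=10 src=10.20.30.9
""".splitlines()

# Constructed web-proxy log: "<user> <method> <url>"
PROXY_LOG = """\
jsmith-adm GET https://mail.example.net/owa/
jsmith GET https://mail.example.net/owa/
backup-adm GET https://vendor.example.org/kb
""".splitlines()

FW_RE = re.compile(r"^(ALLOW|DENY)\s+(TCP|UDP)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")
LOGON_RE = re.compile(r"^4624 user=(\S+) type=(\d+) src=(\S+)$")


def is_internal(ip):
    """True if the address falls inside the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_admin(user):
    """True for accounts named under the assumed privileged-account convention."""
    return user.endswith(ADMIN_SUFFIX)


def public_rdp_allows(lines):
    """(src, dst) pairs for permitted TCP/3389 sessions from outside the internal ranges."""
    hits = []
    for line in lines:
        m = FW_RE.match(line.strip())
        if not m:
            continue
        action, proto, src, _sport, dst, dport = m.groups()
        if action == "ALLOW" and proto == "TCP" and dport == "3389" and not is_internal(src):
            hits.append((src, dst))
    return hits


def admin_rdp_logons(lines):
    """Admin accounts with RemoteInteractive (type 10) logons, mapped to their source IPs."""
    out = defaultdict(list)
    for line in lines:
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        user, ltype, src = m.groups()
        if ltype == "10" and is_admin(user):
            out[user].append(src)
    return dict(out)


def admin_web_use(lines):
    """Admin accounts seen in the proxy log; under the two-account rule this should be empty."""
    users = set()
    for line in lines:
        parts = line.split()
        if parts and is_admin(parts[0]):
            users.add(parts[0])
    return sorted(users)


if __name__ == "__main__":
    print("RDP allowed from non-internal sources:", public_rdp_allows(FIREWALL_LOG))
    print("Admin accounts using RDP:", admin_rdp_logons(LOGON_LOG))
    print("Admin accounts browsing via proxy:", admin_web_use(PROXY_LOG))
```

On the sample data the first check flags the one RDP session permitted from a non-internal address, the second shows both privileged accounts being used for RDP (one of them from that same external address), and the third shows both privileged accounts reaching webmail or external sites through the proxy, which is exactly the behaviour the two-account policy is meant to eliminate. In practice the same three questions are worth asking of real firewall, domain controller and proxy logs on a schedule, not only after an incident.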

Rely on Your Tools, But Not at the Expense of Trained and Empowered Staff

In all three ransomware events, the malware carrying the encryption package was introduced into the network by exploiting zero-day vulnerabilities. We can assume that antivirus and next-generation firewall vendors will update their respective signatures soon after a zero-day attack succeeds, but the rapid pace at which new zero-day vulnerabilities appear means signature updates alone are not slowing the attacks.

In all three ransomware attacks, every vulnerable machine was encrypted in under one hour. In one instance, it was reported that the ransomware encrypted over 2,000 devices less than 15 minutes after the initial infection. It is therefore important to have SIEM and antivirus systems, but understand that they cannot fully protect the organization from every ransomware variant or delivery method. It is also critical to have a well-documented incident response process that grants the appropriate technicians authority to contain the spread immediately. Executives must learn to trust their third-shift IT technician with the authority to unilaterally shut down the health system's entire network if the situation requires it. This trust comes through clear procedures, extensive training, realistic exercises and a high level of support from senior management.

Strengthen Business Continuity Management and Disaster Recovery

Even with tools and training, ransomware can still strike. Therefore, business continuity management (BCM) and disaster recovery (DR) functions should receive more focus from executive-level oversight to ensure that healthcare can be provided without the EHR, biomedical equipment, laboratory, or even facility control systems. In addition, hospitals still need many non-clinical processes, including supply chain management, human resources (such as time keeping and payroll processing), vendor management and patient financial systems to track treatment and generate claims. Two of the hospital systems impacted by ransomware experienced cash shortages in excess of $50 million following the attack as claim payments dried up, an operational impact not anticipated prior to the attack.

For months after the attack, providers manually entered treatment records into the EHR in order to generate claims. This labor-intensive process required extensive unplanned staff hours, including overtime and other lost opportunities. The net effect is that, once all claims are filed and the additional labor cost is accounted for, the providers can expect a loss of several million dollars.

Incident Response

Providers need to perform a root cause analysis (RCA) and correct all deficiencies following an attack so that the ransomware doesn't strike again. An RCA should be exhaustive and not stop at identifying a single technology or process failure. In order to truly change the security posture, RCAs should identify management and process weaknesses as well. This should be done quickly: one non-healthcare organization did not identify and correct its vulnerabilities fast enough and became the victim of a second ransomware attack before it had remediated the impact of the first.

It is better to be twice learned rather than to be once burned.



  1. Beazley, 2018 Breach Briefing
