By James Maude, Avecto

A high-profile ransomware attack crippled the Hollywood Presbyterian Medical Center's network earlier this year, an incident that eventually resulted in the hospital paying hackers $17,000 in bitcoin to regain access to their systems.

This proved to be the tip of the iceberg, with more complex ransomware attacks challenging the industry's security. While ransomware is not a new form of malware, 2016 has set the bar for these types of threats, with many hackers now targeting hospitals and local governments more actively than ever.

These attacks have not only left many institutions vulnerable, but have resulted in hackers developing creative new business models, such as ransomware-as-a-service.

Criminals are targeting health institutions of all sizes and regions, searching far and wide for the weakest links. From Medstar, a Maryland-based health network of 10 hospitals, to hospitals in California, Kentucky and Canada, the attacks were far reaching and crippling.

Hospitals are not the only institutions being affected, with attacks surfacing on towns and cities. In Lansing, Mich., for example, an attack on the local water and electric utility led to a shutdown of several internal systems.

Why Is Ransomware Growing?

The sudden influx of ransomware such a Locky or CryptoLocker can be attributed to a few key factors.

First, hackers realize that while medical and government data may not be inherently financially valuable, access to this data is worth a tremendous amount to these institutions. In the past, hackers would profit by encrypting financial information; medical records, treatment plans, and city contracts are all immensely important, if not financially valuable.

Hospitals and local governments not only rely on access to this data, but are legally responsible for its integrity and security and face drastic consequences if access is removed. This has resulted in hackers using ransomware as an entirely new way of monetizing data; profiting from the access to the information, rather than the information itself.

Due to the non-financial aspect of this data, hospitals have often flown under the radar of hacking attempts, which has led to many organizations developing less stringent and comprehensive security protocols than other industries. Hackers have realized this and are exploiting this vulnerability to great effect - which is one reason behind such a large swathe of hospitals being affected in recent months.

While most employees know not to simply download attachments from strange emails, hackers have become adept at targeting and social engineering users into clicking links and opening attachments. With widespread access to data it only takes one user to click the link or open the document for the ransomware to take hold.

Attacker are also exploiting users' personal accounts such as Gmail and Facebook as a vector for infection, as nearly all employees check their accounts on company computers or Wi-Fi networks. Compromising mainstream websites and infecting them with malvertising is another vector to attack employees in hospitals, making security much more difficult to monitor.

Rise of Ransomware-as-a-Service

These factors have created a highly lucrative malware market and a new breed of malware: ransomware-as-a-service. Professional hackers are creating undetectable and complex malware, which are being distributed on a commission basis to other hackers around the world. This division of labor has enabled people to focus on creating incredibly complex and sophisticated malware that can bypass many forms of security, while drastically increasing global distribution.

The distributors using these ransomware platforms often specialize in social engineering and manipulating an audience. These criminals exploit human error or naiveté in order to infect vulnerable institutions - often based on extensive research from the target environment. For example, a nursing intern may receive a Facebook request from their supervisor, who then sends them a link to a website for suggested research. However, the ransomware distributor has instead used LinkedIn to find two staff members in the same team, and created a fake Facebook account in order to share an infected link.

Ransomware is especially nefarious as once infected, the only way to decrypt is to either pay the ransom or restore a recent backup. Most security vendors are unable to proactively defend against these strains, and instead advocate security education for employees or regular backups – an ineffective and risky method of security management.

3 Ways to Fight Ransomware

While many institutions rely on detection-based software, education and backups, the most effective way to defend against ransomware is to remove any possible attack vector. While many organizations see this as a daunting and nearly impossible task, there are three simple steps that any IT admin can implement in order to ensure maximum protection:

  • The removal of administrator privileges is the first, and one of the most easily implemented ways to block any sort of malware from accessing data. Malware often exploits admin rights to embed in the system or disable security controls – something that is impossible without administrator rights. This simple step is so effective, that our research shows that 85 percent of all critical Microsoft vulnerabilities can be completely mitigated by simply removing administrator privileges.
  • While many forms of network detection rely on blacklisting harmful applications, this can leave a system completely vulnerable to undiscovered or zero-day attacks. Instead, organizations should implement a whitelisting approach – automatically blocking or disabling any new installations or modifications of existing software, unless pre-approved. This strips the ability for ransomware and other malware to introduce malicious applications to the system.
  • Lastly, organizations should implement endpoint sandboxing (isolation) any time an employee accesses unknown or untrusted content, such as internet browsing and downloading email attachments. By isolating all of these interactions away from sensitive data, even if ransomware is able to bypass the first steps, it will be completely unable to access or encrypt any data outside of the self-contained session of that sandbox.

By removing potential attack vectors proactively without rely on detection, hackers can effectively throw as many new ransomware attacks against Avecto’s product suite as they like and won’t actually have any real attack vector to access data. Adopting a proactive defense in-depth strategy offers robust security that allows organizations to stay ahead of attacks.

As ransomware-as-a-service becomes more mainstream and detection becomes increasingly difficult, we can expect increasing sophistication and complexity in attacks. Removing any opportunity for ransomware to enter the network is the only proactive and true way to keep organizations safe.

James Maude is a senior security engineer at endpoint protection company Avecto.