Good day to all Global Team Members.

As part of this month’s Continuing Privacy and Security Training (“CPST”) and National Cybersecurity Awareness Month (“Cybersecurity Awareness Month”) the Compliance Team is reminding everyone of the frequency and danger of Ransomware and the techniques cybercriminals use to infect hardware (i.e., phishing attacks, email attachments, infected code).

 What is a Ransomware Attack?

Ransomware is a type of malware attack in which the attacker locks and encrypts the victim’s data, important files and then demands a payment to unlock and decrypt the data. This type of attack takes advantage of human, system, network, and software vulnerabilities to infect the victim’s device—which can be a desktop or laptop computer, printer, tablet, smartphone, wearable smartwatch, USB, or other data endpoint.

How Does Ransomware Work?

After a device is exposed to the malicious code, the ransomware attack proceeds as follows. Ransomware can remain dormant on a device until the device is at its most vulnerable, and only then execute an attack.

  1. Infection—Ransomware is covertly downloaded and installed on the device.
  2. Execution—Ransomware scans and maps locations for targeted file types, including locally stored files, and mapped and unmapped network-accessible systems. Some ransomware attacks also delete or encrypt any backup files and folders.
  1. Encryption—Ransomware performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data.
  1. User Notification—Ransomware adds instruction files detailing the pay-for-decryption process, then uses those files to display a ransom note to the user.
  1. Clean up—Ransomware usually terminates and deletes itself, leaving only the payment instruction files.
  1. Payment—Victim clicks a link in the payment instructions, which takes the victim to a web page with additional information on how to make the required ransom payment. Hidden code and other services are often used to hide these communications to avoid detection by network traffic monitoring.
  1. Decryption—After the victim pays the ransom, usually via the attacker’s Bitcoin address, the victim may receive the decryption key. However, there is no guarantee the decryption key will be delivered as promised.

Ransomware Distribution Techniques.

The device is infected when the victim clicks a link, visits a web page, or installs a file, application, or program that includes malicious code designed to covertly download and install the ransomware. This can happen in a variety of ways:

Distribution Techniques Description
Phishing email Clicking a link embedded in an email, which redirects to a malicious web page.
Email attachments Opening an email attachment and enabling malicious macros; or downloading a document embedded with a Remote Access Trojan (RAT); or downloading a ZIP file containing a malicious JavaScript or Windows Script Host (WSH) file.
Malvertising Clicking a legitimate advertising site seeded with malicious code.
Infected programs Installing an application or program containing malicious code.
Self-propagation Spreading the malicious code to other devices through network and USB drives.

 

Ransomware Protection for your Computer

Here are several best practices that can help us prevent and protect against Ransomware infections:

Endpoint Protection

Antivirus is an obvious first step in ransomware protection, but legacy antivirus tools can only protect against some ransomware variants.

Data Backup

eHealth Technologies regularly performs a data backup using versioning control and redundant locations of the backup data.

Patch Management

eHealth Technologies maintains all device operating system and installed applications up-to-date, and installs security patches. We also run vulnerability scans to identify known vulnerabilities and remediate them quickly.

Email Protection

eHealth Technologies trains its team members to recognize social engineering emails and phishing attacks. We use spam protection and endpoint protection technology to automatically block suspicious emails, and block malicious links. However, we need your help at the first instance to not end up clicking on them.

Ransomware Attack Examples

Below we list a few malware examples that made a global impact and caused widespread damage.

  1. WannaCry

WannaCry is an encrypting ransomware that exploits a vulnerability in the Windows SMB protocol, and has a self-propagation mechanism that lets it infect other machines. WannaCry is packaged as a dropper, a self-contained program that extracts the encryption/decryption application, files containing encryption keys, and the Tor communication program. It is not obfuscated and relatively easy to detect and remove. In 2017 WannaCry spread rapidly across 150 countries, affecting 230,000 computers and causing an estimated $4 billion in damages.

  1. Crypto locker

Crypto locker was released in 2017, and affected over 500,000 computers. It typically infects computers through email, file sharing sites, and unprotected downloads. It not only encrypts files on the local machine, but can also scan mapped network drives, and encrypt files it has permission to write to. New variants of Crypolocker are able to elude legacy antivirus software and firewalls.

  1. Cerber

Cerber is ransomware-as-a-service (RaaS), and is available for use by cybercriminals, who carry out attacks and spread their loot with the malware developer. Cerber runs silently while it is encrypting files, and may try to prevent antivirus and Windows security features from running, to prevent users from restoring the system. When it successfully encrypts files on the machine, it displays a ransom note on the desktop wallpaper.

  1. Locky

Locky is able to encrypt 160 file types, primarily files used by designers, engineers and testers. It was first released in 2016. It is primarily distributed by exploit kits or phishing—attackers send emails that encourage the user to open a Microsoft Office Word or Excel file with malicious macros, or a ZIP file that installs the malware upon extraction.

Ransomware Awareness

If you detect a Ransomware infection notify your manager or any member of the eHealth Technologies Compliance Team immediately to isolate, investigate, evaluate and mitigate the ransomware threat.

eHealth Technologies’ Privacy and Security Compliance Team delivers monthly training – everyone should know – Think Before You Click!  As always, please let us know if you have any questions on the privacy and security of Covered Information, including PHI, ePHI, and other Confidential Information.

 

Thank you for Caring Together…

eHealth Technologies’ Compliance Team