Beware: Ransomware!

Hackers demanded US$3.6 million to unlock the hospital’s files

In February 2016, a staff member at the Hollywood Presbyterian Medical Centre (HPMC) in Los Angeles opened an invoice in an emailed Word document and unwittingly activated Locky, a nasty piece of ransomware that spread rapidly across the hospital’s systems, encrypting files as it went. Within hours, doctors were unable to access patients’ records or share x-rays, scans or medical test results. Admin staff had to resort to pen and paper to do admissions. According to some reports, the hackers initially demanded US$3.6 million to unlock the hospital’s files. In the end, HPMC paid US$17,000 in bitcoin (hard to trace, though not untraceable), and ten days after that fateful click their systems were back online.

A decade ago, computer viruses were system-crashing, file-deleting monsters that threatened to trash your PC. They don’t get much press these days, but they’re still around, working quietly in the background, encrypting files, stealing signons, or joining botnets that send out spam and propagate them further. Within a fortnight of the HPMC attack, Symantec had deleted more than five million emails carrying Locky, and at its peak it was reckoned to be infecting five thousand machines an hour in Germany alone.

Once defences mustered, the attacks declined, then resurfaced briefly in August and November as new delivery methods appeared: JavaScript attachments on bogus emails, and code hidden in image files shared through Facebook and LinkedIn.

Viruses hidden in Word macros are one of the oldest tricks in the book: Melissa spread that way in 1999, and the notorious “I Love You” worm, which reached an estimated one in ten internet-connected computers in 2000, used a close cousin, a Visual Basic script attached to an email. But there are plenty of other ways you can be caught out.


A special note about Windows XP
I’ll say this as quietly as I can: Aaaarrgghh!

If you still have a machine running Windows XP, disconnect it from the internet immediately and make plans to replace it, today! Support for XP ended in April 2014 (extended from the originally planned phase-out in 2009), and the security holes found since then have gone unpatched, leaving the operating system remotely exploitable. (Microsoft has occasionally issued an emergency fix for a worm-scale hole, but that is the exception, not a reason to keep running it.) Despite this, a mid-2016 survey found that around 7% of all desktops were still running XP.


Phishing, like its sporty-sounding equivalent, involves throwing out a baited line in the hope that an unwary victim will snap at it. The lure in this case is an email, typically from your bank, warning of a security problem and asking you to click a link to confirm your details. That link will take you to a perfect copy of your bank’s web site where you attempt to sign in – and fail. (It is a fake site, after all.) You’ll be prompted to try again, and this time be redirected to the bank’s genuine site where your second attempt will succeed. Most people will blame the initial failure on a typing error, not realising they’ve just given away their login details to hackers.

There are three main types of phishing. Spear phishing uses personal information to improve an email’s apparent legitimacy. (Social media’s a great source of information.) Clone phishing updates a previously sent legitimate message with new links, while whaling is targeted at businesses and senior executives, typically taking the form of a legal document or a customer complaint.


All phishing is a numbers game. Send out a million emails, and even if only 0.01% of people click your link, you’ve got a hundred hits. It also takes a huge variety of forms. You may have won a lottery you never entered, inherited money from a relative you didn’t know you had, be offered an incredible investment opportunity or asked to help “liberate” funds from a third-world country in exchange for a percentage. It may be an invoice, a tax refund, or – in a local variant of Locky that surfaced here last September – a message from CourierPost about re-delivering a package. There are scams involving tech support, employment offers, visas to work in other countries, cheap holidays or tickets to major events. They’re all after one of two things: money up front and/or personal information such as bank account and credit card details or usernames and passwords.

Sometimes it’s hard to see where the catch is. Clever scammers may string you along for weeks or even months, establishing trust before asking for assistance in the form of a bank transfer. Online dating scams work this way. Suddenly your new friend is robbed, or stuck in a foreign country. Please help!

How to protect yourself

If the possibilities seem daunting, prevention is a matter of caution and common sense.

  • If the concept of computer security leaves you cold (or even just lukewarm) get professional advice! Threats change on a daily basis – sometimes hourly – and every site uses different hardware and has a different risk profile. You may need a firewall, better antivirus software, or that old router may require an update. Security isn’t something you set and forget. It’s more like a pet: it needs regular attention.

  • Treat any and every email with suspicion – especially if it contains attachments or convenient links to fix a problem you didn’t know you had. One quick way to check a link is to hold your cursor over it and look at the address that pops up: the text you can see and the address it actually goes to can be completely different. A second check, once you are on a site, is the padlock in your browser’s address bar next to an address beginning with https://. Banks and financial institutions always use certificates that verify the connection really is to the domain shown. Be aware, though, that a certificate only vouches for the domain name in the address bar, and criminals can obtain one for a look-alike domain they own, so read the name carefully rather than trusting the padlock alone.

  • Keep your software up to date. Windows is far more secure than it used to be (Windows 10 even ships with its own antivirus, Windows Defender) and OS X (now macOS) is well hardened too, but neither stays secure without patches. And don’t forget third-party browsers. Firefox and Chrome block hazardous add-ons and warn users about the latest suspect sites and phishing pages, but they can only do so if they’re up to date.

  • Do backups. Regularly. You don’t need to back up the whole machine, only the stuff you can’t buy again, like personal documents and photos. And it needn’t be an onerous process: after the first full copy, a backup run usually finishes quickly because the software only copies the files that have changed since last time.

  • Keep an off-site backup. If your house burns down, that backup in the top drawer of your desk will probably go with it. Off-site could be a shed at the bottom of the garden, your desk at work or “in the cloud” via Dropbox, Google Drive or OneDrive. One caveat with sync services: they faithfully copy whatever is on your disk, encrypted files included, so check that yours keeps older versions of files (most do, for a limited time) or keep a separate backup that isn’t continuously synced.
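The “hover over the link” check from the list above can be automated. The script below is an added example, not code from the original article: it pulls every link out of an HTML email body, compares the address the link really points to with the text the reader sees, and insists on https and on the bank’s real domain. The email body, the bank domain examplebank.co.nz and the look-alike addresses are all constructed for this demo.

```python
"""Automated version of the 'hover over the link' check.

Added example, not from the original article. Everything below (the bank
domain, the sample email, the look-alike hosts) is constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domain the reader expects the bank to use.
EXPECTED_DOMAIN = "examplebank.co.nz"

# Constructed sample email: one look-alike link, one genuine link,
# one internationalised (punycode) look-alike.
SAMPLE_EMAIL = """
<p>Dear customer, we have detected unusual activity on your account.</p>
<p>Please sign in at
<a href="http://examplebank.co.nz.account-verify.example/login">www.examplebank.co.nz</a>
to confirm your details.</p>
<p>Our genuine site is <a href="https://www.examplebank.co.nz/">www.examplebank.co.nz</a>.</p>
<p>Mobile users: <a href="https://xn--exmplebank-tbb.co.nz/">examplebank.co.nz</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude owner-domain guess: last two labels, or three for co.nz-style
    suffixes. A real tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "net", "org", "ac", "govt"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(href, visible_text):
    """Return the reasons a link is suspicious; an empty list means it passed."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) hostname, a common look-alike trick")
    if registrable_domain(host) != EXPECTED_DOMAIN:
        reasons.append(f"points at {host or 'unknown host'}, not {EXPECTED_DOMAIN}")
    # The visible text looks like an address but names a different host.
    if "." in visible_text and " " not in visible_text:
        shown = urlsplit(visible_text if "://" in visible_text else "http://" + visible_text)
        if shown.hostname and shown.hostname.lower() != host:
            reasons.append(f"displays {shown.hostname} but goes to {host}")
    return reasons


def scan_email(html):
    """Map each suspicious href in the email body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it reports the first and third links and passes the genuine one. The domain check is the important part: a phishing page can have a perfectly valid certificate for a domain the criminals own, so “is it https” is necessary but not sufficient.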


What to do if you’re hit by ransomware
If you receive a message saying your files have been encrypted and that you can only recover them by paying a fee – typically US$200-400 – disconnect the machine from the network and switch it off immediately, then call your IT support person. Encrypting files takes a while, so you may have only lost a handful, and pulling the network cable stops it reaching shared drives. And anyway, you’ve got backups, right?

A new, even more cunning variation is simply a message saying that your files have been encrypted when they haven’t been touched at all. Some people panic and pay up anyway, so check before you do anything else: if your documents still open, nothing has been encrypted.
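Your IT support person can tell the real thing from the bluff without opening anything. The script below is an added example, not from the original article: encrypted output looks like random bytes (every byte value about equally common, so its entropy sits near the maximum of 8 bits per byte) and no longer starts with the header its file type implies (a PDF begins with %PDF, a .docx with the zip signature PK). A bogus ransom note leaves both intact. The sample files are constructed in a temporary folder; the header table and the .locky extension (the name Locky gave to the files it scrambled) are the assumptions here.

```python
"""Check whether files have really been encrypted before deciding what to do.

Added example, not from the original article. Sample files are constructed
in a temporary folder; the header table and extension list are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

# Expected first bytes for some common document types (assumption: short list).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",   # .docx/.xlsx/.pptx are zip containers
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Extensions ransomware gives to files it has scrambled (Locky used .locky).
SUSPECT_EXTENSIONS = {".locky"}
# Plain text scores about 4-5 bits/byte; compressed or encrypted data 7.9+.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """Return 'intact', or a string starting 'encrypted:' or 'suspect:' with the reason."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(65536)          # the first 64 KiB is enough to judge
    entropy = shannon_entropy(head)
    if ext in SUSPECT_EXTENSIONS:
        return f"encrypted: renamed with {ext} extension, entropy {entropy:.2f}"
    expected = MAGIC.get(ext)
    if expected is not None:
        if head.startswith(expected):
            # Header present. Compressed formats (docx, png, jpg) are high-entropy
            # by design, so entropy alone would raise false alarms here.
            return "intact"
        if entropy >= ENTROPY_THRESHOLD:
            return f"encrypted: {ext} header missing, entropy {entropy:.2f}"
        return f"suspect: {ext} header missing, entropy {entropy:.2f}"
    if entropy >= ENTROPY_THRESHOLD:
        return f"suspect: unknown type with entropy {entropy:.2f}"
    return "intact"


def scan_folder(folder):
    """Map each file (path relative to folder, '/' separated) to its verdict."""
    report = {}
    for root, _, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, folder).replace(os.sep, "/")
            report[rel] = classify(full)
    return report


def build_sample_folder():
    """Constructed test data: two untouched files, two scrambled ones."""
    folder = tempfile.mkdtemp(prefix="ransom-check-")
    samples = {
        "notes.txt": b"Patient admission notes, ward 3. " * 200,   # ordinary text
        "scan.pdf": b"%PDF-1.4\n" + b"stream data " * 500,          # real header
        "xray.pdf": os.urandom(4096),                               # header gone
        "results.locky": os.urandom(4096),                          # renamed
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as f:
            f.write(data)
    return folder


if __name__ == "__main__":
    for name, verdict in sorted(scan_folder(build_sample_folder()).items()):
        print(f"{name:15} {verdict}")
```

Point it at a user’s Documents folder and a run that comes back all “intact” means the note was a bluff; a handful of “encrypted” verdicts confirms the advice above that you have probably lost only what it got to before the power went off.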


Business Considerations

For businesses – small or large – all of the above applies to each and every one of your users, and there are some extra considerations too. By far the biggest threat comes not from without but from within: disgruntled employees. In over a thousand incidents documented by the CERT program at Carnegie Mellon University in the United States, employees were found to have deliberately deleted data, blocked access to it, or copied, modified or disclosed it to third parties. In one case, a former employee continued to wreak havoc four months after he was dismissed because his access to the company’s systems hadn’t been revoked.

Add to this accidents, careless or uninformed staff and the Bring Your Own Device hazard – where unpatched or vulnerable personal devices like laptops, phones, tablets and USB drives may be connected to your network – and you’re probably already starting to get a headache.

Identify and manage your “privileged data”

The only reasonable way to manage all this is to have a security policy. Think of it as health and safety for your data. What can and can’t be connected to your system? Who’s the go-to person for problems or questions? What’s allowed and not allowed? (Playing games? Probably not. What about social media …?) Above all, you need to identify and manage what’s known as “privileged data” – the stuff critical to your business – and control who has access to what parts of it. Individual signons are better than global ones. If Joe in Accounts quits tomorrow, you need to be able to shut off his access right away. What’s more, individual signons can be logged, providing details of who did what and when.

Some other considerations:

  • Do backups, do backups, do backups! And keep a set off site.

  • Test your backups regularly by actually restoring a few files. Are you really saving everything you’d need in the event of a disaster, and can you get it back?

  • Restrict access to critical hardware. Keep the server room locked or put routers, servers and backup drives in a lockable cabinet.

  • Don’t forget firmware updates. Though less frequent, routers, servers and network storage boxes also fall foul of security bugs, so it’s important to keep them up to date too.

  • Consider taking out cyber-insurance. (See below.)
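Two of the backup points above, that routine backups are quick because only changed files are copied, and that a backup is only real once you have tested that it restores, fit in one small script. This is an added example, not the article’s or any vendor’s code: it copies files whose size or modification time has changed since the last run, keeps a manifest of SHA-256 hashes beside the copies, and verify() re-hashes every copy against that manifest. The source and destination folders and their contents are constructed in temporary directories; a real deployment would point dest at an external or off-site drive.

```python
"""Incremental backup with a restore check.

Added example, not the article's or any vendor's code. Source and destination
folders and their contents are constructed in temporary directories.
"""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = ".backup-manifest.json"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(dest):
    path = os.path.join(dest, MANIFEST)
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def backup(src, dest):
    """Copy new or changed files from src into dest; return the '/'-separated
    relative paths copied this run. Files deleted from src are kept in dest on
    purpose: mirroring deletions would let malware take the backup down too."""
    manifest = load_manifest(dest)
    copied = []
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src).replace(os.sep, "/")
            st = os.stat(full)
            entry = manifest.get(rel)
            if entry and entry["size"] == st.st_size and entry["mtime_ns"] == st.st_mtime_ns:
                continue                       # unchanged since the last run
            target = os.path.join(dest, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)
            manifest[rel] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                             "sha256": sha256_of(full)}
            copied.append(rel)
    with open(os.path.join(dest, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=1)
    return copied


def verify(dest):
    """The restore test: return relative paths whose copy is missing or whose
    hash no longer matches the manifest (an empty list means the backup is good)."""
    bad = []
    for rel, entry in load_manifest(dest).items():
        target = os.path.join(dest, *rel.split("/"))
        if not os.path.exists(target) or sha256_of(target) != entry["sha256"]:
            bad.append(rel)
    return sorted(bad)


def demo():
    """Run three backups and a tamper test on constructed data; return the results."""
    src, dest = tempfile.mkdtemp(prefix="src-"), tempfile.mkdtemp(prefix="dest-")
    try:
        files = {"docs/letter.txt": b"Dear Sir, ...\n",
                 "photos/holiday.jpg": b"\xff\xd8\xff" + b"\x00" * 500}
        for rel, data in files.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        first = backup(src, dest)            # everything copied
        second = backup(src, dest)           # nothing changed, nothing copied
        with open(os.path.join(src, "docs", "letter.txt"), "ab") as f:
            f.write(b"PS. Please find the invoice attached.\n")
        third = backup(src, dest)            # only the edited letter
        verify_ok = verify(dest)
        # Simulate ransomware reaching the backup drive and scrambling one copy.
        with open(os.path.join(dest, "photos", "holiday.jpg"), "wb") as f:
            f.write(os.urandom(503))
        verify_after_tamper = verify(dest)
        return {"first": sorted(first), "second": second, "third": third,
                "verify_ok": verify_ok, "verify_after_tamper": verify_after_tamper}
    finally:
        shutil.rmtree(src)
        shutil.rmtree(dest)


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:20} {result}")
```

The tamper test shows why the backup drive must not stay permanently attached: ransomware encrypts whatever it can reach, and on the next run this script would dutifully copy the scrambled originals over the good copies. Rotate drives, keep a set off site, and prefer software that keeps several generations of each file.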

The HPMC ransomware attack highlighted two key failures: the hospital had no real security policy and it had insufficient backups. The latter alone would have mitigated the attack. Instead of being down for days and having to pay a ransom to recover their data, they could have been back up within hours. Make sure you don’t get caught out!


The insurance option
Data is critical to modern businesses, perhaps even more so than your premises or equipment, so why not consider insuring it too?

Cyber-insurance can cover you for the obvious things like business interruption, third-party liabilities, theft and the cost of restoring data after an attack, and the better policies also cover less obvious things like legal expenses, data forensic costs and even provide assistance with public relations to manage the muddle.


This article first appeared in the Autumn 2017 issue of On MAS, the magazine
for members of the Medical Assurance Society.
© Geoff Palmer 2017
