Hospital's Ransomware Attack Highlights Importance of Strong Endpoint Protection

Ransomware starts the same as any other malware attack, but it's much less effective against organizations that back up their data.

by Colin Wood / February 19, 2016
This message is displayed when users are infected with the Cryptolocker ransomware. If the user doesn't pay the ransom, his or her files are gone. Flickr/Christiaan Colen

In Southern California, Hollywood Presbyterian Medical Center paid a ransom of 40 bitcoin, nearly $17,000, to regain access to its electronic medical records system, the hospital announced Feb. 17. For cybersecurity experts, the news highlights the importance of strong endpoint protection and demonstrates a growing trend in the world of cybersecurity.

The center was without access to its information for 10 days following initial detection on Feb. 5, when hospital employees reported that they could not access the network. The source of the malware's entry has not yet been determined, but Ars Technica reported that the leading suspect is an email phishing attack. During the time the hospital lost access, hospital staff reverted to paperwork and fax machines to process patients, and some emergency patients were diverted to other hospitals. The hospital maintains that no personal information was stolen from the network.

“There’s two things it says about a company that gets breached and has to make a payment,” said Gartner Research Director Lawrence Pingree. “One, they don’t have a good backup and recovery strategy. Two, they got breached by ransomware and they don’t have adequate protection on the endpoint for defeating and thwarting ransomware. And there are technologies out there now that are capable of doing that in some of the endpoint protection products now, like Malwarebytes and Trend Micro.”

A recent survey by Cloud Security Alliance revealed that those distributing ransomware have a captive audience. Of 209 technology professionals surveyed, nearly a quarter said they would be willing to pay a ransom to prevent a cyberattack, and 14 percent said they would pay a ransom of more than $1 million to stop hackers from releasing sensitive information.

“I think we’re going to see increasing numbers of these types of attacks over 2016,” Pingree said, echoing a similar warning from the FBI in 2015. “It used to be more effective to go after ransoming end users, and now I think attackers are wise that organizations large and small will pay if they don’t have the proper controls in place.”

How Governments Can Protect Themselves

Ransomware starts the same as any other malware attack, said John Pescatore, director of emerging security trends at the SANS Institute.

“First the bad guys have to penetrate your system, so you do have to worry about it because it’s definitely happening,” Pescatore said. “The best way to try to prevent it is do all the things we tell people to do to prevent malware from getting in: Limit people’s privileges, patch systems, train people about phishing and so on.”

The difference with ransomware, however, is that it's much less effective against organizations that back up their data.

“If someone says, ‘Hey, we have your database,’ you can say, ‘Ha-ha, I just backed it up last night. I can keep doing business,’” Pescatore said. “In a ransomware attack, they’re exposing the fact that a lot of especially mid-sized companies don’t do backups very regularly.”

The choice of whether to pay the ransom is simply a business decision, Pescatore said, but once an organization has been hit, closing the vulnerabilities that let the attackers in is critical, because the “bad guys” will surely sell information about those vulnerabilities to others, increasing the likelihood of future attacks.

The thing that sets ransomware apart from other types of malware attacks is the urgency, said David O’Berry, worldwide technical strategist with Intel Security.

“There’s no time once ransomware hits,” he said. “It can just happen so quickly, whereas [in other types of attacks] there may be more time to handle the situation. Once it happens, there’s hardly a way back from it. The only real way back is a very solid backup schedule, very solid network operations and data center operations aspect, and even then it gets very, very hairy. So the only way to get in front of this is to eradicate it on the front line in as close to real time as possible.”
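The "front line, close to real time" detection O'Berry describes is usually a behavioral heuristic on the endpoint: one process touching many files in a short window and leaving them all with the same new extension looks nothing like a user editing documents. The script below is an added example, not code from the article or from any product it names; the event format, the process IDs, the `.locked` extension and the thresholds are all constructed for illustration. It runs a sliding-window check over a small made-up file-event log and raises an alert for the encrypting process before it finishes, while a bulk sync of mixed file types in the same directory does not trip it.

```python
"""Toy ransomware-burst detector over constructed endpoint file events.

Added example; not the article's code and not any vendor's algorithm.
Heuristic (an assumption): a single process that renames or rewrites many
distinct files within a short window, with most of them ending in one
suffix, is flagged as soon as the threshold is crossed.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds; constructed values in build_sample_events()
    pid: int    # hypothetical process id
    op: str     # "rename" or "write"
    path: str   # path after the operation


def detect_bursts(events, window_s=10.0, min_files=20, min_share=0.8):
    """Scan events in timestamp order and return one alert per offending pid.

    An alert is (pid, ts, distinct_files, suffix): at time ts the process had
    touched distinct_files different files in the last window_s seconds and
    at least min_share of them carried the same suffix.
    """
    recent = defaultdict(deque)   # pid -> (ts, path) pairs inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op not in ("rename", "write"):
            continue
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window_s:   # drop events older than the window
            q.popleft()
        if ev.pid in alerted:
            continue
        files = {p for _, p in q}
        if len(files) < min_files:
            continue
        suffix, n = Counter(PurePosixPath(p).suffix for p in files).most_common(1)[0]
        if n / len(files) >= min_share:
            alerts.append((ev.pid, ev.ts, len(files), suffix))
            alerted.add(ev.pid)
    return alerts


def build_sample_events():
    """Constructed log: a user editing, an encryptor, and a benign bulk sync."""
    events = [
        # pid 4100: ordinary editing, never near the threshold
        FileEvent(100.0, 4100, "write", "/home/alice/docs/report.docx"),
        FileEvent(100.5, 4100, "write", "/home/alice/docs/report.docx"),
        FileEvent(101.0, 4100, "write", "/home/alice/docs/budget.xlsx"),
        FileEvent(120.0, 4100, "write", "/home/alice/docs/report.docx"),
    ]
    # pid 7331: renames 25 documents to a single made-up extension in ~6 s
    events += [
        FileEvent(200.0 + i * 0.25, 7331, "rename", f"/home/alice/docs/doc{i:02d}.docx.locked")
        for i in range(25)
    ]
    # pid 5200: a sync client writing 30 files of mixed types in ~7 s;
    # many files, but no dominant suffix, so it must not alert
    exts = [".docx", ".xlsx", ".pdf", ".jpg", ".txt"]
    events += [
        FileEvent(300.0 + i * 0.25, 5200, "write", f"/home/alice/docs/file{i:02d}{exts[i % 5]}")
        for i in range(30)
    ]
    return events


if __name__ == "__main__":
    for pid, ts, count, suffix in detect_bursts(build_sample_events()):
        print(f"t={ts:.2f} pid={pid} touched {count} files, {suffix!r} dominant: kill and isolate")
```

Run as-is it prints a single alert for pid 7331 at t=204.75, after 20 of the 25 files; the remaining five would be spared if the process were killed at that point. The two knobs are the whole tuning problem: a lower `min_files` catches the encryptor earlier but will fire on archivers or converters that legitimately rewrite a directory to one extension, and a slow encryptor that touches one file a minute never crosses the window. Production endpoint products layer other signals on top (decoy files, write entropy, known-bad process lineage); this heuristic is only the shape of the check.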

A spokesperson for the Center for Internet Security (CIS) said that because of the group’s involvement with certain organizations on cyberattack responses, it could not comment on this issue, but urged organizations to look at the CIS primer on ransomware as a starting point to keep themselves protected.

An FBI spokesperson said they couldn’t comment except to say that the bureau is investigating the incident.

Colin Wood former staff writer

Colin wrote for Government Technology from 2010 through most of 2016.