In many respects, ransomware is an ideal cybercrime business model. It has low start-up costs and high rewards that come with relatively low risk because prosecutions are rare. It should come as no surprise then that the rate of ransomware attacks has doubled year over year.
And for threat actors, it’s paying off. Ransomware is big business; Homeland Security Secretary Alejandro Mayorkas estimates that victims collectively paid more than $350 million in ransoms in 2020. Ransomware gangs make money by disrupting critical business operations and stealing—and threatening to release—valuable data (especially proprietary information, records that may trigger regulatory penalties and private/sensitive data that may be embarrassing to executives, like personal correspondence, contracts and compensation).
Healthcare is a big target
Several sectors tick all the “ripe for ransomware” boxes, including legal services, financial institutions, utilities and healthcare providers. Research from Check Point indicates that healthcare organizations have come under intense targeting since April 2021.
We don’t need to look far for examples. A recent Wall Street Journal article about the notorious Ryuk ransomware gang noted that, “Multiple attacks were carried out in recent months against U.S. hospitals, suspending some surgeries, delaying medical care and costing hospitals millions of dollars,” and in June, CPO Magazine explained that, “The Conti ransomware group targeted at least 16 U.S. healthcare and first-responder networks.”
If Conti sounds familiar, that’s because it’s the same gang responsible for the “catastrophic” disruption of the Irish healthcare system in May. CPO Magazine also noted that, “Recent victims of ransomware attacks in the United States include the Scripps healthcare system in San Diego. Universal Healthcare Services, a Fortune 500 company with over 400 branches also confirmed a ransomware attack executed by a different threat actor on October 3, 2020.”
Importantly, the damage isn’t restricted to ransoms. First and foremost, lives are quite literally at stake when healthcare providers are attacked. Operational disruptions are also costly (the University of Vermont Health Network suffered damages of about $1.5 million per day due to expenses and lost revenues), and reputational damage can be devastating—something that cyber insurance can’t remedy.
Ransomware attacks leverage the trust that exists inside perimeters
The modern approach for executing a ransomware attack begins with gaining initial access to a network/environment. Some operators gain access on their own, while others prefer to purchase access from a cybercrime marketplace (“initial access brokers” specialize in providing this service).
From there, the ransomware operator moves around the environment laterally to perform domain reconnaissance (e.g., map the network, find critical resources, etc.).
Next, the attacker quietly exfiltrates as much sensitive data as possible (700 GB in the Irish healthcare incident) before “detonating” the encryption processes at a time carefully chosen to maximize the value of the ransom. For example, for public companies, the detonation may occur in the pressure-packed time leading up to the release of quarterly results. In many cases, the ransomware is activated when the target is particularly vulnerable (in the Scripps attack, the operators detonated the payload early in the morning on a weekend, a common cybercrime tactic).
Even if an organization can use backups to recover operations, the double-extortion tactic of stealing sensitive information is still a powerful motivator for ransom payment. This pressure is especially high in healthcare. Ponemon’s 2020 Cost of a Data Breach Report found that healthcare is the “most expensive industry,” with an average cost of $7.13 million per breach.
How are attackers able to move about the internal network? They leverage trust that is implicit within a perimeter. Once a user is inside a flat network, they’re granted access to more resources than needed to do their job. For ransomware operators, this access serves as a red carpet, welcoming them into the environment.
Legacy software and unprotected systems—both of which are common within healthcare—present even fewer barriers to lateral movement, allowing attackers to move about very quickly and effectively once a perimeter’s been breached.
And make no mistake: a motivated attacker will get into your network. No technology is perfect (Google’s Project Zero shows that 2021 is on track to shatter the previous high for zero-day exploits) and any system that involves humans is fallible. (A 2020 study determined that 88% of data breach incidents are caused by employees’ mistakes.)
To limit ransomware damage, take away trust
Once you recognize that perimeter defenses are designed for yesterday’s cyberthreats and IT environments, a logical conclusion is that perimeter-centric security built on implicit trust is a liability.
That’s why Zero Trust adoption has exploded. In fact, the White House recently issued an executive order requiring federal agencies to adopt a Zero Trust architecture. Then, following the headline-grabbing attacks against Colonial Pipeline and JBS, the White House sounded the alarm on ransomware specifically. One of the five recommendations made in the rare open letter was “network segmentation” to prevent an infected system from being used to compromise others in the same network and to isolate access to systems by employees and others.
By adopting this Zero Trust approach, healthcare organizations can reduce the scale of compromise, thereby speeding up recovery.
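The blast-radius argument above can be made concrete. The following is an added illustration, not code from this article or from Appgate: it models a small, constructed healthcare network and compares how many hosts a single compromised workstation could pivot to under an implicit-trust flat network versus an explicit, role-based allow-list. The host names, roles and rules are assumptions for the example.

```python
from collections import deque
from typing import Callable, Dict, Set, Tuple

# Constructed sample environment (not from the article): host -> (role, exposed services).
HOSTS: Dict[str, Tuple[str, Set[str]]] = {
    "nurse-ws-01": ("workstation", {"smb", "rdp"}),
    "nurse-ws-02": ("workstation", {"smb", "rdp"}),
    "ehr-app": ("app", {"https"}),
    "ehr-db": ("db", {"sql"}),
    "imaging-pacs": ("pacs", {"dicom"}),
    "backup-srv": ("backup", {"smb"}),
}

Policy = Callable[[str, str, str], bool]


def flat_network(src: str, dst: str, service: str) -> bool:
    """Implicit trust: anything inside the perimeter may reach any service."""
    return src != dst


# Least-privilege rules keyed by source role: allowed (destination role, service) pairs.
LEAST_PRIVILEGE: Dict[str, Set[Tuple[str, str]]] = {
    "workstation": {("app", "https")},             # clinicians only use the EHR front end
    "app": {("db", "sql")},                         # app tier talks to its own database
    "backup": {("db", "sql"), ("pacs", "dicom")},   # backup server pulls from data stores
}


def zero_trust(src: str, dst: str, service: str) -> bool:
    """Explicit allow-list: access is granted per role and service, never to 'the network'."""
    src_role, dst_role = HOSTS[src][0], HOSTS[dst][0]
    return src != dst and (dst_role, service) in LEAST_PRIVILEGE.get(src_role, set())


def blast_radius(start: str, policy: Policy) -> Set[str]:
    """Worst-case set of hosts an attacker could pivot to from `start`, assuming each
    host reached is in turn fully compromised and used as the next hop."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst, (_, services) in HOSTS.items():
            if dst not in seen and any(policy(src, dst, svc) for svc in services):
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


if __name__ == "__main__":
    for name, policy in (("flat network", flat_network), ("zero trust", zero_trust)):
        print(f"{name}: {sorted(blast_radius('nurse-ws-01', policy))}")
```

Under the flat policy one phished workstation can reach every other host; under the role-based policy the same foothold reaches only the EHR application and, by pivoting through it, its database.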
Protecting your network from ransomware attacks
Our industry-leading Zero Trust Network Access (ZTNA) solution, Appgate SDP, was built to secure network access by anyone to anything from anywhere. It applies granular access controls based on identity that connect users to authorized functionality rather than the network.
While not designed to protect against an initial ransomware infection on its own, ZTNA can significantly reduce the impact and spread of ransomware through device ringfencing, granular access control and assisting with device isolation when infections are detected. To learn more about these capabilities, please see Stop Ransomware in its Tracks with Zero Trust Network Access.