Continuing as a formidable force, COVID-19 has brought a lot of economic activity to a halt. Cyber crime is not one of those activities. In fact, many cyber attackers are taking advantage of the natural vulnerabilities that go along with the novel coronavirus, creating relevant phishing attacks, for example, to play to people’s fears and gain access to computers and their networks. In January, Zscaler saw and blocked 1,200 coronavirus-themed phishing attacks; in March, that number was 380,000.
Ransomware—an increasingly popular way for cyber attackers to monetize all their work—should be a major concern for healthcare distributors and manufacturers in general, noted Lonnie Benavides, vice president of global cybersecurity operations and services, information security and risk management, for pharmaceutical distributor McKesson.
Since the first ransomware documented in 1989, such attacks have been exploding since 2010, Benavides says, bringing new functionality. The ransom demand showing on your screens can be translated into multiple languages. They can accommodate different forms of payment and interaction. “It’s a software market that’s really spun up,” Benavides said. “It’s incredible to see the development features that have been built into ransomware.”
Benavides was not just marveling at the success cyber attackers have had with the ransomware model for turning their businesses into major money-making operations. He was warning the healthcare distribution community that they need to be better prepared for such attacks. “The software is designed to render your system unusable,” he said. “That is the very real intent behind the developers of each ransomware family.”
With the cancellation of its Distribution Management Conference (DMC) in early March because of COVID-19 concerns, the Healthcare Distribution Alliance (HDA) pulled together several of the planned presentations into a webinar series. Benavides presented timely information on how ransomware could be the cause of your next 10-day outage. That’s how long, on average, your operations could be down if you get hit with a ransomware attack, according to industry studies, he pointed out.
Ransomware is equipped to impact as many systems as it can, designed to be multi-platform software, avoiding any sort of installation problems. Ransomware will run no matter what other programs are installed on your system; it’s designed to work on the newest systems as well as the oldest, dingiest systems. “They’ve thought about every single way to bring your operation to its knees,” Benavides said.
Some forms of ransomware are designed to spread across your network as well. “If there is a vulnerability on the system, what you’ll see is the ransomware affecting the first computer, then spreading to the next and the next,” Benavides said.
The payoff
Ransomware is typically the last step in a multistage attack. It’s how attackers achieve their economic gain after they’ve been accessing your computer systems and getting into your networks for extended periods of time, Benavides noted. “There’s a whole lot of other things that have happened in order to enable that ransomware attack,” he added.
These are business operations. “They’ve really invested and we think will continue to invest as a means for making money,” Benavides explained.
Ransomware is a full-fledged economic model. An initial access team could get access into your systems and network, selling that access off to anyone who will pay for it. Other teams could take over from there, staging the environment for a ransomware attack and in turn sell that off to somebody more willing to take on the final risk. Finally, there are teams that deploy the ransomware and attempt to receive payment. Sometimes one crew will take care of all three phases.
“These teams really don’t care who gets it,” Benavides warned, in case you thought you were too small a fish for anyone to care about attacking you. “They just want to affect as many people as possible.” Those some attacks are targeted, they are primarily economically motivated and opportunistic, he added.
An attack like this is not easy to deal with, Benavides emphasized. Even if you go ahead and pay the demanded ransom, there’s no guarantee at all that your system will then be restored to normal. Not only are these individuals not particularly trustworthy, this just isn’t the part of the ransomware technology they’ve bothered investing in. “If there’s one place they don’t spend a lot of time on it would be the restoration of your system after you’ve made the payment,” Benavides said. “It has been the case in several instances where people decide to pay the ransom and then do not gain access back to their system, whether on purpose or by accident.”
How it gets in and spreads
There are key attack vectors that you and your company need to focus on to help keep your operations safe. Benavides pointed to four categories that are the most common areas:
- Password exposures, which commonly happen through phishing emails or through lists of exposed passwords.
- Internet-facing single-factor authentication. Interfaces that only ask for a username and password without also requiring a code texted to you, for example, are some of the most targeted interfaces today, Benavides said.
- Malicious software, which can be picked up from websites.
- Internet-facing vulnerabilities, such as software you have published onto a network perimeter that hasn’t been properly patched.
If you’re getting a lot of spam or other emails that seem suspicious, if you’re allowed to set weak passwords, if you’re aware of something old on your perimeter—these are things that you want to raise with your cybersecurity team, Benavides said.
There are other aspects of your systems that you will want to pay attention to keep ransomware from spread further into your network:
- Administrative access. If you notice you’re able to install software on your computer without having special access, administrative access is not locked down, Benavides explained. If it’s not, it only takes access to one system to spread to the whole network. “If it was spreadable malware, it would capture that one password and use it to spread to everything,” he said.
- Flat internal networks have no barrier between systems that run operations and standard computers. For example, you shouldn’t be able to access your distribution environment from the same system that you access your email from. “If you are experiencing that, that’s a concern that you definitely want to raise up to your security or IT team,” Benavides said.
- Password exposures and access control issues. Storing passwords to spreadsheet for easy maintenance makes those passwords easy prey to ransomware with built-in searches that go through every single file on a computer to look for just such a file. Instead, use a commercial-grade password manager as well as separate administrative passwords on each computer.
- Internal vulnerabilities. Keep up on patches. If you only patch things on the outside of the network because you think your perimeter is protecting you, “you could easily find yourself in a very vulnerable spot,” Benavides said.
As painful as a ransomware attack might be, if you’re hit with one, it’s not the primary security issue you have, Benavides said. “If you have any instances of ransomware in your environment, it means you have an exposure further up your line,” he said. “You need to close that up so that attacker doesn’t come back and do it again.”
If you think it was bad having to inform your customers that your network was attacked—just wait until you have to tell them it was attacked again. They’ll be watching after the first attack to see that you’re taking the necessary steps to fix the problems. “If you have repeat attacks, they start to lose faith in your ability to handle it,” Benavides said.
Proactive prevention comes from several different angles. Advanced email and endpoint protection, for example, uses modern data analytics to detect bad actions. But effective phishing awareness training is really important as well, Benavides stressed. He recommends not only testing your team to make sure they’re not clicking on things they shouldn’t be clicking on, but also having some form of consequence for those that continually fail that training. Effective two-factor authentication is important, as is Internet-facing hygiene, ensuring all applications are patched and putting them behind a firewall where possible.
