The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
With hospitals seeing an increase in hospitalizations from the Flu or COVID-19 pandemic Malicious Cyber actors see this as an opportunity to target the Health and Human Services sector because any disruption to Hospital Systems would potentially lead to a quick payday for Cyber Criminals.
The Cyber Criminals have development teams that continue to develop new functionality and tools into malware droppers like Trickbot and BazarLoader. Many of these Cyber Criminals have teams that monitor updates from antivirus providers so they know when their variant of malware has been detected and know when it it time to change their code or techniques. This is a very coordinated effort by Cyber Criminals so they can circumvent an organizations Cyber Security Defense Systems.
The current Trickbot and BazarLoader variant droppers appear to be leveraging email phishing campaigns that contain links to external sites hosting malware or attachments loaded with the new variants of specially crafted malware. The Malware will start the infection chain by deploying and executing code that will provide Cyber Criminals a backdoor entry point into the environment.
Once the backdoor is open, Cyber Criminals can issue Command and Control scripts that will conduct resonance work in order to quickly spread the malware throughout the environment. After successfully spreading the malware Cyber Criminals will issue commands to launch the final attack and crypto lock the machines infected.
Once the Crptolock command is given the infected machines will Encrypt themselves and then display a screen notifying the user that their system has been encrypted. In order to decrypt your files, you will have to pay ransom in the form of Bitcoin. Some organizations choose to negotiate with the Cyber Criminals to decrypt their systems while others attempted to restore from backup or rebuild. In either case the business suffers and outage and if large enough will make the local and national 5 O’clock News.
The good news is there are a few things an organization can do to protect their environment and reduce the risk of becoming a victim of a Cryptoware attack. Below are some recommendations.
- Make sure you have some type of central logging system such as a SIEM to monitor your network.
- Ensure you are getting alerts. More importantly make sure you are getting alerts that are actionable. Tuning your alerts is the key to ensuring you are not sending so many false alerts that you desensitize yourself to alerts and miss the ones that would have alerted you to an attack.
- Pen test your internal and external network. By pen testing you will get a baseline of your environment’s Cyber Security health and identify areas that need immediate attention. A bonus to pen testing is you can also test your SIEM to ensure your alerts are setup properly.
- Install some type of Application Whitelisting software on your endpoint machines. Today having an antivirus or malware solution is not enough. Using Antivirus or malware software is more of a reactive solution. Application White Listing is a Pro Active solution as you will only allow known good software to run on your machine. Everything else will be denied the ability to execute by default.
- Make sure your OS’s are updated and patched regularly
- Regularly back up data, air gap, and password protect backup copies offline.
If you or your organization need help deploying some type of Endpoint Protection, Email Filtering Service, or building your Cyber Security Program, please reach out and I will be glad to setup a call to discuss your needs and challenges. [email protected] or 863-734-8060