Bad case of loving you
A new ransomware variant dubbed “Defray” is making its way around the healthcare and education industries. Unlike other ransomware we’ve seen hitting vulnerable systems across the globe, Defray appears to be limited in scope, targeted at industries specifically known for not being at the forefront of information security ingenuity. As a security practitioner, it’s easy to wag a finger and say, “If you had only…” to affected entities, but when it comes to healthcare and education organizations in particular, added challenges come into play compared to, say, technology or financial services companies (not that those industries don’t see their fair share of cyber incidents).
Looking categorically at healthcare, legacy systems are rampant. Because the bulk of attention in healthcare is allocated towards patient care, doctors’ offices and hospitals are less likely to be on the “cutting edge” of new technology adoption when it comes to system infrastructure. The ability for these organizations to rip and replace, upgrade, or even apply patches, can be significantly more challenging than in other industries (where it can be tricky enough). An outage or system downtime can literally mean loss of life (which is one argument in favor of updating and upgrading, but again, it’s not as easy as some security pros would make it seem). As a result, IT and security departments at these organizations are struggling to simply maintain and manage antiquated mainframes and data centers.
On top of the outdated systems themselves, large amounts of data are required to treat any one patient, meaning that data inaccessibility can lead to catastrophe for the patient, attending healthcare providers, and the organizations that employ them. Threat actors are keenly aware of this quagmire.
With all the newfangled technology available for patient care—remote monitoring, internet-connected pacemakers and insulin pumps, patient access portals, data analytics applications that allow for better and more accurate diagnoses, etc.—and the well-known security issues accompanying healthcare IoT, a lot of white hat security practitioner and researcher attention is focused there. Cyber criminals, though, don’t need to hack IoT. With the obvious challenges of managing legacy systems, needing 24x7x365 access to (accurate) healthcare records, and the urgency that routinely accompanies patient care, all adversaries need to do to make a few bucks is focus on the disconnect between their own goals and practitioner/research attention and longstanding chinks in the armor.
One of those chinks is lack of dedicated security staff. The global security staffing shortage is infamous, and healthcare especially feels the deficiency.
Most security organizations are stretched thin, but in an industry like healthcare where multiple technical challenges are layered, scant time is left to practice the human side of security. This is painfully obvious in the areas of training and awareness—the primary methods of combatting phishing (i.e., the initiation point for most ransomware).
Security awareness and training is a challenge in healthcare in its own right, regardless of the compounding staffing shortages; doctors, nurses, aides, techs, administrators, and staff are highly distributed, may work non-standard hours, are often in a rush, and are focused on data access that allows for patient care. The primary concern is not whether an email that appears to be legit is actually legit.
With Defray, the weapon of choice is an emailed Microsoft Word document with an enticing and apropos title like “patient_report.doc” or “presentation.doc.” The document contains an embedded executable that, if clicked, drops the malware onto the victim’s machine, rendering all files inaccessible. So far it looks like a pretty common ransomware event. What makes this campaign different from other ransomware we’ve seen recently is that it appears to have been distributed to surprisingly small numbers of recipients, and with customized messages for individuals working in that industry. This is no Locky or WannaCry (both of which had their way aplenty within the healthcare sector, but also picked up numerous other industry victims along the storm path).
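One defender-side triage check for the lure described above, as an added example that is not part of the original post: a Python heuristic that flags legacy .doc attachments carrying an embedded PE executable (an MZ header followed by the usual DOS stub string). The e-mail and the attachment bytes are constructed here for illustration and are not real Defray samples.

```python
import email
import re
from email import policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # header of a legacy .doc (OLE) container
DOS_STUB = b"This program cannot be run in DOS mode"   # present in nearly every PE executable
OFFICE_EXT = (".doc", ".dot", ".xls", ".ppt")
# "MZ" within a few hundred bytes of the DOS stub is a strong sign of a PE file
# embedded in the document (e.g. as an Ole10Native/Package object).
PE_PATTERN = re.compile(rb"MZ.{0,256}?" + re.escape(DOS_STUB), re.S)


def suspicious_attachments(raw_message: bytes) -> list:
    """Return one finding per Office-named attachment that hides a PE executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(OFFICE_EXT) and PE_PATTERN.search(data):
            findings.append({"filename": name,
                             "ole_container": data.startswith(OLE_MAGIC)})
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message (not a real phishing sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "clinic@example.invalid"
    msg["Subject"] = "Patient report"
    msg.set_content("Please review the attached report.")
    msg.add_attachment(payload, maintype="application", subtype="msword",
                       filename=filename)
    return msg.as_bytes()


# Constructed attachment bodies: an OLE header, then (for the malicious one) the
# MZ header and DOS stub a dropped executable would leave inside the document.
MALICIOUS_DOC = (OLE_MAGIC + b"\x00" * 512 + b"MZ\x90\x00" + b"\x00" * 60
                 + DOS_STUB + b"\x00" * 64)
BENIGN_DOC = OLE_MAGIC + b"\x00" * 512 + "Word".encode("utf-16-le") + b"\x00" * 128
SAMPLE_MALICIOUS = build_sample("patient_report.doc", MALICIOUS_DOC)
SAMPLE_BENIGN = build_sample("presentation.doc", BENIGN_DOC)

if __name__ == "__main__":
    print(suspicious_attachments(SAMPLE_MALICIOUS))  # flags patient_report.doc
    print(suspicious_attachments(SAMPLE_BENIGN))     # []
```

The check is a string heuristic, not a parser; a production pipeline would also walk the OLE directory for Package or Ole10Native streams and inspect their contents.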
Based on healthcare’s plentiful IT and security challenges, it’s no great surprise that enterprising criminals have decided to pick on healthcare organizations. Healthcare has proven to be an easy target. Even with well-advertised incidents souring their milk, these organizations are not making colossal strides (perhaps for reasons stated above) towards improved data or system security.
It’s yet to be determined how successful Defray will be in the wild. Though the ransom note goes so far as to warn victims that “This is custom developed ransomware, decryptor won’t be made by an antivirus company” (and then goes on to brag about how awesome its encryption is, as if a healthcare worker would care), we haven’t seen any reports of organizations paying the $5,000 ransom. It’s likely, though, that attackers will snag a few victims, and these small “wins” will propel future attacks against these predisposed types of organizations.