Last Week in Ransomware: 06.03.2024

Last week in ransomware news we saw Ascension hospitals in “chaos” following a ransomware attack, CISA alerted orgs of vulnerabilities but only half took action, and ransomware victims surged in 2023...

Orgs Fail to Address Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) alerted nearly 2,000 organizations about vulnerabilities that could be exploited in ransomware attacks, but only about half took action.  

According to CISA, 852 out of 1,754 notified organizations either patched the vulnerabilities, implemented compensating controls, or took vulnerable devices offline. Despite this progress, CISA acknowledges that there is still significant room for improvement.

Ransomware operators are increasingly automating the exploitation of known vulnerabilities, leading to a surge in attacks. This automation allows them to compromise thousands of servers quickly by exploiting unpatched vulnerabilities and misconfigurations.  

For example, the Cl0p ransomware gang exploited vulnerabilities in the GoAnywhere and MoveIT software to infiltrate networks and exfiltrate sensitive data for extortion.

Automation in ransomware attacks enables threat actors to compromise more targets faster, making timely patching of vulnerabilities crucial for all organizations.  

Despite the challenges, such as the complexity of patching and the potential for disrupting critical business systems, organizations must prioritize understanding and addressing their vulnerabilities to prevent exploitation.  

The main reasons for failing to patch are either neglect or inability to do so due to complex system dependencies. Addressing these issues, especially among those who could patch but didn't, is essential to mitigating the growing ransomware threat.

Ultimately, organizations need robust processes to detect vulnerabilities and ensure timely patching to avoid being easy targets for automated ransomware attacks.

READ MORE HERE

Ransomware Victims Surged in 2023

In 2023, the number of ransomware attack victims surged by 71% compared to 2022, fueled by a 30% rise in the number of identified ransomware operators. The new research highlighted that ransomware was the primary threat, accounting for 33.3% of all incidents across various sectors.  

A notable trend was the increase in attacks via contractors and service providers, including IT services, which became one of the top three attack vectors for the first time. This approach enables large-scale attacks with minimal effort and often goes undetected until data leaks or encrypted data are discovered.

The report identified four main initial infection vectors for ransomware: trusted relationship attacks, the compromise of internet-facing applications (accounting for 50% of all ransomware attacks), compromised credentials (40%), and phishing.  

Among the compromised credentials, 15% were obtained through brute force attacks. These findings underscore the significant threat ransomware poses to organizations of all sizes and industries.

To mitigate the impact of ransomware attacks, organizations must foster a culture of cybersecurity, invest in the right technologies and personnel, and develop comprehensive incident response and business continuity plans.  

Financial losses, operational disruptions, data exfiltration, reputational damage, legal consequences, and the evolving threat landscape demand vigilant attention.

Investing in robust cybersecurity measures and engaging in ongoing employee training are critical. Cultivating a culture of cybersecurity awareness and collaborating with legal counsel to navigate the regulatory landscape are also essential. Developing a crisis communication plan can help address reputational damage effectively.

Achieving cyber resilience goes beyond implementing robust cybersecurity measures; it requires a thorough understanding of an organization's preparedness to withstand and recover from cyber incidents. This involves strategically selecting and monitoring key performance indicators (KPIs) and metrics tailored to assess cyber resilience.

Key metrics to bolster cyber resilience include:

• Mean Time to Detect (MTTD): Measures how long it takes to detect a cyber threat. A lower MTTD indicates better detection capabilities, helping contain lateral movement within an organization and reducing breach impact.
• Mean Time to Respond (MTTR): Measures the time taken to respond to a cyber threat once detected. A lower MTTR indicates faster response capabilities. Effective tabletop exercises and lessons learned from past incidents can help reduce this metric.
• Incident Response Plan Effectiveness: Assesses how well the incident response plan is followed during a cyber incident, including containment time, communication effectiveness, and coordination among response teams. Adjusting the plan to reflect changes in the threat landscape is crucial.
• Cybersecurity Training and Awareness: Measures the effectiveness of cybersecurity training programs by tracking employee awareness levels, training module completion rates, and performance in simulated phishing exercises. Tailoring training to different roles within the organization can enhance its effectiveness.
• Cybersecurity Hygiene: Tracks practices like system patching frequency, vulnerability scanning results, and compliance with security policies. Prioritizing cybersecurity hygiene is essential for increasing resilience.
• Cyber Risk Exposure: Quantifies cyber risk by assessing asset criticality, vulnerability severity, and threat likelihood. Understanding risk exposure helps prioritize resources for greater resilience.
• Third-Party Risk Management: Tracks metrics related to third-party cyber risk, including assessments conducted, compliance levels, and incidents involving third-party vendors. Understanding third-party risks is crucial for a comprehensive resilience perspective.
• Security Controls Effectiveness: Assesses the effectiveness of security controls through metrics like IDS/IPS alerts, firewall rule effectiveness, and malware detection rates. Evaluating control effectiveness ensures proper investment and results.
• Backup and Recovery Metrics: Measures the effectiveness of backup and recovery processes through metrics like backup success rates, recovery time objectives (RTO), and recovery point objectives (RPO). Regular testing ensures that recovery expectations match real-world results.
• Business Continuity and Disaster Recovery (BCDR) Metrics: Tracks the ability to maintain operations during and after a cyber incident, including RTOs, RPOs, and BCDR exercise success rates. Ensuring that plans are implementable in a true disaster scenario is vital.

Effective cyber resilience requires a holistic approach, incorporating proactive measures, rapid detection, efficient response, and robust recovery mechanisms.  

By monitoring and optimizing these key metrics, organizations can enhance their ability to withstand and recover from cyber threats, safeguarding their operations and maintaining business continuity.  

Regular testing and validation of disaster recovery plans are essential to confirm their effectiveness in real-world scenarios.

READ MORE HERE

Ascension Attack Highlights Threats to Healthcare System

A ransomware attack on the Ascension hospital system has left its operations in disarray for over a week, severely impacting patient care and leading to the diversion of ambulances to other facilities.  

Ascension, which operates over 250 locations in Middle Tennessee, has had to rely on manual paper-and-pen systems due to the attack, causing significant disruptions in charting, scheduling medical tests and procedures, and accessing critical healthcare records.

Staff members describe the situation as chaotic, with a nurse stating that safety checks have been eliminated, raising concerns about patient safety and the potential impact on their nursing licenses.  

Nurses are reportedly forced to override medications from automatic dispensing cabinets without the ability to scan patient armbands or medication barcodes, eliminating essential safety checks.

Patients and their families are also experiencing distress.  

One patient's relative recounted how the hospital's staff, hampered by downed systems and phone lines, repeatedly asked the same questions and made near-mistakes in medication administration, which were only averted by the relative’s vigilance.

The incident highlights the vulnerability of healthcare providers to ransomware attacks. Studies show that over 500 successful ransomware attacks have impacted nearly 10,000 healthcare providers in recent years, exposing over 52 million patient records and costing the US economy tens of billions of dollars.  

These attacks have disrupted patient care, increased mortality rates, and led to more complications in medical procedures.Ransomware attacks are increasingly seen as cyberterrorism, given their severe impact on critical infrastructure and patient safety.  

Many of these attacks are linked to Russian entities, suggesting a dual motive of financial gain and geopolitical influence. A 2021 report by Chainalysis found that 74% of ransomware revenue went to Russia-linked attackers.

Given the profound implications for public safety and national security, there is a call for the U.S. government to treat these attacks as acts of terrorism.  

Executive Order 13224 defines terrorism as acts dangerous to human life and intended to intimidate or coerce civilian populations or influence government policies. By this definition, ransomware attacks on healthcare systems qualify as terrorism and should be addressed with corresponding urgency and severity.

The healthcare sector's inadequate budgets and staffing for cybersecurity make it a prime target for ransomware operators, who exploit the urgency of patient care to demand large ransoms.  

Addressing this threat requires a significant shift in how these attacks are perceived and handled, recognizing their potential to cause widespread harm and destabilize critical services.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.