If cybercriminals have their way, you won’t know your healthcare organization has been attacked with ransomware until it’s too late. By the time they demand a sizable ransom, your highly sensitive patient data will already be encrypted, locking you out. You’ll need to shut down critical systems, curtail services, and set your emergency plan into motion.
What if you could detect a ransomware attack before it goes that far? Surveying the variety of tactics and delivery methods used by cybercriminals can help your organization build a strategy for preventing attacks and mitigating damage.
Understanding Ransomware Delivery Methods
Ransomware is malicious software that encrypts data, preventing authorized users from accessing it. Attackers typically demand ransom in exchange for providing the decryption key. They also might threaten to steal—and sell—sensitive data or attack partner organizations unless the ransom is paid.
Once ransomware has infected an enterprise network, the strategy for extracting ransom is generally similar from one attack to another. But the means of infection can vary greatly. Cybercriminals employ a wide array of methods to deliver their ransomware.
1. Email Phishing: The Primary Attack Vector
Email phishing is the most common tactic for launching a ransomware attack. Just one employee clicking on a link in a suspicious email could start a chain of events that ultimately costs an organization millions of dollars.
Phishing email tactics
A phishing email generally has one of two goals. Attackers might want to steal login credentials—a username and password—for an app or system. They can then use those credentials to log in, posing as the phishing victim, and implant the ransomware.
Or attackers might use a phishing email to get an individual to download an attachment that is malware in disguise. Once the malware is running on the user’s system, it can spread to other systems on the network.
In both cases, the approach is similar: Attackers send emails and try to get users to do something. To steal login credentials, they try to lure a user into clicking on a seemingly authentic link within the email. That link will take the user to a website where they are asked to enter their credentials. To entice the user to open an attachment, attackers might claim that it contains information needed for the user’s job.
Phishing email examples
A phishing email might appear to come from a colleague, manager, partner, or any other source from whom a user might typically receive emails. For example, an email might claim to be from an HR manager, asking the recipient to update personal information on a website, or from the IT team, telling the recipient that a new security policy requires them to re-enter a password into a cloud app. An email that seems to come from a partner might claim that an attachment is an invoice or purchase order.
Best practices for identifying and avoiding phishing emails
How can your organization reduce the risk of successful phishing? Identifying phishing attempts is difficult, but there are often a few clues:
- Fake email addresses or websites: Users should scrutinize the “from” field. Is it the correct address of the supposed sender? If there is a link within the email, users should hover over it with the cursor: Does it show a different, odd URL?
- Misspellings or grammatical errors: Are there surprising mistakes in the subject or body of the email?
- A sense of urgency: Phishing emails often try to get users to take action rapidly, before they can spot the clues that the message is fraudulent.
Desktop antivirus and anti-malware solutions can also help stop phishing attacks. These tools can identify phishing emails, spot virus-infused attachments, and block users from accessing suspicious websites.
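The three clues above can be checked mechanically before a message reaches a user. The following is an added example, not code from the original article or from CSS or Cloudticity: it parses a constructed sample message and reports a sender domain outside an assumed trusted list, links whose visible URL differs from the real target (what hovering would reveal), and urgency wording. The trusted-domain list and urgency word list are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (invented headers and body, not a real phishing email).
# Note the look-alike sender domain and the link whose text and target differ.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: nurse@example-corp.com
Subject: URGENT: re-enter your password within 24 hours
Content-Type: text/html

<html><body>
<p>Your account will be suspended within 24 hours.</p>
<a href="http://login.examp1e-corp.com/reset">https://portal.example-corp.com</a>
</body></html>
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organization's own domains
URGENCY_WORDS = {"urgent", "immediately", "suspended", "within 24 hours", "act now"}
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_domain(msg):
    """Domain of the address in the From header (the 'from' field clue)."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()

def link_mismatches(html):
    """(real_host, shown_host) pairs where the visible URL differs from the href target."""
    out = []
    for href, text in HREF_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        text = text.strip()
        shown_host = urlparse(text).hostname if text.startswith("http") else None
        if shown_host and shown_host != href_host:
            out.append((href_host, shown_host))
    return out

def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no clue fired."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    dom = sender_domain(msg)
    if dom not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {dom!r} is not a trusted domain")
    for href_host, shown in link_mismatches(body):
        findings.append(f"link text shows {shown!r} but points to {href_host!r}")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in text)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```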
2. Social Engineering: The Human Factor
Email phishing is a type of “social engineering” attack. Social engineering is the tactic of manipulating a user into taking an action that somehow benefits the cybercriminal.
Explanation of social engineering tactics
Attackers can employ social engineering tactics through a variety of channels, including email, traditional postal mail, text messaging, phone calls, and social media platforms. In most cases, attackers use some form of deception. The communication purports to be from a legitimate source—like a bank, a friend, a software company, an e-commerce retailer, or the Internal Revenue Service. And the message exhorts the individual to do something, such as clicking on a link, downloading an attachment, or providing credit card information by phone.
As with email phishing, clicking on a link from a text might take a user to a spoofed website—a site that looks legitimate but is actually created for the sole purpose of the attack. The individual might be asked to provide login information, which is then stolen and used by attackers. Downloading an attachment could execute a virus on the user’s computer, which could ultimately spread to other connected systems.
Strategies for identifying and preventing social engineering attempts
Most of the same strategies for identifying and preventing phishing apply to other social engineering threats. In particular, enterprise employees should be taught best practices for identifying suspicious communications. For example, if an employee receives a text that purports to be from a manager, asking them to click on a link or take some urgent action, the employee should be wary—especially if the employee does not typically receive texts from that manager and does not recognize the phone number.
3. Data Ingestion Pipelines
How data ingestion pipelines are used
Data ingestion pipelines are workflows that organizations leverage to collect, ingest, and distribute data from a multitude of places such as customers, partners, and public sources. In many cases, the data is stored in cloud-based storage services like Amazon S3 or on-premises.
How data ingestion pipelines become attack vectors
Data ingestion pipelines become attack vectors when malicious files are ingested and then opened or executed somewhere downstream. For example, digital patient portal software gives a patient the opportunity, knowingly or not, to upload a malicious file to the attachments section. That file lands in the organization’s data storage repository, where a blood lab technician later opens it for review. Upon opening the file for analysis, the ransomware detonates.
How to prevent infiltration
Organizations should validate the security of all the data they ingest from third parties. To do this, organizations can implement inline malware detection in their data ingestion pipelines, which automatically scans files for malware before they are uploaded into storage. This prevents malicious payloads from reaching an organization’s employees or downstream applications, where they could execute and cause infection.
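A minimal inline gate of the kind described above, written as an added example rather than code from the article or from any vendor it names: before an uploaded attachment is written to storage, the gate checks that the file extension is on an allow-list, that the leading bytes match what that extension should contain (a “PDF” that begins with an executable header is rejected), and that a zip-based Office document carries no VBA macro project. The allow-list, magic bytes and the `build_docx` test fixture are assumptions constructed for the example.

```python
import io
import zipfile

# Assumption: the portal accepts only PDF and .docx attachments.
# Leading bytes each type is expected to start with.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}
EXECUTABLE_MAGIC = {b"MZ": "Windows executable", b"\x7fELF": "ELF executable"}

def has_vba_macro(data):
    """OOXML documents are zip archives; a VBA project is stored as word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def gate_upload(filename, data):
    """Return (allowed, reason). Meant to run before the object reaches storage."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not on the allow-list"
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"{ext} file is actually a {label}"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match {ext} signature"
    if MAGIC[ext] == b"PK\x03\x04" and has_vba_macro(data):
        return False, "document carries a VBA macro project"
    return True, "clean"

def build_docx(with_macro):
    """Constructed minimal zip archive shaped like an OOXML file, for testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

A real deployment would add a signature or sandbox scanner behind these structural checks; the gate shows where in the pipeline that decision belongs.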
4. Drive-By Downloads and Compromised Websites
While social engineering tactics try to trick users into clicking on a link or opening an attachment, drive-by downloads rely less on users making unfortunate decisions.
How drive-by downloads work
A drive-by download occurs when a user unintentionally—and sometimes unknowingly—downloads malicious software. The download might begin when a user visits a compromised website or uses an app that is infected or controlled by an attacker. These attacks are particularly dangerous because they can succeed without a user having any knowledge of them.
Once the software is downloaded, it can execute ransomware or another type of virus. If the user’s computer is connected to the enterprise network, the ransomware can spread to mission-critical systems and sensitive data.
How attackers compromise websites
Attackers might create websites whose primary purpose is to deliver drive-by downloads. They could entice users to visit those sites using social engineering tactics, or they could create websites whose URLs vary only slightly from legitimate sites.
Attackers could also compromise authentic sites. They might find and exploit vulnerabilities in content management system (CMS) software, server operating systems, or web applications. If they access a website, they could replace existing downloads with ransomware or add links that initiate downloads of malicious code.
Best practices to avoid drive-by downloads
User education is again key for avoiding an attack. Users should avoid downloading software from unknown sites, visiting suspicious websites, and clicking on links within pop-up ads. Users and IT groups (if devices are managed by the enterprise) should also keep software and operating systems up to date to reduce the likelihood that ransomware or other viruses can do damage. In addition, desktop antivirus software can help identify and eliminate ransomware.
5. Remote Desktop Protocol (RDP) Exploitation
Attackers can also deliver ransomware by impersonating employees through remote desktop protocol (RDP) logins and then implanting the ransomware directly on company computers.
Overview of RDP and its purpose
RDP is a widely used protocol for accessing a desktop computer remotely. Using RDP, a remote employee could use a local device (like a personal desktop, laptop, or tablet) to connect to a geographically distant computer (like a desktop system in the corporate office). The employee could use applications and move files just as if they were sitting at the remote computer.
Techniques used by attackers to gain RDP access
Attackers can exploit RDP in a few ways. If they gain access to a user’s credentials for one application (for example, through a data breach), they can try to apply those same credentials to the RDP login. Since users often employ the same password for multiple applications, the attackers might have success. The cybercriminals could also conduct a brute force attack, essentially trying numerous passwords until hitting on the correct one.
Alternatively, attackers could attempt an on-path (or “man-in-the-middle”) attack, in which they try to intercept network traffic between the authorized user and a server. If they succeed in intercepting user credentials, attackers can gain access to the remote desktop and potentially have free rein within the corporate network.
Mitigation measures for securing RDP connections
Organizations can secure RDP connections in several ways. For example, they can employ multi-factor authentication (MFA), which requires employees to authenticate themselves using more than just a username and password. Organizations can also enforce the use of strong, unique passwords for remote desktop logins. To protect against on-path attacks or other network intrusions, they can configure firewalls to allow RDP traffic only from the devices used by employees.
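The brute-force and credential-reuse paths described above leave a trace in the Windows Security log: repeated failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, sometimes followed by a success (event 4624). The detection below is an added example, not code from the article or from CSS or Cloudticity; it runs over constructed events, flags any source with at least five RDP failures inside a five-minute window, lists the accounts tried (one account hammered versus many accounts sprayed), and notes whether that source later logged in successfully. The threshold, window and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events shaped like Windows Security log fields:
# (time, EventID, LogonType, TargetUserName, IpAddress). All values are invented.
EVENTS = [
    # six RDP failures in 30 s from one source, then a success for the same account
    *[("2024-03-01T02:00:%02d" % s, 4625, 10, "jsmith", "203.0.113.7") for s in (1, 6, 11, 16, 21, 26)],
    ("2024-03-01T02:00:40", 4624, 10, "jsmith", "203.0.113.7"),
    # a network-logon failure (type 3) from the same source: not RDP, so ignored here
    ("2024-03-01T02:00:50", 4625, 3, "jsmith", "203.0.113.7"),
    # two failures only: below the threshold
    ("2024-03-01T02:30:00", 4625, 10, "mlee", "198.51.100.4"),
    ("2024-03-01T02:31:00", 4625, 10, "mlee", "198.51.100.4"),
    # one failure per account across five accounts in four minutes: password spraying
    *[("2024-03-01T03:%02d:00" % m, 4625, 10, u, "192.0.2.9")
      for m, u in zip(range(10, 15), ("alice", "bob", "carol", "dave", "erin"))],
]

FAIL_THRESHOLD = 5            # assumption: tune to the environment's baseline
WINDOW = timedelta(minutes=5)

def rdp_bruteforce_alerts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One alert per source IP whose RDP failures reach the threshold within the window."""
    fails, successes = defaultdict(list), defaultdict(list)
    for time, event_id, logon_type, user, src in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons are of interest
            continue
        bucket = fails if event_id == 4625 else successes
        bucket[src].append((datetime.fromisoformat(time), user))
    alerts = []
    for src, attempts in fails.items():
        for i in range(len(attempts)):
            j = i  # grow the window from attempt i as far as it fits
            while j + 1 < len(attempts) and attempts[j + 1][0] - attempts[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                last = attempts[j][0]
                alerts.append({
                    "src": src,
                    "failures": j - i + 1,
                    "users": sorted({u for _, u in attempts[i:j + 1]}),
                    # a success after the burst is the signal to escalate
                    "success_after": sorted({u for t, u in successes[src] if t >= last}),
                })
                break
    return alerts
```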
6. Exploit Kits: Automated Malware Delivery
Exploit kits are automated threats that use compromised websites or applications to deliver ransomware to user devices.
How exploit kits work and common vulnerabilities
Exploit kit attacks typically begin with a compromised website. When a user visits the website, the site diverts traffic to another page created by attackers. That page runs code that probes the user’s device for vulnerable browser software, such as the browser itself or a plug-in like Adobe Flash Player. If a vulnerability is found, the exploit uses the vulnerable application to run ransomware (or other malware) on the device.
Mitigation measures against exploit kit attacks
Users must be educated about social engineering schemes so they can avoid clicking on links that take them to compromised sites. But users and IT teams must also keep systems patched and updated to address software vulnerabilities. Desktop antivirus software can help block known malware and exploits. Intrusion prevention and intrusion detection systems can also help stop attacks by scanning for and blocking known attack scripts.
7. Watering Hole Attacks: Targeted Strikes
Watering hole attacks target websites, apps, or services used by a large number of users in an organization. The attacks then exploit vulnerabilities to deliver ransomware or other malware to users.
How watering hole attacks work
Cybercriminals prepare for watering hole attacks by first determining where users frequently congregate. Attackers might use search engine data, spyware, social engineering tools, or other tactics to gather intelligence and plan the attack. They then analyze sites, apps, and services for vulnerabilities that they can exploit.
If attackers home in on a particular website, they might attempt to compromise the site by injecting it with malicious HTML or JavaScript code. That code would redirect users to another site, controlled by attackers, which would then deliver ransomware to users’ systems.
Recommendations for defense
Raising awareness about watering hole attacks can help users recognize potential issues if, for example, they are suddenly redirected from one website to another. Keeping systems and software up to date, and employing desktop antivirus software, can also help reduce the damage caused by ransomware. Organizations should also monitor network and web traffic to identify abnormalities or malicious activity. Using a virtual private network (VPN) or Zero Trust network access solution can also help organizations prevent users from accessing compromised websites.
8. Supply Chain Attacks
A supply chain attack uses third-party tools, services or even data to infect a targeted organization’s network with ransomware. Large healthcare organizations that have numerous external partners could be at particular risk for this type of attack.
How supply chain attacks work
Attackers first gain access to a system or application used by a “third party”—an organization that serves as a partner or supplier for the ultimate target. The third-party organization might be a software vendor, cloud service provider, or any other partner that supplies something to the target business. Attackers might steal credentials or exploit a software or configuration vulnerability to gain the access they need. They could also upload a file containing a ransomware payload into a cloud storage location that they know downstream users will read from.
Once attackers have infiltrated the third-party organization, they can implant ransomware in software or a service that the third party supplies to the target organization. When the target organization starts using the infected software, service, or file, it too is infected with ransomware. If attackers infect software that a vendor supplies to enterprises, that ransomware could spread to all the vendor’s customers.
Best practices for preventing supply chain attacks
Organizations can reduce the risk of a supply chain attack by regularly auditing suppliers and thoroughly testing software and services prior to deployment. They should also scan all incoming supply chain data for malicious code. Larger initiatives, such as adopting a Zero Trust approach to security, can help ensure that no apps, services, or people are trusted by default.
In the healthcare industry, organizations might also require their suppliers and partners to become HITRUST certified. HITRUST certification provides the assurance that these third-party organizations have controls in place to protect their own organizations from attacks. Consequently, they are less likely to spread ransomware.
Evolving Delivery Methods
Ransomware delivery methods are constantly evolving. Attackers are eager to use new technologies and techniques to evade the latest defenses. Many are already adopting generative AI tools to write more convincing phishing emails. Some are also capitalizing on Ransomware-as-a-Service offerings to create new strains of ransomware while eliminating the need for coding.
Organizations must stay well informed of trends. In many cases, working with outside security experts can help ensure that in-house teams stay up to date with trends and emerging threats.
Ransomware Prevention and Response
Healthcare organizations continue to be a top target for ransomware attacks. Cybercriminals know that providers, payers, and other healthcare organizations under attack will feel great pressure to end operational disruptions and restore access to sensitive data, even if that means paying ransoms.
Given the diverse array of ransomware delivery methods, healthcare organizations will need to take a comprehensive approach to ransomware prevention and recovery. Defense in depth, i.e., applying security controls at every layer, can significantly reduce your risk of a successful ransomware attack.
Cloud Storage Security (CSS) is a leading provider of data security solutions for organizations that operate within the cloud. Through antivirus and data loss prevention, CSS enables organizations to prevent ransomware incidents, data breaches, and other similar incidents. Contact us to learn more.
Cloudticity is a digital enablement partner for healthcare organizations generating measurable business and clinical outcomes by unlocking the cloud’s full potential. Through advanced automation and deep cloud expertise, Cloudticity empowers healthcare organizations to create, scale, and deliver next-gen healthcare solutions that are resilient and secure.
For more information on ransomware delivery methods, check out CSS and Cloudticity’s joint webinar Ransomware Challenges in Healthcare.
This article originally appeared on Cloudticity's blog.