December 04, 2017 - Having the necessary and applicable data security tools in place, along with comprehensive employee education, are critical for ransomware attack prevention measures. Organizations of all sizes need to be aware of the potential threats and be willing to invest in options that will help keep sensitive data secure.
Ohio-based Wood County Hospital averted a potentially widespread ransomware attack by detecting the issue with the help of its managed security services provider (MSSP) two weeks before it surfaced.
CIO Joanne White said the organization had been wanting to increase its security by adding network traffic analytics.
Wood County Hospital has 19 clinics it supports, White explained to HealthITSecurity.com. There are 16 people in IT who supports all of those locations. Wood County utilizes Cerner for its hospital EMR and NextGen in the clinics, she added.
The ransomware incident took place in September 2016, which is when an employee received a popup message that said files had been encrypted and that Wood County had 72 hours to pay.
“We had been doing a proof of concept with ExtraHop,” White recalled, adding that preconfigured reports and dashboards were already prebuilt with ExtraHop. “We had done a proof of concept, collecting data, and we were looking at things for the new fiscal year. It was still collecting data in the background, but we hadn't looked at it since ExtraHop had done a call with us to review the details of our testing period.”
White added that Wood County immediately contacted ExtraHop after the ransomware was first discovered, asking if Wood County could access the reports in the system to determine what was happening.
“The first thing we saw was one PC that was sending pings all over our entire network,” White said. “It was just flooding our internal network, so we focused on that machine. The first thing we did was we pulled it off the network. Then we brought it over into IT and we looked through the others.”
Wood County dug into the ExtraHop logs to see the anomalies, she continued. The organization also uses Veriato 360 to view keystrokes.
“From the logs that we were able to locate through ExtraHop, we saw the timestamp on the ransomware file,” White explained. “We looked at [Veriato 360] for that timeframe and we were able to pinpoint exactly where the ransomware came in the system.”
“It was a nurse in behavioral health who had clicked on a website that she goes to on a frequent basis for her job,” she continued. “It was at the minute she clicked on a link in their website that the ransomware entered our system.”
Wood County was able to isolate the device from the main network, along with terminal services that the computer had connected to. White added that Wood County ran scans and continued to work with ExtraHop to ensure that the ransomware did not spread.
“We found 47 instances of the infected directory that could not propagate due to no admin rights,” White stated. “We had 47 executables waiting to take off. Can you imagine how we were feeling at that point, knowing what a disaster it could have been?”
“At that point we reimaged the PC,” White added. “We reimaged the server. We deleted [the employee’s] user profile, and of course deleted her user directory. We created new ones and we set up scans and alerts in ExtraHop.”
The ransomware was a new strain called CryptFile2. The message stated that decrypting the Wood County files was only possible with the necessary private key and decrypt program, which was on a “Secret Server.”
“So, there are two ways you can choose: wait for a miracle and get your price doubled, or start send email now for more specific instructions! , and restore your data easy way,” read the message, a copy of which was given to HealthITSecurity.com. “If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment.”
Since implementing ExtraHop, White explained that real-time alerts are extremely helpful in determining potential issues.
“One day we got an alert that a user in support service was accessing the files that were known to be a security risk,” she said. “We found out that a new employee was trying to access some really old files. But they had been files where the extensions had been renamed, and that set off the flags. The files were fine, but we've gotten a number of alerts since then. We can follow up on them quickly.”
There is no way to ensure 100 percent that no cybersecurity issues will ever happen, White stressed. But there are ways to work on keeping your systems as secure as possible, and implement an applicable recovery plan.
“As soon as they find a way to stop it, someone thinks of another way to get in or infect your system,” she maintained. “But at least now I feel like we'll get alerted and be able to react promptly. You're reading a lot of reports right now on people who are finding that they had this in their system for years. Or people will find that it spreads throughout their network and cripples their system.”
Wood County has firewalls, antivirus software, URL filtering, and sandboxing, White said. It also utilizes email filtering, encryption, and a SIEM log management for vulnerability scans.
“We have quite a few things in place, but there is always the possibility of a perfect storm,” she stated. “We do a lot of end user education here. We're also much more keenly aware of our patch management. We have vulnerability assessments that we do every month.”
White added that Wood County is very lucky to have a CEO who understood the importance of what happened and why it was so necessary to make the investment in ExtraHop.
“He let us purchase it immediately,” she said. “He didn’t make us wade through the budget.”
Since the ransomware incident, White added that Wood County has stepped up its security. Email reminders are sent out to employees with real-time examples. Staff members were informed that a vulnerability had been detected that was instigated by a user clicking on a link on a website.
Educating employees on the importance of being aware of potential phishing scams or ransomware attacks is essential, she stressed, and is an important part of security training.
“I am just very grateful that we were able to stop it, and we had thought about security before,” she concluded. “I'm really grateful that we had that insight into the network – internal network that could help us find it so quickly and react to it. Otherwise I felt like we were sitting on a ticking time bomb. I hope I don't have to go through that again.”