[Editor’s Note: During 2016, healthcare experienced a dramatic increase in virulent ransomware attacks. Please also see the more comprehensive list of security controls in the post Preventing and Mitigating Ransomware Attacks, posted 10/4/2016.]

A nasty piece of ransomware, CryptoLocker, has caught yet another victim. A small law firm in North Carolina admitted to losing its entire cache of legal documents to the CryptoLocker Trojan. According to a TV report, the malware was custom-designed to look like an email attachment from the firm’s phone system.

Eagle Consulting Partners knows of health clinics that have had data destroyed by this same malware.

CryptoLocker (and a variant, CryptoLocker 2.0) encrypts certain types of files, including Microsoft Office documents, OpenDocument files, media files, and certain other file types. Since last September, CryptoLocker’s creators have made an estimated $30 million in ransom money from businesses that have paid to regain access to their own files.

There is some minimal comfort in that CryptoLocker is not known to attack SQL and other databases that contain mission-critical data. However, an attack can still spread across a network quickly, resulting in unanticipated system downtime and requiring potentially costly mitigation to repair.

A thorough and professional computer security risk analysis will clearly identify the risk of data destruction that this and other types of malware can cause. According to the McAfee Labs Threat Report, more than 312,000 unique samples of ransomware appeared in the third quarter of 2013, so the threat is very real.

Eagle recommends both proactive and reactive controls to protect against CryptoLocker and other ransomware. First, the proactive steps:

  1. Use multiple backup generations. Backups of system data must include multiple generations. The minimum number recommended is 5, one for each day of the week. More generations are better; for example, save the end-of-week backup for 4 weeks. This is an essential defense, since you may not discover a CryptoLocker attack immediately. If you have only one backup generation, you may destroy your only good backup by overwriting it with unusable, encrypted files.
  2. Isolate your backup. Make sure that your backup is accessible only to privileged users, is isolated on your network, and/or is kept off-line. Otherwise, your backups themselves could be encrypted, since the CryptoLocker malware seeks out local and network resources including shared drives, removable drives, external hard drives, shared file systems, and cloud storage locations.
  3. Implement multi-layered malware controls. Long gone are the days when anti-virus solutions alone were sufficient protection. In addition to using managed anti-malware solutions, build your network with secure configurations of all network devices, use secure configurations for software, run a robust patching program, conduct reputation-based blocking of dangerous websites, and invest in security awareness training for end users.
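The following is an added illustration of steps 1 and 2, not code from the original post or from Eagle Consulting Partners: a hypothetical backup rotation helper that keeps five daily generations plus four end-of-week (Friday) generations, and refuses to retire any older generation when the newest backup contains Office or PDF files whose file headers no longer match their type, which is what an encrypted copy looks like. The file signatures, the sample dates and the sample snapshots are constructed for the example.

```python
from datetime import date, timedelta

DAILY_KEEP = 5    # one generation per working day, the minimum the post recommends
WEEKLY_KEEP = 4   # end-of-week (Friday) generations kept for four weeks

# First bytes a healthy file of each type starts with; an encrypted copy will not
SIGNATURES = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".odt": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0", ".pdf": b"%PDF",
}

def suspicious_files(snapshot):
    """snapshot maps each backed-up path to its first few bytes.
    Returns the paths whose header does not match the expected signature."""
    bad = []
    for path, head in snapshot.items():
        sig = SIGNATURES.get(path[path.rfind("."):].lower())
        if sig and not head.startswith(sig):
            bad.append(path)
    return bad

def generations_to_keep(backup_dates, today):
    """Grandfather-father-son selection: the newest DAILY_KEEP daily backups
    plus the newest WEEKLY_KEEP Friday backups, ignoring any dated after today."""
    dated = sorted(d for d in backup_dates if d <= today)
    keep = set(dated[-DAILY_KEEP:])
    keep.update([d for d in dated if d.weekday() == 4][-WEEKLY_KEEP:])
    return sorted(keep)

def rotate(backup_dates, today, newest_snapshot):
    """Returns (keep, retire, blocked). When the newest backup holds files that
    fail the signature check, nothing is retired: an infection may be under way
    and an older generation may be the last clean copy."""
    if suspicious_files(newest_snapshot):
        return sorted(backup_dates), [], True
    keep = generations_to_keep(backup_dates, today)
    return keep, sorted(set(backup_dates) - set(keep)), False

# Constructed sample data: 30 nightly backups ending Friday 2014-02-14, and two
# snapshots of the newest backup, one healthy and one with a scrambled document.
TODAY = date(2014, 2, 14)
SAMPLE_DATES = [TODAY - timedelta(days=i) for i in range(30)]
GOOD_SNAPSHOT = {"cases/smith.docx": b"PK\x03\x04\x14\x00", "bills/jan.pdf": b"%PDF-1.5"}
BAD_SNAPSHOT = {"cases/smith.docx": b"\x8f\x1a\xc4\x02\x77\x09", "bills/jan.pdf": b"%PDF-1.5"}

if __name__ == "__main__":
    keep, retire, blocked = rotate(SAMPLE_DATES, TODAY, BAD_SNAPSHOT)
    print("rotation blocked" if blocked else f"keep {len(keep)}, retire {len(retire)}")
```

A real rotation job would read the first bytes of each file from the backup target rather than from an in-memory dictionary, but the decision logic is the same.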

Reactive steps include an effective incident response procedure:

  1. If you are hit with CryptoLocker, take immediate steps to isolate the infected computer by turning it off and disconnecting it from your network.
  2. Seek professional help.
  3. Report the incident to law enforcement. (Paying the ransom does not always result in access to encrypted files and may make you an easy target for a future attack.)
