400 Hospitals shut down by ransomware

Universal Health Services was shut down by ransomware on September 27th, affecting more than 90,000 employees operating 26 acute care hospitals, 328 behavioral health inpatient facilities, and 42 outpatient facilities. DURING. A. PANDEMIC.

While the full shutdown of their American network is significant, UHS claims it did not impact patient care. Systems were restored as of October 5th as IT teams took the standard remediation steps: first disconnecting the network to stop the spread, then restoring from backups. In the meantime staff worked with paper records that would have to be entered into the systems later. Overall, Universal Health handled the situation competently.

History of Ransomware

Ransomware hit the mainstream in 2013 with Cryptolocker. The problem has only gotten worse over the last 7 years as copycats have come for their piece of the pie. Antivirus vendors have had 7 years to respond to a clearly worsening situation but have not solved the problem.

The modus operandi hasn’t changed much: you receive an email with an attachment, you click on it (accidentally), and your files are encrypted. The ransomware may be caught mid-process if your antivirus has a signature for it, but you’ll still have some encrypted files. Antivirus vendors often focus on educating users about avoiding unverified links or email attachments instead of coding ransomware protection.

Options

The many organizations compromised annually by ransomware no doubt have antivirus. Antivirus seems to be a lost cause at this point. The best solution is preventing anyone from running anything other than an approved list of software.

Bombs

Root DNS servers were DDoS’d for over a day in 2007, significantly impairing the internet worldwide. The Cybersecurity & Infrastructure Security Agency is prepared, based on the authority of the president, to launch a cyber counterattack or an actual bombing of an attack source. But at what point does the USA start bombing? Can we pre-emptively attack ransomware?

Pre-Approved Applications

Seriously, bombs sound cool but aren’t the right option. We need to implement application approvals. Start by developing a list of all applications used by each business group: Group, AD Group, App Name, Install path, Version, Publisher signature, File hash. This list forms the foundation of your rules.

Microsoft's AppLocker is an enterprise feature that allows administrators to approve specific applications and file types for general execution by users in the environment. This control helps IT staff protect users from accidentally running a malicious program. Creating a list of approved applications eliminates the need for antivirus. Computers cannot run anything that isn’t explicitly allowed. Not only does this prevent viruses from running, but it keeps systems lean and efficient.

Software can be inventoried and standardized across the organization, eliminating illegal software and other bloat. Helpdesk and sysadmins will greatly appreciate this effort, though some organizations might be nervous to see what’s actually running in their environment. Fortunately there’s an audit mode that logs what is used without restricting it, so you can fine-tune your rules. Obviously there will be issues with software that has legitimate uses (think Zoom, Slack, etc.) that users download and install independently. Hopefully you caught these one-offs while in audit mode. Once you switch to restrict mode you become immune to virtually all viruses.
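To show the whole procedure end to end (the inventory list from the "Pre-Approved Applications" section, rule generation, audit mode, and then reviewing what audit mode logged), here is an added PowerShell example. It is not code from the original post or from Microsoft; it uses the stock AppLocker cmdlets (Get-AppLockerFileInformation, New-AppLockerPolicy, Set-AppLockerPolicy) and the AppLocker event log. The business group name, AD group name, scan roots and output paths are placeholders you would replace with your own.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on a
# Windows edition that ships AppLocker (Enterprise/Server) with the AppLocker module.
# $BusinessGroup, $AdGroup, $ScanRoots and the output paths are placeholders.

$BusinessGroup = 'Finance'                          # placeholder business group
$AdGroup       = 'CONTOSO\Finance-Users'            # placeholder AD group that gets the rules
$ScanRoots     = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
$Inventory     = 'C:\AppLocker\inventory.csv'       # placeholder output paths
$PolicyXml     = 'C:\AppLocker\audit-policy.xml'
New-Item -ItemType Directory -Path (Split-Path $Inventory) -Force | Out-Null

# 1. Inventory with the columns the post lists:
#    Group, AD Group, App Name, Install path, Version, Publisher signature, File hash.
$rows = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Group       = $BusinessGroup
            ADGroup     = $AdGroup
            AppName     = $_.Name
            InstallPath = $_.FullName
            Version     = $_.VersionInfo.FileVersion
            Publisher   = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { 'UNSIGNED' }
            FileHash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}
$rows | Export-Csv -Path $Inventory -NoTypeInformation

# 2. Rules: publisher rules where the binary is signed, hash rules for everything else.
#    A hash rule breaks on the next vendor update, which is the cost of unsigned software.
$fileInfo = foreach ($root in $ScanRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe
}
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
              -User $AdGroup -RuleNamePrefix $BusinessGroup -Optimize

# 3. Audit mode first: AppLocker logs what it would have blocked but blocks nothing.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Out-File -FilePath $PolicyXml -Encoding utf8
Set-AppLockerPolicy -XmlPolicy $PolicyXml          # local policy; add -Ldap to target a GPO

# 4. Review the audit log. Event 8003 is "would have been blocked" while in AuditOnly;
#    each distinct file here is a one-off that needs a rule before switching to enforce.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8003 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUser; File = $data.FilePath }
    } |
    Sort-Object File -Unique
```

Leave the policy in AuditOnly for a full business cycle (month-end, quarter-end) so the 8003 events capture the occasional tools as well as the daily ones; the Application Identity service (AppIDSvc) must be running for AppLocker to evaluate or log anything. When the audit review comes back clean, change EnforcementMode to 'Enabled' and re-apply the same XML; from then on event 8004 records actual blocks, which is the signal a helpdesk queue should watch.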