Last Friday, Brno’s University Hospital in the Czech Republic, which is also a testing center for the coronavirus, faced a ransomware attack that paralyzed its computers. The hospital followed standard procedures and notified the Czech National Cyber and Information Security Agency to assist with the investigation, and our Threat Labs offered help, supporting the hospital by analyzing the malware.
Hospitals are not necessarily more susceptible to ransomware attacks. However, an attack can have severely detrimental consequences for them, such as the loss of patient records, and treatment delays or cancellations. As hospitals perform critical operations and hold vital patient information, they are more likely than other organizations to pay the ransom, which makes them attractive targets for threat actors.
Statements from ransomware operators saying they will not target hospitals during the pandemic absurdly cast cybercriminals as philanthropists; more likely, they are simply avoiding the heat that antivirus companies are giving to anyone attacking emergency services.
How hospitals can make themselves more resilient to ransomware attacks
There are steps hospitals can take to strengthen their defenses, protecting their systems, customer data, and operations.
Keeping software up-to-date
In May 2017, the WannaCry ransomware strain attacked millions of computers across the world, successfully infecting devices by abusing a vulnerability for which Microsoft had issued a patch two months prior to the mass attack. Millions of people and businesses didn’t apply the update, which would have protected them from a WannaCry infection. Hospitals were also hit by the ransomware.
It’s absolutely crucial to keep all software and operating systems up-to-date at all times. Microsoft continuously issues emergency patches. Most recently, Microsoft released an emergency patch for a critical Windows 10 vulnerability dubbed “EternalDarkness”, a wormable vulnerability that affects the SMB protocol, which is used to share files, and is the same protocol exploited to spread WannaCry three years ago. Microsoft has urged users to take action immediately to apply the update, and healthcare institutions should take this call to action seriously.
Hospitals should try to suspend all services available directly from the internet. IT admins should consider strict application whitelisting for executable files, so that only known and trusted applications can be run on hospital computers.
Digital hygiene training
Just as hospitals train their staff in hygiene best practices, employees should also receive regular training and guidance around digital hygiene. Hospital staff should be made aware of current scams and tactics, as email remains one of the most popular delivery methods for cybercriminals. Employees should be wary of emails from unknown senders, and should especially avoid clicking on any links or downloading any attachments unless they’re 100% sure they’re genuine.
Regular backup of all important data
If files are backed up, ransomware loses much of its power, as the systems can be restored and data can be recovered. Important documents, including patient records, should be backed up regularly, to ensure hospitals always have a clean version of their files, should they become encrypted. It’s best to save data both in the cloud and on physical storage, just in case. Additionally, keeping a single master image with all default settings is useful when a PC needs to be restored to a known good state.
Steps to take in case of ransomware infection
Unfortunately, things can happen, and it’s therefore important to know what to do if the worst happens.
Step 1: Immediately isolating infected devices
The first thing to do if a Windows PC is attacked by ransomware is to find and disconnect all the infected wired and wireless computers and other devices on the network. This will stop the ransomware from spreading and taking more computers, tablets, and/or smartphones hostage.
During this procedure, victims should also disconnect everything attached to the devices on the network, including external storage.
To complete this step, victims should check whether any external storage or other peripherals were connected to the infected PC. If so, those systems should be checked for ransom messages as well.
Step 2: Collecting logs and making a forensic image
Once the machine is isolated and cannot do further harm to its network surroundings, a forensic image of the live system should be made for follow-up analysis. This will preserve logs and events, and will greatly improve a response team’s ability to figure out where the attack came from and how it behaved.
Step 3: Identifying the type of ransomware attack
Next, victims should find out which strain of ransomware they are dealing with. This knowledge could help find a fix. To help determine the type of ransomware on a machine, we recommend using No More Ransom’s Crypto Sheriff. Provided by Europol’s European Cybercrime Center, this handy tool checks files the attacker has encrypted and the ransom note. If Crypto Sheriff recognizes the encryption and has a solution, it offers a link to download the decryption program needed. PC troubleshooting and tech support forums can also be searched to find information about the ransomware variant that needs to be removed. Even if it’s new, there might be a thread that offers a fix, or a thread where forum members are working towards a solution.
Some ransomware infections will rename files and file extensions (for example: .exe, .docx, .dll) after encrypting them. When visiting tech forums for help, users can search for the names and extensions of the encrypted files; each can help guide to discussions about the strain of ransomware that needs to be removed.
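The extension hunt described above can be automated for a first triage pass. The script below is an added example (not Avast’s tooling or Crypto Sheriff): it walks a directory tree, counts file extensions so the responder knows which appended extension to look up, and flags files whose leading bytes have near-random entropy, which is how encrypted content looks. The sample tree it builds, the `.locked` extension and the entropy threshold are constructed assumptions for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are compressed or random-looking by design; they score high on
# entropy even when untouched (short illustrative allow-list, not authoritative).
HIGH_ENTROPY_NORMAL = {".zip", ".png", ".jpg", ".gz", ".7z", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 means effectively random (encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root, sample_bytes=4096, threshold=7.5):
    """Return (extension_counter, suspicious_files) for every file under root.

    The extension counter tells the responder which (possibly appended)
    extensions to search for in Crypto Sheriff or forum threads; suspicious
    files are those whose first bytes look encrypted, excluding formats that
    are random-looking anyway. Threshold 7.5 bits/byte is an assumption.
    """
    ext_counts, suspicious = Counter(), []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        ext_counts[ext] += 1
        if ext in HIGH_ENTROPY_NORMAL:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if len(head) >= 256 and shannon_entropy(head) >= threshold:
            suspicious.append(str(path))
    return ext_counts, sorted(suspicious)


def build_sample_tree() -> str:
    """Constructed sample: two intact files plus three files whose content was
    replaced by random bytes and renamed with a made-up '.locked' extension."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    (root / "notes.txt").write_bytes(b"Patient intake checklist\n" * 40)
    (root / "report.docx").write_bytes(b"lorem ipsum " * 100)
    (root / "records").mkdir()
    for name in ("a.pdf.locked", "b.docx.locked", "c.xlsx.locked"):
        (root / "records" / name).write_bytes(os.urandom(4096))
    return str(root)


if __name__ == "__main__":
    exts, flagged = triage_tree(build_sample_tree())
    print("extension counts:", exts.most_common())
    print("likely encrypted:", flagged)
```

On a real machine, run `triage_tree` against a copy of the affected share rather than the live host, and take the dominant unfamiliar extension to Crypto Sheriff or the forums.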
These forums are useful sources of additional information:
Step 4: Removing ransomware
It’s important to get rid of the underlying malware that’s holding a PC hostage. There are ransomware removal options for Windows 10, 8, and 7:
- Check if the ransomware has deleted itself (which it often will)
- Remove it with an antivirus solution, like Avast Antivirus
- Remove the malicious program manually
- Reinstall the system from an image
Affected people and IT administrators will find more detailed steps in our step-by-step guide here.
While we are all trying to protect ourselves from the virus, it’s important we continue to protect our devices from cyber viruses. At Avast, we are committed to stopping these threats and we remain vigilant as the situation evolves.
Keep safe, everyone!