In light of the surge of ransomware attacks in the healthcare sector this year, organizations urgently need to take specific data backup steps and other precautions, risk management expert John Pironti stresses.
“Backups need to be kept in such a way that they are not easily accessed by ransomware tools that actually seek them out now,” says Pironti, a security risk adviser at ISACA, an independent, not-for-profit association that develops industry practices and guidance to manage, secure and govern information systems. Newer generation ransomware looks for synchronized backups, he points out in an interview with Information Security Media Group.
“Adversaries will actually implant the ransomware tools and codes into the systems for a long window of time, at least 90 days, to follow standard IT cycles … so they can ensure that their code is installed in all the backups and all the systems, so that at the time of restoration, they can re-attack those systems,” he warns.
When backing up mission-critical data, healthcare organizations must first check the integrity of the data, ensuring that it has not already been corrupted by intruders, Pironti points out.
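One way to make that integrity check concrete, as an added example that is not from the interview or from ISACA: a Python script that compares a backup set against a SHA-256 manifest recorded when the backup was written and kept offline, and refuses restoration if any file is missing, unexpected, or changed (also reporting whether changed content has the high byte entropy typical of encryption). The manifest layout, the sample records and the tampered backup are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(manifest: dict, backup: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a backup set against an offline manifest of expected hashes.
    manifest: {path: expected_sha256}; backup: {path: file_bytes}.
    Returns a per-path verdict: 'ok', 'modified', 'missing' or 'unexpected';
    'modified' entries also say whether the new content looks encrypted."""
    report = {}
    for path, expected in manifest.items():
        data = backup.get(path)
        if data is None:
            report[path] = {"status": "missing"}
        elif sha256_bytes(data) == expected:
            report[path] = {"status": "ok"}
        else:
            report[path] = {"status": "modified",
                            "looks_encrypted": shannon_entropy(data) >= entropy_threshold}
    for path in backup:
        if path not in manifest:
            report[path] = {"status": "unexpected"}  # file not present at backup time
    return report

def safe_to_restore(report: dict) -> bool:
    """Only restore when every manifest entry is present and unchanged."""
    return all(v["status"] == "ok" for v in report.values())

# Constructed sample: manifest recorded when the backup was taken, stored offline.
GOOD_RECORD = b"patient_id=1001;visit=2016-03-01;note=routine follow-up\n" * 8
OTHER_RECORD = b"patient_id=1002;visit=2016-03-02\n"
MANIFEST = {"records/1001.txt": sha256_bytes(GOOD_RECORD),
            "records/1002.txt": sha256_bytes(OTHER_RECORD)}
# Constructed sample: a tampered backup in which one record was overwritten with
# deterministic high-entropy bytes, one is missing and a stray note appeared.
SCRAMBLED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
TAMPERED_BACKUP = {"records/1001.txt": SCRAMBLED, "recover.txt": b"your files are encrypted"}
```

Run `verify_backup(MANIFEST, TAMPERED_BACKUP)` to see the tampered set rejected, and compare it with a clean set built from the same manifest.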
When organizations are hit by a ransomware attack, they should “quickly fingerprint the type of code or data that was used, and have good logs and visibility systems that can monitor and look around at other systems,” he advises. “Once I understand what the bad code … [and] behavior looks like, I can quickly start looking where else I may see the code trying to turn itself on. … I can then quickly try to filter out different network segments, different data elements – essentially putting up blocks and gates to limit the sprawl or distribution factor so that it can no longer take action.”
Those affected systems should then be brought to offline status and quarantined as quickly as possible so that their backups and other systems being used to synchronize data are not impacted, he says.
While law enforcement typically advises against paying extortionists in ransomware attacks, the decision to pay needs to be based on “defendable analysis and not emotion,” he stresses. “This becomes more of a risk management conversation than a security conversation,” he adds.
He says organizations need to ask themselves: “What are the business impacts of not paying?” That includes the total cost of recovery. If attackers have encrypted data, and backups are inadequate, that could impede the ability to provide quality care, he notes, which, in some cases, could make paying the ransom the only viable option.
Ransomware victims also must consider, however, that maliciously encrypted data may not be unlocked by attackers even after a ransom is paid, he notes.
In those cases where an organization makes the decision to pay a ransom, it should immediately alert law enforcement, he says. Plus, organizations should consider paying only a very small amount of the requested ransom at first.
“In some cases, what we’ve found is that this is an automated process. The server [of the extortionists] understands that a bitcoin has been received into an account … uniquely identified back to the organization targeted. If there’s no human in the middle, they may have set up the code to detect that a bitcoin was received and so go ahead and start releasing the [de-encryption] key.”
In the interview, Pironti also discusses:
In addition to his role at ISACA, Pironti is president of IP Architects, an enterprise risk management consulting firm. Previously, Pironti was chief information risk strategist at Archer Technologies and CompuCom, and a principal enterprise solutions architect and principal security consultant for Unisys Inc. He has also held technical and management positions at AT&T and Genuity Inc.