There's a new ransomware variant in town and it may prove more productive for attackers and more problematic for health care security teams. Rather than the 'spray and pray' type attacks we saw in the past, the new twist is focusing on select, high risk targets.


Fewer Targets Work Better

'Spray and pray' ransomware attacks are a volume game. Target a very large audience with a spear phishing scheme and hope to fool a relatively small percentage of people. Encrypt their files and ask for hundreds of bitcoins/dollars to unlock them.

In 'Spray and Pray' attacks, the messages are generic and often designed to trigger an emotion-based response. Take, for example, the recent spate of U.S. emails pretending to be from the IRS or FBI. They look official and convey a fear-inducing message: “You are in big trouble and better respond fast.”

Chances are you've already trained the high-value potential targets in your workplace, and they would be suspicious of an email they get at work from the FBI. Even those of us trained to detect the tell-tale signs (such as hovering over the link and seeing a URL containing .cz) still get a sinking feeling in our stomach when we read the subject line. It only takes a small percentage of people to respond for the attack to be successful, and training doesn't stick with everyone.

The new game in town? Focus on high-value targets. A high-value target has access to high-value data or performs a function that is critical to the business. Encrypt their data and the payout is much higher.


Research and the Well-Designed Email

The cybercriminal designing these attacks will spend more time. They'll profile a company, research the organization and pick a target within a key department. Let's use the example of George in Patient Billing and Payments.

Chances are that George has amassed some considerable data since his last backup and is critical to the cash-flow of his hospital.

They'll spend a little more time and look at LinkedIn. They find that people who searched for George on LinkedIn also visited the profile of Helen at InsurCo, a well-known health insurance carrier. Then they will craft an email that appears to be from Helen and fits well within George's day-to-day context. The email pictured in Figure 1 might be pretty successful.

The example is straight out of the playbook of a Defray attack. Defray emerged in August and has targeted health care organizations with considerable success; its attachment is a 7Zip archive containing a JavaScript file that executes when the archive is opened. The tell-tale signs of a phishing email are still there.

The attachment is an unusual file type. The “From” email address isn't exactly correct (insurco vs insureco). But there is a pretty good likelihood that Helen and George are friendly and that George will want to help her out of a bind.


What Can You Do

These new targeted ransomware attacks like Defray clearly demonstrate that the threat level is ratcheting up for health care companies. Protecting your organization is an imperative. Here are a few things you can focus on to be safe.


Know the Difference Between a Hacker and a Cyber Criminal

The big difference between hackers and cybercriminals is the level of effort and persistence they are willing to invest for the reward. Cybercrime is an industry with criminal organizations run very much like businesses. Hackers can be viewed more like hobbyists. 

Each week, your perimeter defenses, intrusion detection systems (IDS), anti-virus software, etc., likely thwart thousands of hacker-based ransomware attacks. These attacks likely use known malware with known signatures. Many are of the spray and pray variety.

But, cybercriminals know which signatures you can likely detect. They will invest resources to design around your defenses. They'll spend the time to know your organization and create a campaign with a high probability for success so they can achieve much bigger payoffs.


Backup, Backup, Backup!

The single most consistent piece of advice you will find coming from the security community is to focus on backups. If you have quick access to a backup of data that was just encrypted in a ransomware attack, you significantly cut your losses. You should back up daily, and you should have multiple backups in multiple locations.


Educate, Educate!

Instill a culture of suspicion regarding emails with attachments and links throughout your organization. Often, a 10 second pause to scan the email for funky "from" addresses, weird file types or suspicious URLs will help identify 99% of attacks. Make sure your employees are trained in how to identify these tell-tale signs of a spear phishing attempt. A simple search for employee spear phishing education will provide a number of reputable vendors who can help. The cost justification is a no-brainer when you consider the potential downside.
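One way to automate that 10 second scan, as an added example rather than code from the original post: this Python script checks a message for the three signs the post calls out, a sender domain one letter off from a known partner (the insurco vs insureco lure described above), a scripting or archive attachment like Defray's 7Zip file, and a link under an unexpected top-level domain. The sample message, the partner allow-list and the extension and TLD sets are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (invented names and domains) modelled on the lure the post
# describes: sender domain one letter off, archive attachment, odd link in the body.
SAMPLE_EMAIL = """From: Helen <helen@insurco.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi George, can you check this today? http://claims.insurco-portal.cz/login
--b1
Content-Type: application/x-7z-compressed; name="claims.7z"

--b1--
"""

KNOWN_DOMAINS = {"insureco.example"}      # partners the recipient really mails with
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".7z", ".zip", ".exe", ".scr"}
EXPECTED_TLDS = {"com", "org", "example"}  # TLDs normal for this business

def edit_distance(a, b):  # Levenshtein: 1-2 edits away means a look-alike domain
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):  # return the tell-tale signs found in one raw RFC 822 message
    msg = message_from_string(raw)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for known in KNOWN_DOMAINS:  # exact partner domain passes; near misses do not
        if 0 < edit_distance(domain, known) <= 2:
            findings.append(f"look-alike sender domain {domain} (resembles {known})")
    for part in msg.walk():
        name = part.get_filename()
        if name and "." + name.lower().rpartition(".")[2] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        if part.get_content_type() == "text/plain":
            for url in re.findall(r"https?://\S+", part.get_payload()):
                tld = (urlparse(url).hostname or "").rpartition(".")[2]
                if tld not in EXPECTED_TLDS:
                    findings.append(f"URL with unexpected TLD .{tld}: {url}")
    return findings
```

Running `triage(SAMPLE_EMAIL)` returns three findings for the constructed lure; a plain-text note from the real partner domain with no links or attachments returns none.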


Keep Systems Updated

There is a continuous race for cybercriminals to identify and exploit security vulnerabilities in systems and software before they are identified by the vendor and patched. Keeping up to date with patches significantly improves your defenses.

The enemy gets smarter every day and your organization can only be safe if you are one step ahead of them.

This post first appeared on the Ipswitch blog.