September 29, 2020
Security Alert | Healthcare Ransomware Attacks

Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage.

Another major hospital network experienced a significant ransomware attack that led to the shutdown of several US computing systems.  The network’s immediate offline status crippled the hospital’s ability to access labs, radiology records, and other electronic test results required for patient care.

The attack is yet another example that the ransomware epidemic is going nowhere, and if anything, will continue to paralyze and impact critical facilities, networks, and now lives. It is ominous that these attacks generally take on a parallel prescriptive and programmatic approach to one another. The attackers breach the internal network from the outside, using anything from traditional password spraying attacks against RDP to more sophisticated social engineering-based payloads. They then work to move laterally to escalate privileges and finally drive to propagate the ransomware through conduits like PowerShell or PSEXEC. This somewhat predictable approach is our most significant opportunity to improve and reduce the impact of these attacks.

Prioritize these three steps

The first step in determining your organization’s risk to ransomware should involve a concentrated focus on the threat. That process starts with threat modeling and then moves into a complete inventory of systems and technologies that can be used as entry points into your network.

The second step is to address tactical risks based on the inventory analysis. As an example, if there are external systems that have remote code execution vulnerabilities on them, your organization should prioritize efforts to remediate those threats.

Step three takes a more strategic approach to ransomware by conducting a ransomware assessment. A strategic ransomware assessment evaluates control categories such as; security awareness, initial infiltration, lateral movement/privilege escalation risks, backups/disaster recovery, and segmentation. The assessment will also identify your organization’s incident response program maturity and preparedness for ransomware attacks.

Hail Mary

For organizations needing to act today, there is also a hail mary approach. This approach entails trying to get as much protection against the threat as possible.

  • Apply two-factor authentication across all external authentication portals.
  • Use web application firewalls against all external web sites and applications.
  • Ensure your organization has a concentrated focus on backups.
  • Ensure EDR coverage is 99-100% installed on all assets.
  • Provide ongoing security awareness testing and training using positive reinforcement techniques.
  • Focus heavily on privilege escalation detection and prevention capabilities.
  • Use the MITRE ATT&CK framework to significantly improve your risk to ransomware by focusing on privilege escalation, as it is almost always one of the steps malicious adversaries take with ransomware propagation.

This threat is real and is only going to get worse. However, there are things you can do to have a dramatic influence on your ability to prevent or reduce the impact of these attacks.

If you are a security or risk management professional in healthcare, please join CBI’s group of IT healthcare strategists as we openly discuss and unravel the complexities and similarities of attacks for overall healthcare ransomware preparedness. Timing is critical and virtual seats will be limited; please message me directly at to secure a spot. Additional information to come upon the finalization of group members.

About the Author
Shaun Bertrand
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at Converge. Shaun brings over 20 years of experience in the information security field with a core focus on providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.
I Need To...