Cybercriminals are strong-arming their ransomware into healthcare organisations. Usually they bait phishing emails to get unsuspecting healthcare workers to click and ultimately download ransomware.
But 2016, according to cybersecurity firm Layer 8 Security, saw a huge rise in cybercriminals using brute force attacks against remote desktop protocol services to jam their ransomware inside healthcare organisations.
A brute force attack is a trial-and-error strategy where programs attempt to decode encrypted information such as passwords or data encryption standard keys through tremendous effort (i.e. brute force) rather than using more specific strategies.
“You can brute force attack a remote desktop protocol service, in doing that you can try to pose as either the service laptop or the server on the other end of the RDP, so if you are going to brute force past the log-in then the ransomware that traverses an RDP is not acting the same as the one that will exploit through a phishing attack,” said Kevin Hyde, managing director of Layer 8 Security.
The problem is that remote desktop protocol services do not typically have robust security, instead relying on unsophisticated log-ins and passwords.
“Healthcare organisations are not keeping themselves up to best practices with long multivariable passwords, for instance,” Hyde said. “Brute force attacks are hard to execute when logging into multifactor authentication, for example; it’s far less possible for them to execute an attack. But just using a simple log-in and password is making it possible for this new attack vector of ransomware.”
When healthcare organisation staff are logging in to a network from their home or another remote location, they are not exercising optimal cybersecurity awareness compared to when they are actually in their office, Hyde said.
“When you are traveling you might be using public Wi-Fi, or using a laptop that is not your office laptop,” he said. “It creates a more exploitable method, when people are remote they are not on their company’s network, they are not within their company’s bounds, they are not exercising the same amount of caution. It is a more exploitable path of least resistance for attackers.”
So what can healthcare organisations do to defend against brute force attacks against remote desktop protocol services? A lot, Hyde said.
“This goes to the foundational tenets of cybersecurity that organisations need to take up,” he said. “Organisations need to get their applications penetration tested, getting them to where they do not have vulnerabilities. Organisations on top of things are closing the ports that do not need to be opened, making sure access points are open only to those who need the access.”
Organisations taking these kinds of steps have an overarching cyber-risk framework.
“That means you understand the risk you are posing to your company’s assets and bottom line, you understand the kinds of risk you are posing to your employees and clients, and what the risk is that you likely have,” he said. “How likely are you to have an exploit in your network where someone can grab a database of records? Are you training your people to do the right things? All of this helps with RDP attacks.”
On a related note, Hyde said that technologies can be used to defend against outside attacks, but technological changes can take time, sometimes a lot of time.
“But when you train a person, they instantly become a sharper cybersecurity mechanism for your organisation,” he explained. “Whether you are a hospital or a doctor’s office or sitting in a file room, there are many different exposures you may have, and knowing that your people know which assets are valuable and know how to make sure these are not stolen or exploited, that is key to maintaining a risk management framework.”
Hyde added that ransoms with ransomware are going up – not because techniques such as remote desktop protocol brute force attacks are any more or less successful, but because the industry’s stance surrounding ransomware is changing.
“Ransomware amounts are going up because people are becoming more used to this,” he said. “It’s becoming a more common event. It has to do with the numbness people are beginning to feel about the headlines of cyberattacks. They do not yet see themselves in the situation, and they don’t feel they are part of the solution. They need to recognise where they are in the problem and where they are in the solution.”
Criminals at first were smart enough to always keep amounts lower, making sure it was attainable – it wouldn’t break an organisation to give up $10,000, Hyde said.
“But the cost of network security is going up, so cyber-criminals do have to start trying a little harder, and they have to have an ROI, and that is increasing as well,” he said. “It’s not that this is another method, like RDP, it’s the market behind ransomware in general.”