Inside Ireland’s public health ransomware fear – Krebs on Security
The consulting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly May 2021 ransomware attack on the Irish public health system. The unusually candid post-mortem reveals that almost two months passed between the initial intrusion and the launch of the ransomware. It also found that the affected hospitals had tens of thousands of outdated Windows 7 systems, and that healthcare IT administrators had failed to respond to multiple warning signs of an impending mass attack.
Ireland’s Health Service Executive (HSE), which manages the country’s public health system, was hit with Conti ransomware on May 14, 2021. A timeline in the report (above) indicates that the initial infection of the “patient zero” workstation occurred on March 18, 2021, when an employee on a Windows computer opened a booby-trapped Microsoft Excel document attached to a phishing email that had been sent two days earlier.
Less than a week later, the attacker had established a reliable backdoor connection to the employee’s infected workstation. After infecting the system, “the attacker continued to operate in the environment for eight weeks until the detonation of the Conti ransomware on May 14, 2021,” the report states.
According to the PWC report (PDF), there were several warning signs of a serious network intrusion, but these red flags were either misidentified or not addressed quickly enough:
- On March 31, 2021, HSE’s anti-virus software detected the execution of two software tools commonly used by ransomware groups – Cobalt Strike and Mimikatz – on the Patient Zero workstation. But the anti-virus software was configured in monitor mode, so it did not block the malicious commands.
- On May 7, the attacker compromised HSE’s servers for the first time, and over the next five days the attacker compromised six HSE hospitals. On May 10, one of the hospitals detected malicious activity on its Microsoft Windows domain controller, a critical component of any Windows corporate network that handles user authentication and access to the network: the “keys to the kingdom.”
- On May 10, 2021, security auditors first identified evidence that the attacker had compromised systems within Hospital C, and anti-virus software at Hospital L detected Cobalt Strike on two systems but failed to quarantine the malicious files.
- On May 13, the HSE’s anti-virus security provider emailed the HSE security operations team, highlighting unmanaged threat events dating back to May 7 on at least 16 systems. The HSE Security Operations team instructed the server team to restart the servers.
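As an added illustration (not code from the PWC report or from this article), the following Python triage script shows the kind of check that would have surfaced the events above: it takes anti-virus events, flags detections of intrusion tooling that were never remediated, reports how long each host has been left open, and identifies hosts whose agent only ever returns “monitor” verdicts. The event records are constructed samples loosely modelled on the timeline, not HSE logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample anti-virus events loosely modelled on the PwC timeline;
# these are NOT real HSE logs.
SAMPLE_EVENTS = [
    {"ts": "2021-03-31T10:12:00", "host": "patient-zero-ws", "threat": "Cobalt Strike", "action": "monitor"},
    {"ts": "2021-03-31T10:13:00", "host": "patient-zero-ws", "threat": "Mimikatz", "action": "monitor"},
    {"ts": "2021-05-07T02:00:00", "host": "hospC-srv01", "threat": "Cobalt Strike", "action": "detected"},
    {"ts": "2021-05-10T09:30:00", "host": "hospC-srv02", "threat": "Cobalt Strike", "action": "detected"},
    {"ts": "2021-05-11T12:00:00", "host": "hospL-ws17", "threat": "Adware.Generic", "action": "quarantined"},
    {"ts": "2021-05-12T08:00:00", "host": "hospL-ws17", "threat": "Mimikatz", "action": "quarantined"},
]

# Tooling whose mere presence is a hands-on-keyboard intrusion signal.
INTRUSION_TOOLS = {"cobalt strike", "mimikatz"}
# Verdicts that actually removed the threat; anything else leaves it "unmanaged".
REMEDIATING_ACTIONS = {"quarantined", "blocked", "deleted"}

def unmanaged_intrusion_events(events):
    """Events where an intrusion tool was seen and the AV did not remediate it."""
    return [e for e in events
            if e["threat"].lower() in INTRUSION_TOOLS
            and e["action"].lower() not in REMEDIATING_ACTIONS]

def open_escalations(events, now_iso, max_open=timedelta(hours=1)):
    """Per host, the first unmanaged intrusion-tool detection and how long it has
    been open as of `now_iso`; only hosts open longer than `max_open` are returned.
    Returns a list of (host, first_seen, open_for) sorted oldest first."""
    now = datetime.fromisoformat(now_iso)
    first_seen = {}
    for e in unmanaged_intrusion_events(events):
        ts = datetime.fromisoformat(e["ts"])
        if e["host"] not in first_seen or ts < first_seen[e["host"]]:
            first_seen[e["host"]] = ts
    result = [(h, ts, now - ts) for h, ts in first_seen.items() if now - ts > max_open]
    return sorted(result, key=lambda r: r[1])

def monitor_only_hosts(events):
    """Hosts whose every AV verdict was 'monitor': a sign the agent never blocks."""
    by_host = defaultdict(set)
    for e in events:
        by_host[e["host"]].add(e["action"].lower())
    return sorted(h for h, acts in by_host.items() if acts == {"monitor"})

if __name__ == "__main__":
    for host, ts, age in open_escalations(SAMPLE_EVENTS, "2021-05-13T00:00:00"):
        print(f"{host}: unmanaged since {ts:%Y-%m-%d %H:%M}, open {age.days}d {age.seconds // 3600}h")
    print("monitor-mode hosts:", monitor_only_hosts(SAMPLE_EVENTS))
```

Run against the sample data as of May 13, the patient-zero workstation shows up as open for 42 days, which is the gap the report describes between detection and response.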
By then it was too late. On May 14, just after midnight Irish time, the attacker executed the Conti ransomware within the HSE. The attack disrupted services in several Irish hospitals and resulted in the near complete shutdown of national and local HSE networks, forcing the cancellation of many outpatient clinics and health services. The number of appointments in some areas fell by as much as 80 percent.
Conti initially demanded $20 million in virtual currency in exchange for a digital key to unlock the HSE servers compromised by the group. But perhaps in response to public outcry over the HSE disruption, Conti relented and gave the HSE the decryption keys without demanding payment.
Still, the job of restoring infected systems would take months. The HSE eventually enlisted members of the Irish Army to bring in laptops and PCs to help restore computer systems by hand. It was not until September 21, 2021 that the HSE declared that 100% of its servers were decrypted.
As serious as the HSE ransomware attack was, the PWC report points out that it could have been much worse. For example, it is not known how much data would have been unrecoverable if a decryption key had not become available, because the HSE’s backup infrastructure was only periodically backed up to offline tape.
The attack could also have been worse, according to the report:
- if the attacker had intended to target specific devices in the HSE environment (e.g. medical devices);
- if the ransomware had taken steps to destroy data at scale;
- if the ransomware had automatic propagation and persistence capabilities, for example by using an exploit to spread across domains and trusted boundaries to medical devices (as the EternalBlue exploit did in the WannaCry and NotPetya attacks);
- if cloud systems, such as the COVID-19 vaccination system, had also been encrypted.
PWC’s report contains many recommendations, most of which relate to hiring new staff to lead the organization’s redoubled security efforts. But it is clear that the HSE has a huge job ahead of it to improve its security maturity. For example, the report notes that the HSE hospital network had more than 30,000 Windows 7 workstations that had been deemed end of life by the vendor.
“The HSE assessed its cybersecurity maturity score as low,” PWC wrote. “For example, they have not established a CISO or a security operations center.”
PWC also estimates that efforts to grow the HSE cybersecurity program to the point where it can quickly detect and respond to intrusions are likely to cost “a multiple of the HSE’s current capital and operating expenses in these areas over several years.”
In June 2021, the CEO of the HSE said that the costs of recovering from the May ransomware attack would likely exceed $600 million.
What’s remarkable about this incident is that the HSE is publicly funded by the Irish government, and so in theory it has the money to spend (or raise) to pay for all of these ambitious recommendations to increase its security maturity.
This is in stark contrast to the healthcare system here in the United States, where the biggest obstacle to good security continues to be the failure to make it a real budget priority. Additionally, most healthcare organizations in the United States are private companies that operate on very slim profit margins.
I know this because in 2018 I was asked to give the opening speech at an annual gathering of the Healthcare Information Sharing and Analysis Center (H-ISAC), an industry group focused on sharing information on cybersecurity threats. I almost didn’t accept the invitation: I had written very little about healthcare security, which seemed to be dominated by coverage of healthcare organizations’ compliance with the letter of the law in the United States. This compliance focused on the Health Insurance Portability and Accountability Act (HIPAA), which prioritizes protecting the integrity and confidentiality of patient data.
To get up to speed, I interviewed over a dozen of the best and brightest minds in the healthcare security industry. A common refrain I heard from interviewees was that if it was security related but didn’t have to do with compliance, there probably wasn’t much of a chance it would make it into a budget.
These sources unanimously said that, while well-intentioned, it is not clear that HIPAA’s “protect the data” regulatory approach works from a holistic threat perspective. According to HealthcareIT News, more than 40 million patient records have been compromised in incidents reported to the federal government in 2021 so far.
During my 2018 speech, I tried to stress the paramount importance of being able to react quickly to intrusions. Here’s a snippet of what I told this H-ISAC audience:
“The term ‘security maturity’ refers to the street smarts of an individual or organization, and that maturity usually comes from making a lot of mistakes, getting hacked a lot and, hopefully, learning from each incident, measuring response times and improving.
Let me say up front that all organizations get hacked. Even those who are doing everything right from a security standpoint are probably hacked every day if they are big enough. By hacked I mean someone in the organization falls for a phishing scam or clicks on a malicious link and downloads malicious software. Because let’s face it, it only takes one mistake for hackers to gain a foothold on the network.
Now this in itself is not bad, unless you don’t have the capacity to detect it and respond quickly. And if you can’t do that, you run the serious risk of seeing a small incident turn into a much bigger problem.
Think of it as the medical concept of the ‘golden hour’: that short period of time directly following a traumatic injury such as a stroke or heart attack in which life-saving medicine and attention are likely to be most effective. The same concept applies to cybersecurity, and this is exactly why so many organizations today are devoting more of their resources to incident response, rather than just prevention.”
The somewhat decentralized healthcare system in the United States means that many ransomware outbreaks tend to be confined to regional or local healthcare facilities. But a ransomware attack or a series of well-placed attacks could inflict serious damage on the industry: A December 2020 report from Deloitte says the top 10 healthcare systems now control a 24 percent market share, and their revenues have grown at twice the rate of the rest of the market.
In October 2020, KrebsOnSecurity revealed that the FBI and US Department of Homeland Security had obtained chatter from a leading ransomware group warning of an “imminent cybercrime threat to US hospitals and healthcare providers.” Members associated with the Russian-speaking ransomware group known as Ryuk had discussed plans to deploy ransomware to more than 400 healthcare facilities in the United States.
Hours after this article was published, I heard from a respected H-ISAC security professional who wondered whether it was worth alarming the public. The story was updated multiple times throughout the day, and at least five healthcare organizations were hit by ransomware within 24 hours.
“I guess it would help if I understood what the baseline is, like how many healthcare facilities are affected by ransomware on average in a week?” I asked the source.
“It’s more like one a day,” the source said.
In all likelihood, the HSE will get the money it needs to implement the programs recommended by PWC, however long it takes. I wonder how many US-based healthcare organizations could say the same.