HIPAA AND COMPLIANCE NEWS

Treasury Dept: Ransomware Payment Facilitation Could Be Sanction Risk

COVID-19 spurred an increase in ransomware attacks. The Treasury Department warns entities against facilitating ransomware payments for breach victims and of possible sanction risks.

THIS ARTICLE WAS ORIGINALLY PUBLISHED ON THE HEALTH IT SECURITY XTELLIGENT HEALTHCARE MEDIA WEBSITE

Please talk to DDS Rescue about our cybersecurity solutions designed specifically for dental practices.

BY JESSICA DAVIS

October 01, 2020 – The US Department of Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on the potential sanction risks associated with companies that facilitate ransomware payments to threat actors on behalf of breach victims, as the act may violate OFAC regulations and encourage future attacks.

COVID-19 has spurred a drastic increase in the frequency and sophistication of ransomware attacks, with many threat actors turning to the double extortion method. In these cyberattacks, the cybercriminal first gains a foothold on the network, spreads to all connected devices and exfiltrates sensitive data.

The hacker will sometimes wait months before deploying the final ransomware payload. If the organization refuses to pay, they then move to leaking some of the victim’s data to extort them into paying. Some entities refuse, while others have paid up, after which the hacker will supposedly return the stolen data.

Healthcare has remained a prime target for these attacks, given that many do indeed pay the ransom to regain access to the stolen data and resume business operations. The latest incident involved the University of California San Francisco, which paid its hackers $1.14 million to restore access to the servers of its School of Medicine.

In April, RiskIQ reported that about 16 percent of healthcare entities will inevitably pay the ransom.

Those recent victims include Blackbaud, DCH Health System, Kentucky’s Park DuValle Community Health Center, and NEO Urology, just to name a few.

While security researchers and even federal agencies have empathized with organizations leaning on their cyber insurance or outside security teams to facilitate these payments to release sensitive data, the FBI has repeatedly stressed that the move should be a last resort.

What’s more, paying the ransom can actually double the recovery costs associated with a ransomware attack.

In light of a spate of ransomware attacks, including the massive Universal Health Services attack, OFAC released an advisory that not only advised against paying but warned that these acts may violate the agency’s rules.

“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” OFAC officials wrote.

“OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions,” they added.

The agency provided several examples of sanctioned organizations, including the notorious SamSam hackers that pummeled the healthcare sector in 2018. Other threat actors include Dridex, WannaCry 2.0, Evil Corp, and the Lazarus Group, among others. Many of these groups have ties to foreign governments, which led to their sanctions.

OFAC officials explained that it will continue to impose sanctions on the hackers and “others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

Not only do ransomware payments fuel future attacks, OFAC explained, they also threaten US national security interests, given the attackers’ profits and their subsequent ability to advance their cause. Paying a ransom to a sanctioned entity or jurisdiction could fund activities in conflict with national interests.

And as noted repeatedly by security leaders, paying a ransom demand does not guarantee a victim will regain access to their data. Notably, one out of 10 ransomware attacks leads to data theft, while an average of 45 percent of healthcare CISOs have faced a cyberattack aimed at destroying data.

Further, the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA) prohibits individuals or entities from engaging in transactions, directly or indirectly, with those on “OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.”

“Additionally, any transaction that causes a violation under IEEPA, including transactions by a non-U.S. person which causes a U.S. person to violate any IEEPA-based sanctions, is also prohibited. U.S. persons, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons, which could not be directly performed by U.S. persons due to U.S. sanctions regulations,” OFAC explained.

“OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC,” they added.

Entities should review OFAC’s enforcement guidelines before engaging in these transactions and to determine an appropriate response. Organizations are encouraged to ensure they have implemented a risk-based compliance program to mitigate potential exposure to sanctions violations.

These recommendations extend to companies that work with ransomware victims, including cyber insurance providers, digital forensics and incident response firms, and financial services.

Lastly, when faced with a ransomware attack, organizations should first contact the relevant government agencies.

It’s particularly important for healthcare entities, in light of the UHS system outage and the death of a patient in Germany due to a ransomware attack, to review ransomware guidance from Microsoft, OCR, and NIST to bolster systems now, as recent attacks prove hackers have increased in both stealth and sophistication.

Following the death of the patient in Germany, Emsisoft released insights that stressed the need for a federal ban on ransomware payments, given the rapid increase in ransom demands and the likelihood of data theft. The security firm predicts more than $25 billion will be paid in ransom demands this year alone, with an overall $170 billion impact on the economy.

In short, to Emsisoft, banning the payment of ransom demands to hackers is the only practical solution.

“The ransomware problem has continued to worsen,” Emsisoft Threat Analyst Brett Callow told HealthITSecurity.com. “In the last month alone, nine healthcare providers or healthcare systems have been successfully attacked, potentially impacting patient care at hundreds of individual hospitals


5 questions to ask about your backup system

Here’s an article from a few years back from Dentistry IQ. This information holds true today. Make sure you are asking the right questions before you purchase a backup system for your practice. Talk to DDS Rescue about which option is the best fit for you.

By Gregory Campos, DDS

In theory, it’s easy to understand the importance of backing up practice data on a regular basis. Real life, however, is another story. Dr. Gregory Campos walks you through five questions to consider when shopping for a computer backup system.

Read the complete Dentistry IQ article


Crypto-Locking Malware Wielded by Even More Types of Extortionists

Ransomware: DarkSide Debuts; Script-Kiddies Tap Dharma

Read the latest about RANSOMWARE from Data Breach Today

Ransomware-wielding gangs continue to rack up new victims and post record proceeds. That’s driving new players of all sizes and experience – beginners, criminals already skilled in the ransomware ecosystem and more advanced attackers – to try their hand at the crypto-locking malware and data-exfiltration racket.

For criminals, the draw of ransomware is easy to see: Using crypto-locking malware to extort organizations continues to pay ever-greater dividends – on average, now nearly $180,000, according to ransomware incident response firm Coveware, based on cases it investigated from April through June. The average amount was a 60% increase from the first quarter of the year (see: Ransomware Payday: Average Payments Jump to $178,000).

Clearly, ransomware is surging, despite the ongoing economic chaos caused by the COVID-19 pandemic. In large part, of course, that’s because some victims are paying their attackers for the promise of a decryption key, to remove their name – and potentially, exfiltrated data – from a “name and shame” site, for a promise from attackers to delete stolen data, or potentially all of the above.

On Thursday, the University of Utah disclosed that it was hit in July by an unspecified strain of ransomware that cryptolocked “employee and student information,” after which it paid attackers a $457,000 ransom – partly covered by its cyber insurance policy – in return for not releasing data.

More examples: Blackbaud, which builds marketing, fundraising and customer relationship management software, last month claimed to have “recently stopped” a ransomware attack by paying off its attackers. Garmin, which builds fitness-tracker and navigation devices, also reportedly paid an undisclosed ransom amount to attackers who successfully encrypted its systems with WastedLocker.

Ever-Growing List of Victims

Not every ransomware attack, of course, results in victims paying. But many attackers appear to be playing the numbers. Via the attempt to name and shame victims who didn’t pay, especially if they’re well-known names, gangs also earn free marketing about their operations, potentially building buzz that might persuade future victims to pay them quickly to go away.

The list of ransomware victims is growing longer. Recent victims include Brown-Forman, a Louisville, Kentucky-based manufacturer of alcoholic beverages – including Jack Daniels – that was recently hit by Sodinokibi, aka REvil, which claimed to have stolen 1 TB of data, including sensitive employee records. Brown-Forman vowed to not pay a ransom.

The Sodinokibi ransomware-as-a-service operation has also listed on its dedicated data-leaking site “Happy Blog” the law firm GSMLaw as a victim, as well as fresh victims in the insurance, consulting, and oil and gas sectors. Sodinokibi is one of a number of operations that steals data before crypto-locking systems, then threatens to leak or auction stolen data unless victims pay (see: Avaddon Ransomware Joins Data-Leaking Club).

Meanwhile Carnival, the world’s largest cruise ship company, on Aug. 15 suffered its second ransomware outbreak of the year and warned in a U.S. Securities and Exchange Commission filing that both customer and employee data had likely been stolen.

Other recent ransomware victims include Boyce Technologies, which builds transit communication systems – and lately also ventilators – and got hit by the DoppelPaymer gang, and Canon USA, which got hit by the Maze gang.

DarkSide Makes Debut

Drawn by the potential profits, new players continue to arrive on the scene. Kaspersky last month warned that the North Korean hacking team Lazarus Group now appears to have expanded into ransomware, which it drops after using malware to gain a foothold in a network and steal Active Directory credentials.

Earlier this month, another new ransomware operation called DarkSide appeared, although it claimed that its members are not newcomers. “We are a new product on the market, but that does not mean that we have no experience and we came from nowhere,” the group claimed in a post to a hacking forum that was posted by Malwrhunterteam security researchers. “We received millions of dollars in profit by partnering with other well-known cryptolockers.”

In the “press release” announcing its arrival, the gang says that it only targets organizations “that can pay the requested amount.” It adds: “We do not want to kill your business.” Bleeping Computer reports that the operation appears to have demanded ransoms ranging from $200,000 to $2 million.

Security experts say there are some similarities between DarkSide and REvil, although no smoking gun that would prove that DarkSide is a breakaway operation. For example, DarkSide’s ransom note is very similar to REvil’s, but such text is easy to cut and paste. Bleeping Computer also reports that DarkSide uses an encoded PowerShell script that’s identical to REvil’s, but again that could be copied. Also, both types of ransomware check infected PCs to ensure they’re not in one of the member states of the post-Soviet Commonwealth of Independent States. The CIS includes Russia as well as Azerbaijan, Armenia, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan, Turkmenistan, Uzbekistan and Ukraine (see: Russia’s Cybercrime Rule Reminder: Never Hack Russians).

‘Iranian Script Kiddies’ Wield Dharma

Some ransomware-wielding attackers, however, appear to be newcomers to the hacking scene in every sense. For example, in what appears to be a relatively new phenomenon, a group of Persian-speaking hackers operating from Iran appear to be wielding Dharma ransomware for financially motivated attacks against targets in China, India, Japan and Russia, says cybersecurity firm Group-IB.

Dharma, aka CrySis, first appeared as a ransomware-as-a-service operation in 2016, and continues to be “targeted at entry-level cybercriminals, and provides a paint-by-the-numbers approach to penetrating victims’ networks and launching ransomware attacks,” Sean Gallagher, a senior threat researcher at Sophos, says in a recent research report (see: How Dharma Ransomware-as-a-Service Model Works).

Since it debuted, multiple variants of Dharma have been in circulation. In March, the source code for one such variant appeared for sale online for $2,000 on a Russian cybercrime forum, Sophos says. Whereas Dharma had previously been tied to relatively low ransom demands, in recent months, Coveware says it’s started seeing some six-figure ransoms being demanded by Dharma-wielding attackers.

“The fact that Dharma source code has been made widely available led to the increase in the number of operators deploying it,” says Oleg Skulkin, a senior digital forensics


HHS OCR PRESS RELEASE: Cyber Alert – Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks

OCR is sharing the following update with our listserv from the Federal Bureau of Investigation (FBI), warning individuals that the FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status.

August 2020
PIN Number 20200803-002

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided to help cyber security professionals and system administrators guard against the persistent malicious actions of cyber actors. This product was coordinated with DHS-CISA.

This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks

Summary

The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to the lack of security updates and newly discovered vulnerabilities. Microsoft and other industry professionals strongly recommend upgrading computer systems to an actively supported operating system. Migrating to a new operating system can pose its own unique challenges, such as the cost of new hardware and software and updating existing custom software. However, these challenges do not outweigh the loss of intellectual property and threats to an organization.

Threat Overview

On 14 January 2020, Microsoft ended support for the Windows 7 operating system, which includes security updates and technical support, unless certain customers purchased an Extended Security Update (ESU) plan. The ESU plan is paid per device and available for Windows 7 Professional and Enterprise versions, with an increasing price the longer a customer continues use. Microsoft will only offer the ESU plan until January 2023. Continued use of Windows 7 creates the risk of cyber criminal exploitation of a computer system.

· As of May 2019, an open source report indicated 71 percent of Windows devices used in healthcare organizations ran an operating system that became unsupported in January 2020. Increased compromises have been observed in the healthcare industry when an operating system has achieved end of life status. After the Windows XP end of life on 28 April 2014, the healthcare industry saw a large increase of exposed records the following year.

· Cyber criminals continue to find entry points into legacy Windows operating systems and leverage Remote Desktop Protocol (RDP) exploits. Microsoft released an emergency patch for its older operating systems, including Windows 7, after an information security researcher discovered the RDP vulnerability called BlueKeep in May 2019. Since the end of July 2019, malicious RDP activity has increased with the development of a working commercial exploit for the BlueKeep vulnerability. Cyber criminals often use misconfigured or improperly secured RDP access controls to conduct cyber attacks. The xDedic Marketplace, taken down by law enforcement in 2019, flourished by compromising RDP vulnerabilities around the world.

· In 2017, roughly 98 percent of systems infected with WannaCry employed Windows 7 based operating systems. After Microsoft released a patch in March 2017 for the computer exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.

Recommendations

Defending against cyber criminals requires a multilayered approach, including validation of current software employed on the computer network and validation of access controls and network configurations. Consideration should be given to:

· Upgrading operating systems to the latest supported version.

· Ensuring anti-virus, spam filters, and firewalls are up to date, properly configured, and secure.

· Auditing network configurations and isolating computer systems that cannot be updated.

· Auditing your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts.

Reporting Notice

The FBI encourages individuals to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at [email protected]. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.

###
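The following PowerShell script is an added example, not part of the FBI notice or the DDS Rescue post, showing how a practice administrator could act on the last three recommendations: it inventories Active Directory for hosts still reporting Windows 7, checks which of them answer on TCP 3389 from the auditing machine, and pulls failed RDP logons from a Security log to surface password-guessing bursts. It assumes an AD-joined network, the RSAT ActiveDirectory module on the auditing host, and rights to read the remote Security log; the threshold and time window are arbitrary choices.

```powershell
# Added example, not from the FBI PIN or DDS Rescue. Assumes an AD-joined estate, the RSAT
# ActiveDirectory module on the auditing host, and rights to read remote Security logs.
Import-Module ActiveDirectory

function Get-UnsupportedWindowsHosts {
    # Inventory: AD computer objects still reporting Windows 7 (or Server 2008 R2, which
    # reached end of life on the same date). LastLogonDate separates live hosts from stale objects.
    Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*" -or OperatingSystem -like "*2008 R2*"' `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate
}

function Test-RdpExposure {
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$Port = 3389)
    # Reachability from the auditing host: an open 3389 on a legacy host that nobody
    # administers over RDP is a port to close or firewall off.
    foreach ($c in $ComputerName) {
        $r = Test-NetConnection -ComputerName $c -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ ComputerName = $c; RdpPortOpen = [bool]$r.TcpTestSucceeded }
    }
}

function Get-RdpLogonFailures {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24, [int]$Threshold = 10)
    # Event 4625 = failed logon. LogonType 10 (RemoteInteractive) is RDP; when Network Level
    # Authentication is on, the pre-auth failure is logged as LogonType 3 instead, so count both.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $data  = ([xml]$e.ToXml()).Event.EventData.Data
        $field = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        $type  = & $field 'LogonType'
        if ($type -in @('10', '3')) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Source    = & $field 'IpAddress'
                Account   = & $field 'TargetUserName'
                LogonType = $type
            }
        }
    }
    # Many failures from one source address inside the window is the password-guessing signal
    # worth alerting on; the account list shows whether one user or many are being tried.
    $rows | Group-Object Source | Where-Object Count -ge $Threshold |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }
}

# Usage: list legacy hosts, flag those reachable on 3389, then check the auditing host's own log.
$legacy = Get-UnsupportedWindowsHosts
$legacy | Format-Table -AutoSize
if ($legacy) {
    Test-RdpExposure -ComputerName $legacy.Name | Where-Object RdpPortOpen | Format-Table -AutoSize
}
Get-RdpLogonFailures -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Hosts that show up in the first list but not the second are candidates for the isolation step in the third recommendation; hosts in both lists are the ones to close or gate behind two-factor authentication first.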
