With the recent news about possible impending ransomware infections across the US healthcare system, Tetra Defense compiled this list of recommendations to help healthcare organizations prepare. Unfortunately, there is no one-size-fits-all response strategy when it comes to Ryuk. However, we respond to hundreds of ransomware incidents every year and based on what we see during our post-incident analyses, we recommend that every healthcare organization implement these 9 safeguards within the next 12 hours.
The recommendations are ordered by priority and complexity, so we recommend starting with number 1 and working down the list.
Complete As Soon As Possible
- Review alerts in your current endpoint protection tools for detections of Cobalt Strike, Mimikatz, or malicious PowerShell use; these are the tools typically seen in the lead-up to ransomware deployment. If you see suspicious detections, enact your incident response plan or call an incident response company.
- Enable tamper protection on your Anti-Virus or Endpoint Detection and Response (EDR) agents so that threat actors cannot disable or uninstall them before deploying ransomware.
- Set aside a nightly copy of your backups that is offline or otherwise immutable, such that even your own IT team could not delete it unless they were physically in the room with the backup media.
- From a clean computer that is not joined to the domain (a new computer, or one newly reformatted), enable multi-factor authentication (MFA) on all cloud backup accounts immediately. Use the clean machine because threat actors frequently target IT staff's computers to steal cloud backup credentials; a password typed on a compromised admin workstation is a password the attacker now has.
- Enable MFA on centrally managed Anti-Virus/Endpoint Protection consoles, and block PsExec and PowerShell on all systems that do not need them for critical operations.
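As an added example (this is not code from the Tetra Defense post), the following PowerShell script covers the checkable parts of the list above on a single Windows host: it reports whether Defender tamper protection is on, hunts the event logs for PsExec service installs and for PowerShell script blocks that look like Cobalt Strike or Mimikatz loaders, and stages AppLocker deny rules for PsExec and PowerShell in audit mode. It assumes Windows 10/Server 2016 or later with Microsoft Defender, the Defender and AppLocker PowerShell modules, script block logging enabled for the 4104 hunt, and an elevated session. The rule names, indicator strings, lookback window and temp file path are choices made here, not anything from the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Assumes the Defender and AppLocker modules.

# 1. Tamper protection cannot be switched on from PowerShell (only through the
#    Windows Security app, Intune or Defender for Endpoint), so verify it here
#    and fix it through one of those channels if it reports $false.
function Get-TamperProtectionState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        TamperProtected = $s.IsTamperProtected
        RealTimeOn      = $s.RealTimeProtectionEnabled
    }
}

# 2. PsExec installs a service on the target (PSEXESVC unless renamed with -r),
#    which the Service Control Manager records as System event 7045. A service
#    binary sitting directly in the Windows root is unusual enough to flag too.
function Find-PsExecServiceInstall {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'PSEXESVC' -or
        $_.Message -match 'Service File Name:\s+%SystemRoot%\\[^\\\r\n]+\.exe'
    } |
    Select-Object TimeCreated, MachineName, Message
}

# 3. Cobalt Strike and Mimikatz are usually launched through PowerShell loaders;
#    with script block logging on, their contents land in event 4104.
function Find-SuspiciousScriptBlock {
    param([int]$Days = 30)
    $indicators = 'Invoke-Mimikatz', 'sekurlsa', 'DownloadString', 'FromBase64String',
                  'Invoke-Expression', 'VirtualAlloc', 'Invoke-ReflectivePEInjection'
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $text = $_.Message; [bool]($indicators | Where-Object { $text -match [regex]::Escape($_) }) } |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

# 4. Deny PsExec's service binary and every PowerShell host with AppLocker path
#    rules. Start in AuditOnly (watch for event 8003 in the AppLocker/EXE and DLL
#    log), then re-run with -Mode Enabled. Caveats: deny rules beat allow rules,
#    so apply this only to machines that do not need PowerShell; and an enforced
#    Exe collection blocks everything it does not explicitly allow, so your allow
#    rules (e.g. the AppLocker default rules) must already exist before enforcing.
function Set-PsExecPowerShellDenyRule {
    param([ValidateSet('AuditOnly', 'Enabled')][string]$Mode = 'AuditOnly')
    $paths = @{
        'Deny PsExec service binary'     = '%WINDIR%\PSEXESVC.exe'
        'Deny Windows PowerShell'        = '%SYSTEM32%\WindowsPowerShell\v1.0\*'
        'Deny 32-bit Windows PowerShell' = '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\*'
        'Deny PowerShell 7'              = '%PROGRAMFILES%\PowerShell\*'
    }
    $rules = foreach ($name in $paths.Keys) {
        "    <FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$name`" Description=`"`" UserOrGroupSid=`"S-1-1-0`" Action=`"Deny`">`n" +
        "      <Conditions><FilePathCondition Path=`"$($paths[$name])`" /></Conditions>`n    </FilePathRule>"
    }
    $xml = "<AppLockerPolicy Version=`"1`">`n  <RuleCollection Type=`"Exe`" EnforcementMode=`"$Mode`">`n" +
           ($rules -join "`n") + "`n  </RuleCollection>`n</AppLockerPolicy>"
    # AppLocker only enforces while the Application Identity service runs; it is a
    # protected service, so Set-Service cannot change its start type; use sc.exe.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    $file = Join-Path $env:TEMP 'deny-psexec-powershell.xml'
    Set-Content -Path $file -Value $xml -Encoding UTF8
    Set-AppLockerPolicy -XmlPolicy $file -Merge
}

Get-TamperProtectionState
Find-PsExecServiceInstall | Format-List
Find-SuspiciousScriptBlock | Format-Table -AutoSize
Set-PsExecPowerShellDenyRule -Mode AuditOnly
```

The 32-bit PowerShell path is included deliberately: a deny rule on the System32 host alone leaves the SysWOW64 copy runnable. Run the hunting functions across the fleet with Invoke-Command before deciding where the deny rules can be enforced.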
Complete If You Are Able To
- Reset administrator passwords across the network and rotate the "krbtgt" account password twice. The KDC honours tickets issued under both the current and the previous krbtgt key, so a single reset leaves forged Kerberos tickets (golden tickets) valid; the second reset revokes them, but only do it once replication has converged and existing ticket lifetimes (10 hours by default) have elapsed, or legitimate users and services will see Kerberos failures. The rotation could force the threat actor to run their tools again to regain access, giving you and your team more opportunity to detect them in your organization.
- Since threat actors routinely use tools like PsExec to move laterally over SMB, set up Windows Firewall or network firewall rules to block inbound Server Message Block (TCP 445, and NetBIOS session on TCP 139) to workstations and servers that do not host Domain Controller or Windows File Share roles.
- To limit a threat actor's ability to move laterally using Windows Management Instrumentation (WMI), configure WMI to use a fixed port, then use Windows Firewall and/or network firewall rules to allow WMI (the RPC endpoint mapper on TCP 135 plus the fixed port) only from specific management hosts.
- If you do not have Endpoint Detection and Response (EDR), contact a company like Tetra to deploy it. EDR has more robust capabilities to detect attack patterns than traditional antivirus.
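As an added example (not code from the Tetra Defense post), the PowerShell below implements three of the items above: the two-step krbtgt rotation with the replication and ticket-lifetime wait enforced between resets, inbound SMB restricted to admin hosts on non-DC, non-file-server machines, and WMI pinned to its fixed port and filtered to management hosts. It assumes the ActiveDirectory RSAT module on a domain controller for the krbtgt function, an elevated session on each target host (or Invoke-Command) for the firewall functions, and a default maximum TGT lifetime of 10 hours; the rule names and the 10.0.10.0/24 jump subnet are placeholders chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Address ranges are placeholders.

# --- krbtgt: two resets, separated by a wait -------------------------------
# The KDC accepts tickets under the current and the previous krbtgt key, so one
# reset leaves a golden ticket forged with the old key valid. The second reset
# kills it, but only after every DC has replicated the first and legitimate TGTs
# issued under the old key have expired (10 hours is the default maximum
# lifetime; read yours from the Default Domain Policy's Kerberos settings).
function Invoke-KrbtgtReset {
    param([int]$MaxTgtLifetimeHours = 10, [switch]$Force)
    $before = (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet
    $age = (Get-Date) - $before
    if ($age.TotalHours -lt $MaxTgtLifetimeHours -and -not $Force) {
        throw ("krbtgt was reset {0:N1} h ago; wait at least {1} h so replication converges and old " +
               "TGTs expire, or pass -Force if you accept Kerberos failures.") -f $age.TotalHours, $MaxTgtLifetimeHours
    }
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $new = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $new
    repadmin.exe /syncall /AdeP | Out-Null   # push the change to every DC now
    [pscustomobject]@{ PreviousSet = $before
                       CurrentSet  = (Get-ADUser -Identity krbtgt -Properties PasswordLastSet).PasswordLastSet }
}

# --- SMB (TCP 445/139): the path PsExec and most ransomware deployment use -----
# Windows Firewall gives Block rules precedence over Allow rules, so a blanket
# Block on 445 plus a scoped Allow would block the admin hosts too. Instead: make
# the profiles default-deny inbound, disable the built-in SMB allow rules, and
# allow SMB only from admin/jump hosts (or nobody). Not for DCs or file servers.
function Set-InboundSmbRestriction {
    param([string[]]$AllowFrom = @())   # e.g. '10.0.10.0/24' (placeholder jump subnet)
    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { $p = ($_ | Get-NetFirewallPortFilter).LocalPort; ($p -contains '445') -or ($p -contains '139') } |
        Disable-NetFirewallRule
    foreach ($n in 'Ryuk prep: allow SMB from admin hosts', 'Ryuk prep: block SMB') {
        Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    }
    if ($AllowFrom.Count -gt 0) {
        New-NetFirewallRule -DisplayName 'Ryuk prep: allow SMB from admin hosts' -Direction Inbound `
            -Protocol TCP -LocalPort 445, 139 -RemoteAddress $AllowFrom -Action Allow | Out-Null
    } else {
        # No exemptions wanted: add an explicit Block so a later allow rule cannot reopen it.
        New-NetFirewallRule -DisplayName 'Ryuk prep: block SMB' -Direction Inbound `
            -Protocol TCP -LocalPort 445, 139 -Action Block | Out-Null
    }
}

# --- WMI: pin it to a fixed port so it can be filtered -------------------------
# Remote WMI (wmic /node:, Invoke-WmiMethod, Impacket wmiexec) hits the RPC
# endpoint mapper on TCP 135 and is then handed a dynamic port. 'winmgmt
# -standalonehost' moves WMI into its own process on fixed port 24158 (Microsoft's
# documented procedure); afterwards only 135 and 24158 need to be reachable, and
# only from management hosts. Caveat: 135 also serves other RPC/DCOM clients
# (remote event log, scheduled tasks), which this scoping affects as well.
function Set-RemoteWmiRestriction {
    param([Parameter(Mandatory)][string[]]$AllowFrom)
    winmgmt.exe -standalonehost | Out-Null
    Restart-Service -Name winmgmt -Force   # -Force also restarts dependent services
    Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    foreach ($n in 'Ryuk prep: RPC endpoint mapper from admin hosts', 'Ryuk prep: WMI fixed port from admin hosts') {
        Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    }
    New-NetFirewallRule -DisplayName 'Ryuk prep: RPC endpoint mapper from admin hosts' -Direction Inbound `
        -Protocol TCP -LocalPort 135 -RemoteAddress $AllowFrom -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName 'Ryuk prep: WMI fixed port from admin hosts' -Direction Inbound `
        -Protocol TCP -LocalPort 24158 -RemoteAddress $AllowFrom -Action Allow | Out-Null
}

# Usage on a workstation: allow only the admin jump subnet (placeholder range).
Set-InboundSmbRestriction -AllowFrom '10.0.10.0/24'
Set-RemoteWmiRestriction  -AllowFrom '10.0.10.0/24'
# On a domain controller: run once now, and once more after the wait has passed.
Invoke-KrbtgtReset
```

Run Invoke-KrbtgtReset the first time, record the timestamp it returns, and run it again only after the second call stops throwing; the guard is there because the second reset is the one that invalidates forged tickets and also the one that causes outages when done too early.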
While this alert is unsettling for many reasons, it is a comfort to know that cybersecurity best practices still stand and are still effective in detecting threats. Healthcare organizations face unique challenges when it comes to cyber attacks because their data, their infrastructure, and their service to society at large are essential, making them a lucrative and critical target for ransomware groups. For more information on how ransomware operates, how healthcare is impacted, and how to keep a keen eye on a health system's cyber infrastructure, check out these additional resources: