The Rise of Ransomware - Why Healthcare OT is a prime target for cybercriminals
Ransomware is a Major Cybersecurity Threat
This year has seen a considerable increase in the frequency and sophistication of ransomware attacks across all sectors of the economy, but healthcare providers have been heavily targeted. It would be nice to think otherwise, but the disruption to healthcare providers' working practices caused by the COVID-19 pandemic has proved too tempting for cybercriminals. The rapid uptake of telehealth via video technologies and the move to home working for many non-clinical staff have widened the attack surface available to exploit. Similarly, there has been a scramble to procure and deploy IT and medical equipment to offset the sudden extra load on healthcare systems: new devices for remote consultations, new medical IoT equipment, other new clinical systems, and new supply chain relationships set up to deliver these items plus the PPE needed to protect clinical staff.
Cybersecurity has taken a back seat in much of this work. IT staff had to deliver what was needed to meet immediate clinical needs, and most intended to revisit the deployments later to make sure that security was properly in place. Unfortunately, the bad actors have noticed and have targeted both the new and the existing systems with ransomware and other attack methods.
Existing Protections are Falling Behind
Existing ransomware protection methods rely on techniques that search for known signatures and other indicators of compromise within the files and data stored on network systems and devices. The better protection systems also monitor the network for abnormal behaviour so that unknown ransomware variants can be detected. This matters because data theft is now standard practice: large transfers of data out of the network to unauthorised destinations, followed by extortion over the stolen data as well as the encrypted data, are part of the typical ransomware attack.
The ransomware creators are fully aware of these defence mechanisms and are always striving to develop new ways to evade them. Modern ransomware variants such as WastedLocker and Maze do most of their work in memory: the payload is unpacked and run without dropping a recognisable file to disk, so a signature scanner that only inspects stored files has little to find. They also hide their activity in various ways so that they can operate for a while before they are noticed. By then it is too late: the data has already been stolen and then encrypted locally.
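The two detection styles described above, a file-based indicator lookup and a behavioural rule for bulk outbound transfer, as an added example in Python. This is not code from the original page or from any Acalvio product; the hash, the IP addresses, the allow-list, the threshold, the internal ranges and the flow records are all constructed for the example, and the flow format "timestamp src dst bytes_out" is assumed.

```python
"""Signature-style and behaviour-style ransomware checks over constructed data.
Added example; not from the original page or any vendor product."""
import hashlib
import ipaddress
from collections import defaultdict

# Constructed IOC list: SHA-256 of a hypothetical known-bad sample.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}

# Assumed allow-list of external destinations where bulk outbound transfer is
# legitimate (for example an off-site backup target).
AUTHORISED_DESTINATIONS = {"198.51.100.10"}

# Assumed internal address space; transfers that stay inside it are not exfiltration.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed threshold: 500 MiB from one internal host to one unauthorised
# external destination within the records examined.
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024


def ioc_match(file_bytes: bytes) -> bool:
    """Signature check: hash a file as stored on disk and look it up."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


def is_internal(address: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form 'timestamp src dst bytes_out'."""
    ts, src, dst, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes)}


def exfil_alerts(flow_lines, threshold=EXFIL_THRESHOLD_BYTES,
                 allowed=AUTHORISED_DESTINATIONS):
    """Behavioural check: total bytes per (src, dst) pair, skipping internal and
    allow-listed destinations, and report the pairs at or over the threshold."""
    totals = defaultdict(int)
    for line in flow_lines:
        flow = parse_flow(line)
        if flow["dst"] in allowed or is_internal(flow["dst"]):
            continue
        totals[(flow["src"], flow["dst"])] += flow["bytes"]
    return sorted((src, dst, total) for (src, dst), total in totals.items()
                  if total >= threshold)


# Constructed flow records (timestamp, internal source, destination, bytes out).
FLOWS = [
    "2020-10-01T02:13:05Z 10.0.8.41 203.0.113.77 314572800",   # 300 MiB to unknown host
    "2020-10-01T02:20:11Z 10.0.8.41 203.0.113.77 262144000",   # 250 MiB more, same pair
    "2020-10-01T02:21:00Z 10.0.8.42 198.51.100.10 1073741824", # 1 GiB to allow-listed backup
    "2020-10-01T02:22:00Z 10.0.8.43 10.0.5.30 2147483648",     # 2 GiB internal, ignored
    "2020-10-01T02:25:00Z 10.0.8.44 203.0.113.9 1048576",      # 1 MiB, under threshold
]

if __name__ == "__main__":
    # The original sample matches; a repacked copy that differs by one byte does not.
    print("known sample matches IOC:", ioc_match(b"constructed-malicious-sample"))
    print("repacked sample matches IOC:", ioc_match(b"constructed-malicious-sample-v2"))
    # The behavioural rule does not depend on what the payload looks like on disk.
    for src, dst, total in exfil_alerts(FLOWS):
        print(f"ALERT bulk outbound transfer {src} -> {dst}: {total} bytes")
```

The repacked sample no longer matches the hash, which is the evasion the section describes: a payload that is unpacked only in memory leaves nothing on disk for the signature check. The outbound transfer is a side effect the attacker cannot avoid if they want the data, so the behavioural rule still fires. In practice the threshold and allow-list are tuned per environment and the records are bounded to a time window rather than summed indefinitely.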
Deception Technology and AI can Keep Up with the Threats
Ransomware threats evolve so quickly that human analysts cannot counter them in real time. Acalvio have a maxim for this: fight fire with fire. As the attackers are using deception to hide their activity from traditional defences, why not use deception to trick them in turn? An effective way to keep critical clinical and other systems from being targeted is to lead the attackers down a dummy path to systems designed to make them think they are real. These decoys get attacked instead of the production systems, which remain hidden and protected with state-of-the-art defences, while AI-based monitoring watches the decoys for abnormal behaviour.
Acalvio ShadowPlex Ransomware Solution
Acalvio ShadowPlex combines Deception Technology with AI to provide an autonomous deception solution that is effective, easy to use, and scalable to enterprise levels, and that can also detect and stop zero-day ransomware variants. The solution uses a range of deceptions to convince cybercriminals that they have found and compromised real production systems. These deception techniques are shown in the graphic below.

The ShadowPlex solution uses the following components:
- Decoys - realistic dummy endpoints, applications, IoT devices, and cloud-based instances designed to look real and to draw attackers in.
- Breadcrumb pathways to decoys - false user and system login details, URLs, realistic-looking network traffic and even complete dummy Active Directory authentication systems, all of which lead attackers to the decoys and make them feel real.
- Trip wires - documents, running processes, and tools on the decoy systems that raise an alert, with indicators of compromise, the moment an attacker interacts with them.
- Lures - setup and configuration on the decoy systems that make attackers believe they have found a poorly secured network to which they have full access.
These decoy systems are backed by AI-driven monitoring and alerting. Any infiltration is flagged, and human security experts can watch what the attackers are doing on the dummy systems. The attackers are effectively sandboxed, and the techniques they use are documented. This intelligence can then be used to tighten the protections on the production systems where required.
After detection, Acalvio ShadowPlex can invoke what Acalvio calls its 'Ransomware kill-chain' to eliminate the attackers from the network.
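The breadcrumb and trip wire idea from the component list above, reduced to its detection logic, as an added example in Python. It is not Acalvio's or ShadowPlex's code: the decoy account names, decoy host addresses, the key=value event format and the event lines are all constructed for the example. The principle it shows is that a planted credential or decoy host has no legitimate use, so any event that touches one is a high-confidence alert regardless of whether the logon succeeded.

```python
"""Breadcrumb credentials and decoy hosts used as trip wires over constructed
authentication and connection events. Added example; not Acalvio's code."""
import re

# Hypothetical decoy accounts planted as breadcrumbs (for example in a scripts
# share or a saved-credential store on real endpoints). No legitimate user or
# process ever uses them, so any logon attempt with one is high-confidence.
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy", "adm_radiology_old"}

# Hypothetical decoy hosts. Nothing in production should connect to them.
DECOY_HOSTS = {"10.0.9.200", "10.0.9.201"}

# Assumed event format: 'timestamp key=value key=value ...'
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one constructed key=value event line into a dict (timestamp under 'ts')."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def tripwire_alerts(lines):
    """Return (ts, src, user, reason) for every event that touches a breadcrumb
    credential or a decoy host. Success or failure does not matter: the token
    should never be used at all."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = []
        if ev.get("user") in HONEYTOKEN_ACCOUNTS:
            reasons.append("honeytoken credential used")
        if ev.get("dst") in DECOY_HOSTS:
            reasons.append("connection to decoy host")
        if reasons:
            alerts.append((ev["ts"], ev.get("src"), ev.get("user"), "; ".join(reasons)))
    return alerts


def compromised_sources(lines):
    """Source addresses that tripped any wire: the hosts to isolate first."""
    return {src for _, src, _, _ in tripwire_alerts(lines) if src}


# Constructed events: ordinary logons, and an intruder on 10.0.8.41 who found
# the planted credentials and started probing.
EVENTS = [
    '2020-10-01T03:00:01Z host=HIS-APP01 event=logon user=jsmith src=10.0.8.15 result=success',
    '2020-10-01T03:01:12Z host=HIS-APP01 event=logon user=svc_backup_legacy src=10.0.8.41 result=failure',
    '2020-10-01T03:01:40Z host=FW-CORE event=conn src=10.0.8.41 dst=10.0.9.200 dport=445',
    '2020-10-01T03:02:05Z host=HIS-APP02 event=logon user=nurse_ward3 src=10.0.8.16 result=success',
    '2020-10-01T03:03:09Z host=DC01 event=logon user=adm_radiology_old src=10.0.8.41 result=success',
]

if __name__ == "__main__":
    for ts, src, user, reason in tripwire_alerts(EVENTS):
        print(f"{ts} ALERT src={src} user={user}: {reason}")
    print("isolate:", sorted(compromised_sources(EVENTS)))
```

The genuine logons by jsmith and nurse_ward3 produce nothing, while the three events from 10.0.8.41 each fire on their own, without any signature for the tool the intruder is running. The set returned by compromised_sources is the natural input to a containment step such as network isolation of the affected hosts.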
Contact Renaissance for More Information
Renaissance are the Acalvio partner and distributor in Ireland. If you would like to find out more about ShadowPlex, contact us for more information.

