As newer and more advanced malware threats evolve, the risk to confidentiality and integrity of information becomes higher and higher. Traditional ransomware, such as CryptoLocker its more recent cousin TelsaCrypt extracted their value by holding user’s files hostage. A strong defense against these types of malware could be mounted through diligent backup and data retention processes. Users whose files were encrypted by the malware could simply recover from a recent backup without considerable impact.
An emerging threat in the ransomware space in Crysis and it’s a new twist on the paradigm of simple in-place encryption of data files. Crysis merges the data encryption effects of ransomware with the remote command-and-control of today’s Advanced Persistent Threats (APTs). One thing that is not new about Crysis is the way it makes its way onto user’s computers. Whether arriving through email attachments, malware-based advertising, or injected into web content through cross-site scripting, end users are the target. Protections that scan inbound email attachments and web surfing traffic can help, but the bad guys are consistently re-engineering their attacks to evade threat prevention and detection systems.
In today’s healthcare space, attacks like Crysis are more dangerous than ever as the threat is moving from holding user’s data hostage to allowing outsiders access to view or collect sensitive data. While traditional ransomware might have caused disruption to the organization, threats such as Crysis move directly into an investigation of a reportable breach of PHI and confidential data.
The best first line of defense is still user training and awareness. Users should be armed with information on spotting malicious emails and web traffic. Security policies such as acceptable use of email and web browsing coupled with authorized software installation practices can slow the spread of malicious infections. Users should also be diligent about isolating personal use of computers from work related tasks including maintaining secure and unique passwords for all their activity. But humans can only so diligent, and even the best of us will mistake a malicious email for something we thought was safe.
Application whitelisting is a highly successful option for organizations against new and evolving threats such as Crysis. All approved applications generate a unique hash value and only approved hashes are allowed to execute on workstations. Instead of attacking known malicious software (a form of blacklisting), the workstation is restricted to only executing known good applications. Applications such as Crysis that are not on the approved whitelist are stopped cold and InfoSec can be notified of their presence in the environment. By blocking all applications and only allowing for approved exceptions, threats can be drastically reduced.
Another technique for protecting PHI and confidential information is to isolate enterprise applications from workstations that are used for web browsing and email activities, which are the most likely delivery methods for malware and ransomware such as Crysis. This was typically accomplished by creating isolated networks for workstations that access applications with confidential data which are not given Internet access. Workstations with Internet access were not allowed access to access, process or store protected information. In Payment Card Industry (PCI) organizations, card data environments are required to be isolated for just this reason. As virtualization has become more prevalent and cost effective, many organizations with sensitive data are moving to desktop virtualization and published applications. Web browsing and other non-critical applications are executed on the workstation itself, thereby providing isolation between the end user environment and the enterprise applications/data. This isolation keeps malware and ransomware from accessing PHI.
Finally, more and more organizations are looking at the egress traffic flow from their networks as a valuable method to protect data and block persistent threats like Crysis. Traditional firewall rules use a whitelist for inbound traffic, where all services denied and exceptions are made for known good traffic from public networks. However, egress traffic is usually allowed to leave without interrogation. Restricting egress traffic can provide a two-fold protection: First, end users are blocked from initially accessing known malicious sites, sites that have not been evaluated for their safety, or sites that pop up specifically to distribute malware (botnets). Second, restricting egress traffic to know-good locations can shut down remote command and control channels as well as block data exfiltration from malware and ransomware. In the case of Crysis, denying outbound traffic and providing exceptions for only known good locations (whitelisting) would block the remote execution of the ransomware and keep from PHI and confidential information from leaving the organization.
Across all industries, malware and ransomware is moving from an annoyance to a data confidentiality and integrity concern that involves IT, InfoSec, Privacy and senior management teams. These threats are not new and there is no silver bullet for stopping these attacks. Changing our focus from one which allows everything and hunts for anomalies to a posture where we trust nothing and make exceptions for the activities that are authorized can dramatically reduce risks. Also, isolating applications and confidential data from end user’s web browsing and email activities will make it more difficult for malware and ransomware to gain access to data.