Ransomware Protection Best Practices
During the last few weeks of October 2020, we have seen an increase in cybercrime, especially ransomware involving healthcare organizations. Ransomware is a form of malware that enters a computer or technology network, encrypting and blocking access to all data until a ransom demand is negotiated and met. Often the demands have deadlines, threatening a complete loss of data if payment is not received by a specific date and time.
Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) stated that they have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. The CISA, FBI, and HHS joint advisory provided a ransomware response checklist that can serve as a ransomware-specific addendum to an organization’s cyber incident response plan. Some of the ransomware protection best practices from this checklist include:
- Maintain offline, encrypted backups of data and regularly test those backups. Backup procedures should be conducted on a regular basis.
- Create, maintain, and exercise a basic cyber incident response plan and associated communications plan that includes response and notification procedures for a ransomware incident.
- Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.
- Regularly patch and update software and operating systems to the latest available versions.
- Ensure devices are properly configured and that security features are enabled (e.g., Remote Desktop Protocol [RDP] over Transmission Control Protocol [TCP] port 3389).
- Disable or block Server Message Block (SMB) protocol outbound and remove or disable outdated versions of SMB. Disable SMBv1 and v2 on your internal network after working to mitigate any existing dependencies.
- Block all versions of SMB from being accessible externally to your network by blocking TCP port 445, along with the related protocols on User Datagram Protocol (UDP) ports 137-138 and TCP port 139.
- Implement a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing).
- Implement filters at the email gateway to filter out emails with known malicious indicators, such as known malicious subject lines, and block suspicious Internet Protocol (IP) addresses at the firewall.
- To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification.
- Consider disabling macro scripts for Microsoft Office files transmitted via email. These macros can be used to deliver ransomware.
- Ensure antivirus and anti-malware software and signatures are up to date.
- Use application directory allowlisting on all assets to ensure that only authorized software can run, and all unauthorized software is blocked from executing.
- Consider implementing an intrusion detection system (IDS) to detect command and control activity.
- Understand that adversaries may exploit the trusted relationships your organization has with third parties and MSPs.
- Employ multi-factor authentication (MFA) tools for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- If you are using passwords, use strong passwords and do not reuse passwords for multiple accounts.
- Apply the principle of least privilege to all systems and services so that users only have the access they need to perform their jobs.
- Employ logical or physical means of network segmentation to separate business unit or departmental IT resources within your organization, as well as to maintain separation between IT and operational technology.
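As an added example (not part of the article or the CISA/FBI/HHS advisory), the following PowerShell audit checks a Windows host against the SMB and RDP items above: SMBv1 disabled, outbound host-firewall blocks for TCP 445, TCP 139 and UDP 137-138, and whether RDP is enabled. The port numbers come from the checklist; the firewall rule display names and the `-Remediate` switch are my own choices.

```powershell
# Added example: audit (and optionally fix) SMB/RDP hardening items from the checklist.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later.
param([switch]$Remediate)

$findings = @()

# 1. SMBv1 should be disabled on the server side and the optional feature removed.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is enabled"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += "SMB1Protocol optional feature is installed"
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 2. Outbound SMB/NetBIOS should be blocked by an enabled host-firewall rule (TCP 445, TCP 139, UDP 137-138).
$smbPorts = @(
    @{Protocol='TCP'; Port='445'},
    @{Protocol='TCP'; Port='139'},
    @{Protocol='UDP'; Port='137-138'}
)
foreach ($p in $smbPorts) {
    $blocked = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq $p.Protocol -and $_.RemotePort -eq $p.Port }
    if (-not $blocked) {
        $findings += "No enabled outbound block rule for $($p.Protocol) $($p.Port)"
        if ($Remediate) {
            # Rule display name is a constructed value for this example.
            New-NetFirewallRule -DisplayName "Block outbound SMB $($p.Protocol) $($p.Port)" `
                -Direction Outbound -Protocol $p.Protocol -RemotePort $p.Port -Action Block | Out-Null
        }
    }
}

# 3. RDP (TCP 3389): fDenyTSConnections = 0 means RDP is enabled; flag it for review rather than change it,
#    since disabling it without a business decision can lock out legitimate administration.
$rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($rdp.fDenyTSConnections -eq 0) {
    $findings += "RDP (TCP 3389) is enabled; confirm a business need and that it is not reachable from the internet"
}

if ($findings.Count -eq 0) { "PASS: SMB/RDP configuration matches the checklist items" }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it without `-Remediate` first to see what would change; the SMBv1 feature removal takes effect after a reboot.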
In summary, healthcare organizations should have a coordinated strategy for their incident/breach management and response plans, disaster recovery plans, business continuity plans, and organizational emergency management and response plans. While all organizations are vulnerable in this new world of cyber threats, there are a variety of ransomware protection best practices organizations can take to reduce the risks of a successful ransomware attack and build cyber resilience.