Frequently Asked Questions
What is ransomware?
Ransomware is malicious software that disables access to part or all of a victim’s system, typically by encrypting critical data. Ransomware is distributed through a few methods: email phishing, malicious advertisements, and exploit kits. Generally, the attacker demands a ransom in exchange for a decryption key to restore the victim’s data and/or systems. Lately, financially motivated ransomware attacks on the Healthcare and Public Health Sector have increased. An FBI bulletin provides a more detailed overview of ransomware.
Who is at risk from a ransomware attack?
Any individual or organization with important data stored on their computer or network can become a victim of ransomware. We have seen attacks on many private businesses as well as federal, state, and local government agencies. The potential effects of a ransomware attack may be particularly acute in rural or underserved areas of the country where the incapacitation of a single healthcare organization could have larger consequences.
Because attackers often use spearphishing – targeted email pretending to come from a trusted source – as a means of gaining access to a network, individual users, employees, or contractors need to be vigilant about suspicious-looking messages.
What are the impacts of ransomware?
Ransomware incidents can severely impact business processes and leave organizations without the data or IT resources they need to operate and deliver mission-critical services. This can be especially concerning for healthcare providers requiring 24/7 operational capabilities. The monetary value of ransom demands has increased, with some demands exceeding $1 million. Ransomware incidents also have become more destructive and impactful in nature and scope. The economic and reputational impacts of ransomware incidents, throughout the initial disruption and, at times, extended recovery, have also proven challenging for organizations large and small.
The impacts of a ransomware attack could include:
- Temporary, and possibly permanent, loss of sensitive or critical data. (No guarantee exists that files will be recoverable if ransomware operators receive payment.)
- Significant disruption to your organization’s ability to deliver patient care (turning patients away for a prolonged time).
- Significant disruption to critical patient services.
- Complete shutdown of your organization’s operations.
- Financial loss associated with remediation efforts.
- Damage to your organization’s reputation.
How do malicious cyber actors use ransomware to attack their victims?
There are several means by which a ransomware attack happens. One of the most common is via a phishing campaign, in which attachments or links within an email arrive in a victim’s inbox masquerading as something they should trust. Once they’re downloaded and opened, malicious software can take over the victim’s computer. The ransomware can spread to infect multiple computers in the network, resulting in damage throughout the victim’s organization.
There are several actions that ransomware may take once it has infected a victim’s computer. However, by far the most common result is the encryption of some or all of the user’s files, rendering them unusable.
Who are malicious ransomware actors?
Malicious actors can be supported by nation-states trying to cause harm to critical infrastructure, or cybercriminals trying to enrich themselves. The cybercriminals can be lone wolf actors or part of organized crime syndicates.
How do I respond once I have been attacked?
Properly responding to an incident requires advance planning before an attack actually happens. The following are the most common steps, but your organization should have a well-thought-out response plan that involves all key stakeholders in your organization who could be affected. This site includes numerous Response tools and resources.
- Identify infected systems and their role in your organization’s operations.
- Evaluate whether the infected system can safely be removed from the network to prevent further spread.
- Determine if the affected data includes sensitive data, such as electronic protected health information (ePHI), which may require additional reporting.
- If necessary, implement backup procedures to continue operations.
- Remediate infected systems of the ransomware – rebuilding systems from trusted media and restoring data from safe and secure backups is likely the safest path.
- Report the infection to relevant authorities if required by law and/or regulation or as deemed appropriate by your organization. Also consider involving incident response companies, and/or industry threat intelligence sharing groups.
What can I do to protect my organization from ransomware?
There is no surefire method, so preparedness and advance planning are critical.
- Back up all critical data regularly and retain multiple copies of sensitive or proprietary data. These backups should be safely isolated from normal systems and protected against illicit access. Keeping current backup copies off site is highly recommended. Test backup restoration regularly to ensure that the saved data can be successfully restored in case of an emergency.
- Prepare and test regularly an alternative means to operate critical processes without the normal computers and/or networks used for day-to-day operations.
- Create and implement an appropriate incident response and recovery plan to prepare for a ransomware attack.
- Implement user awareness and training. Because end users are often the primary target, raise employees’ and stakeholders’ awareness of ransomware and phishing threats.
- Patch operating systems, software, and firmware as soon as manufacturers release security updates, while still following your organization’s policies and procedures for testing before installation.
- Set antivirus and anti-malware solutions to automatically update.
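The backup-restoration test recommended above can be made routine by keeping a hash manifest with each backup and checking every restored file against it. The script below is an added illustration, not code from the original page or any referenced playbook; the sample files, directory names and the copy-based "backup" and "restore" steps are constructed stand-ins for a real backup job.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so large backups are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(source: Path) -> dict:
    """Record the digest of every file under source, keyed by relative path."""
    return {str(p.relative_to(source)): file_digest(p)
            for p in sorted(source.rglob("*")) if p.is_file()}

def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif file_digest(target) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def restore_drill() -> dict:
    """Constructed drill: back up sample files, restore them, then damage the
    restored copy to show that verification catches a silently failed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_index.csv").write_text("id,name\n1,sample\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = build_manifest(src)  # store this with the backup, off the live system
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)  # stand-in for the real backup job
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)  # stand-in for the restore procedure
        clean = verify_restore(restored, manifest)
        # Simulate one altered file and one missing file in the restored copy.
        (restored / "config.ini").write_text("[db]\nhost=changed\n")
        (restored / "records" / "patient_index.csv").unlink()
        damaged = verify_restore(restored, manifest)
        return {"clean": clean, "damaged": damaged}
```

A restore drill that only checks "the job finished" misses exactly the cases the second report catches: a file that came back changed and a file that did not come back at all.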
What are other best practices for Medical Device Cybersecurity against ransomware?
Many of the same steps apply for medical devices. However, there can be limitations to the operator’s access to these systems. For more details, please review and implement the steps, as applicable, in the MITRE Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook. See also the NIST Healthcare Sector Cyber Security Site.