Ransomware can act with amazing speed, says John Ford
, cyber strategist with IronNet, a cybersecurity company based in McLean, VA. He once worked with a company that was attacked with ransomware, and more than 1,000 machines were affected in less than 90 seconds, he says.
“You have to be able to get systems back up and running. So if it goes on for a very long time like a week or two, that’s an indicator that the backups were an issue,” he says. “The recent attack shows that you must always stress the importance of staff members not opening any mail that could be a phishing attempt.”
“With COVID, people are very overworked and stressed. When you take that kind of environment and present a ransomware attack, there is a huge risk someone is going to let their guard down and let that attack into the hospital system,” Ford says. “Before you know it the computer terminals are shutting down, the radiology units, everything is going offline, and people can’t do their jobs.”
Ford recommends tabletop exercises to let hospital leaders run through the protocols for how to respond to such an attack in real time, looking for any uncertainty or practical problems in executing it.
“Ransomware is not just about the security team. It’s about everyone else affected by the ransomware and how they try to do their jobs while you sort this out,” Ford says. “They have to know what to do.”
Ford says he expects to see a great deal more of the ransomware attacks that hit the U.S. healthcare system.
“It’s a perfect business model for the bad guys. There is very little barrier to entry, and limited or no competition,” Ford says. “You don’t need a phenomenal skill set, and the return on investment is significant. We followed one hacker who acquired the credentials for a U.S. health-
care provider for $300 in Bitcoin. Later that week they hit an entity that paid $150,000 in ransom. That’s a pretty good return.”