Kidnapping in cyber space
On 31 October 2021, the digital infrastructure of Handa Hospital in Tsurugi Town, Tokushima Prefecture, was kidnapped by cyber criminals.
Let’s pause a second: how does one kidnap a hospital? The answer is: hold its data hostage.
The act of taking an organization’s digital assets hostage is what the cyber security industry calls “ransomware”. Whilst ransomware is surrounded by an aura of mystery for most people, as if it were some obscure technical concept, it is actually pretty straightforward. Just as a criminal might kidnap a group of school children in the hope of receiving a large payment from their loved ones in exchange for their release, cyber criminals take or encrypt an organization’s data in the hope that its rightful owners will pay to get it back. The economic drivers and malicious intent behind both acts are the same.
The criminals behind all kinds of ransom are mostly highly intelligent individuals, who choose to use their skills not to add value to the rest of human society, but to harm, steal, and even destroy lives in order to benefit themselves. This realization brings Blackpanda to the Japan market, to defend businesses against the ever-evolving cyber threat landscape.
Over the past two years, the pandemic has notoriously put enormous strain on the healthcare sector worldwide. In turn, this has challenged its cyber response capabilities, making it an appealing target for cyber attacks. In particular, ransomware attacks on the healthcare system aim to mine patients’ personal information or disrupt facilities’ operations, knowing that such facilities will likely agree to large ransom payouts as they are constantly under pressure to save lives.
Handa Hospital’s analog response
Handa hospital is a small facility serving a humble town of fewer than ten thousand people. Still, at the time of the attack, the hospital stored over 85,000 digital records of patients from across the region.
The attack was carefully orchestrated by the threat actor, who succeeded in penetrating Handa’s networks with the powerful LockBit ransomware strain. After mapping out the vulnerabilities of the hospital’s computer network, the threat actor found that Remote Desktop Protocol (RDP) access was poorly protected. Namely, the IT systems at Handa Hospital allowed a third-party contractor to access their networks over a virtual private network (VPN). By discovering the vendor’s VPN password, the threat actor was able to establish a foothold in the organization and escalate privileges. This demonstrates clearly how vulnerable any organization can be through any of the countless third-party vendors connected to it, and why Blackpanda promotes and offers cyber security due diligence as part of vendor accreditation.
Handa Hospital’s response to the cyber attack was one of a kind, and certainly inspired the global cyber security community to reconsider how resourceful critical organizations such as hospitals can be in times of crisis. However, with a good cyber incident response plan in place, Handa could have fought the attack with much more ease and agility.
Handa’s response followed their internal Business Continuity Plan (BCP). A BCP aims to resume the normal business operations of a company with as little disruption as possible in the occurrence of a significant event.
A major shortcoming of Handa’s BCP was that it did not include a cyber attack as a potential disaster scenario. Cyber attacks are in fact the most likely critical disruption to an organization today, being 1000 times more likely than a fire.
Instead, Handa applied the BCP’s directives for an earthquake disaster scenario, which required resorting to analog measures. This included changing back to paper records and disconnecting their servers from the network. During the computer system outage, this in fact succeeded in containing the outbreak, as the ransomware could not spread from one endpoint to another without a network connection.
Indeed, analog or fundamental processes are perhaps the most fail-safe ransomware containment measures, as they effectively block the cyber attack and preserve the system health of untouched endpoints.
As a company that is born and inspired by physical security, this reminds us of how Osama bin Laden evaded the US government, military, and various international law enforcement agencies for over ten years. Whilst these had limitless budgets and capabilities, Osama bin Laden was able to survive for so long by completely canceling himself out of the digital world and operating entirely in an analog fashion. This made him essentially undetectable, with Special Forces relying mainly on the most advanced technological tools to seek him out.
Given these considerations, Blackpanda applaud Handa Hospital’s dexterity and adaptive thinking in applying earthquake disaster plans to sustain a vital minimum level of operational capability in the face of such a devastating cyber ransomware attack. Still, we feel it is our duty to point out some major shortcomings in Handa’s approach, as these severely endangered its survival and should be avoided in the future at all costs.
Handa Hospital’s RDP and VPN vulnerabilities were responsible for the penetration of the threat actor into their systems. At Blackpanda, we find exposed RDP and unsecure VPN access to systems to be pervasive exposures in the time of COVID. These are in fact the leading root cause of incidents.
Taking advantage of low-hanging fruit like weak passwords or careless security configurations is easier than phishing susceptible employees or crafting an exploit for a software vulnerability. Unless the VPN restricts incoming connections to a whitelist of approved sources or enforces high-fidelity multi-factor authentication (MFA), it is very difficult to detect or prevent unauthorized logins from an attacker using correct stolen credentials: to the VPN gateway, such a login looks identical to a legitimate one. Having an adequate MFA access system in place is thus crucial to protecting organizations that employ RDP as part of their business processes.
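The paragraph above makes the point that a login with valid stolen credentials is indistinguishable from a legitimate one unless a source whitelist or MFA gives the defender something to check. The following added example (not code from Blackpanda or from the Handa Hospital incident) shows that check as detection logic over VPN gateway logs: it flags successful logins whose source address is outside the account’s allowlist or that completed without MFA. The key=value log format, the account names, the IP addresses and the allowlist networks are all constructed for illustration.

```python
"""Flag successful VPN logins that bypass the source allowlist or MFA.

Added example, not Blackpanda's code. Log format, accounts, addresses
and allowlist are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample gateway log: a vendor account logs in normally,
# then succeeds from an unknown address without MFA, then later succeeds
# from an allowed address but still without MFA.
SAMPLE_LOG = """\
2021-10-31T01:12:04Z vpn-gw event=login user=vendor-svc src=203.0.113.10 mfa=true result=success
2021-10-31T01:14:51Z vpn-gw event=login user=vendor-svc src=198.51.100.77 mfa=false result=failure
2021-10-31T01:15:02Z vpn-gw event=login user=vendor-svc src=198.51.100.77 mfa=false result=success
2021-10-31T01:20:30Z vpn-gw event=login user=nurse01 src=203.0.113.22 mfa=true result=success
2021-10-31T02:03:11Z vpn-gw event=login user=vendor-svc src=203.0.113.10 mfa=false result=success
"""

# Assumed per-account allowlist of source networks (constructed values).
ALLOWLIST = {
    "vendor-svc": [ipaddress.ip_network("203.0.113.0/24")],
    "nurse01": [ipaddress.ip_network("203.0.113.0/24")],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) event=login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>true|false) result=(?P<result>\S+)$"
)


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Parse one assumed key=value log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["mfa"] = event["mfa"] == "true"
    return event


def source_allowed(user, src):
    """True if src falls inside one of the user's allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWLIST.get(user, []))


def detect(log_text):
    """Return alerts for successful logins outside the allowlist or without MFA.

    Failed attempts are ignored here on purpose: the point is that a
    *successful* login with stolen credentials only stands out because
    of the allowlist or the missing MFA step, not because of the password.
    """
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "success":
            continue
        if not source_allowed(event["user"], event["src"]):
            alerts.append(Alert(event["ts"], event["user"], event["src"],
                                "source not on allowlist"))
        if not event["mfa"]:
            alerts.append(Alert(event["ts"], event["user"], event["src"],
                                "login without MFA"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.ts} user={alert.user} src={alert.src}: {alert.reason}")
```

Run as-is, the sample produces three alerts: two for the 01:15:02 login (unknown source, no MFA) and one for the 02:03:11 login (allowed source, but no MFA). Without the allowlist and the MFA field, the same three lines would be indistinguishable from the legitimate first login.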
The BCP, which was devoid of cyber countermeasures, amplified another shortcoming, which came with the employment of imprecise measures to confirm the security of certain endpoints.
An estimated 40 out of 200 systems at Handa Hospital were infected with LockBit ransomware. Handa did not perform a forensic sweep or active threat hunt on the 160 remaining systems, and merely determined their infection status by installing and running a free antivirus scan. Traditional antivirus, however, does not do a good job of finding modern malware or advanced attack techniques, as it works by matching files against a pre-compiled list of known signatures. Nowadays, malware strains are continuously evolving to evade this search, so it becomes impossible to unveil all malware dwelling on the endpoint this way. A better approach is to install behavioral Endpoint Detection and Response AI tools like SentinelOne or CrowdStrike—which, instead of simply matching known signatures, actually observe the suspicious behavior of applications—combined with active threat hunting conducted by specialists.
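To make the contrast above concrete, the following added example (not code from Blackpanda, SentinelOne or CrowdStrike) places a signature check beside a behavioral check. The signature check hashes a file and looks it up in a list of known samples; a one-byte change to the sample defeats it. The behavioral check instead looks at file-event telemetry and flags any process that rewrites many files with a single new extension, across several directories, within a short window, which is the pattern a mass-encryption run leaves regardless of which binary produced it. The "known strain" bytes, the telemetry rows, the `.locked` extension and the thresholds are constructed assumptions.

```python
"""Signature matching versus a behavioral file-event heuristic.

Added example; not the code of any EDR product named above. The known
sample, the telemetry and the thresholds are constructed.
"""
import hashlib
from collections import defaultdict

# --- Signature-based check (what a traditional antivirus does) -----------
# Constructed "known strain" bytes; a real list would hold many hashes.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-known-strain-v1"
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(blob):
    """True only if the exact file hash is on the pre-compiled list."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_HASHES


# --- Behavioral check (the kind of rule an EDR evaluates) ----------------
# Constructed telemetry rows: (seconds, process, path, new_extension).
# new_extension is None when the write kept the original file name.
EVENTS = [
    (0, "winword.exe", r"C:\Users\a\report.docx", ".bak"),
    (1, "winword.exe", r"C:\Users\a\notes.docx", ".bak"),
    (2, "updater.exe", r"C:\Share\pt\001.pdf", ".locked"),
    (2, "updater.exe", r"C:\Share\pt\002.pdf", ".locked"),
    (3, "updater.exe", r"C:\Share\pt\003.pdf", ".locked"),
    (3, "updater.exe", r"C:\Share\lab\a.csv", ".locked"),
    (4, "updater.exe", r"C:\Share\lab\b.csv", ".locked"),
    (5, "updater.exe", r"C:\Share\lab\c.csv", ".locked"),
    (9, "svchost.exe", r"C:\Windows\Temp\log.txt", None),
]

WINDOW_SECONDS = 10   # assumed: how close together the writes must be
MIN_FILES = 5         # assumed: how many renamed files trigger the rule
MIN_DIRS = 2          # assumed: spread across directories, not one folder


def behavioral_flags(events):
    """Flag processes that rename many files to one new extension quickly.

    Returns {process: {"files": n, "extension": ext}} for each process
    whose sliding window of extension-changing writes meets all thresholds.
    """
    by_proc = defaultdict(list)
    for t, proc, path, ext in events:
        if ext is not None:
            by_proc[proc].append((t, path, ext))
    flagged = {}
    for proc, rows in by_proc.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= WINDOW_SECONDS.
            while rows[end][0] - rows[start][0] > WINDOW_SECONDS:
                start += 1
            window = rows[start:end + 1]
            exts = {r[2] for r in window}
            dirs = {r[1].rsplit("\\", 1)[0] for r in window}
            if len(window) >= MIN_FILES and len(exts) == 1 and len(dirs) >= MIN_DIRS:
                flagged[proc] = {"files": len(window), "extension": next(iter(exts))}
                break
    return flagged


def compare(sample, events):
    """Run both checks on a sample that differs from the known strain by one byte."""
    return {
        "signature_hits_known": signature_match(sample),
        "signature_hits_mutated": signature_match(sample + b"\x00"),
        "behavioral": behavioral_flags(events),
    }


if __name__ == "__main__":
    print(compare(KNOWN_SAMPLE, EVENTS))
```

The signature lookup returns true for the known bytes and false for the same bytes plus one trailing null, which is all a malware author has to change to evade it. The behavioral rule flags `updater.exe` and ignores `winword.exe`, whose two `.bak` writes stay in one directory and under the count threshold. Real EDR products combine many such rules with process ancestry and network context; the thresholds here are deliberately simple so the distinction from hash matching is visible.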
This containment misstep stands out as a major oversight on Handa's part. An attacker often aims to maintain persistence past the window of response especially if the victim fails to rotate all credentials. Even though the organization's recovery efforts seem complete, a persistent threat can resurface even worse in the future, as they are equipped with knowledge of the newly rebuilt network.
We believe that one of the first steps to recovery should have been to rebuild the Active Directory (AD) instance in their environment. This is crucial as we know that the attacker gained access through stolen VPN credentials, giving us no choice but to assume every password or token in use across the entire organization was compromised. Blackpanda recommends rebuilding the Domain Controller following a confirmed attack on a credentialing system like AD.
Another mistake we noticed on Handa’s behalf was that the computers that did not show signs of infection were allowed to remain online and in-use following the attack. If the entry vector to the network was one of these un-scrubbed systems, this left a backdoor into the network open for the attacker. It is crucial to identify and clean pivot points—that is, servers or systems that connect one phase of an attack to the next—by performing a full reinstallation of the operating system. Without this step, it is only a matter of time before an attacker will return to extort the victim once again.
As digital forensics and incident response specialists, we would like to present what would have been a more practical response strategy to quickly isolate and eradicate the malware. By making an upfront investment in cyber security subject matter experts, as well as having the right cyber security insurance and Tier I “firefighters” like Blackpanda on 24/7 standby, Handa could have offset the over 1.76M USD it had to spend to rebuild its network infrastructure, and returned to full business capacity sooner—treating more patients in need of urgent medical assistance and saving the vast majority of its remediation and damage costs.
Hospitals as a major ransomware target during COVID
Over 17 healthcare facilities in Japan were subject to cyber attacks in the last six years. Six of these attacks happened in 2022 alone. One of these occurred on the 21st of June 2022, when Naruto Yamakami Hospital fell victim to ransomware. Another happened days later, on the 4th of July, at Yasue Hospital in Kagamijima-nishi. This incident temporarily prevented access to its electronic medical record system for more than 110,000 patients.
The digitalization of the healthcare system—including the adoption of new IoT technologies to enhance remote care—has brought more challenges than anticipated. The biggest amongst these challenges are cyber attacks, which have been misclassified as low-priority threats. Threat actors have become increasingly sophisticated in their techniques, and attacks have become more frequent. Most of all, ransomware has become the most common cyber attack, and will likely remain so for the foreseeable future. It is an existential crisis for the victims, similar to how somebody’s life is in imminent jeopardy if they are kidnapped, regardless of whether a negotiation is ongoing.
Healthcare has a fragile digital infrastructure. It is estimated that 83% of medical imaging devices are running on unsupported operating systems (Unit 42 - Palo Alto Networks, 2020). On top of the widening of the healthcare security perimeter with new IoT technologies, security-by-design does not apply to legacy systems and is difficult to achieve with the multiplication of connected endpoints, and supply chain resilience is still lagging behind.
Ransomware in particular creates not only an immediate risk to patient care but has also a long-lasting impact on healthcare organizations. On one hand, ransomware attacks put the lives of those patients who depend on healthcare technologies at enormous risk. The loss of access to medical records and life-saving medical devices hinders effective care for patients. This is especially notable in the immediate term but can have a long-lasting impact on patients who then might struggle to get the medical support they need because of communication interruption and loss of records.
On the other hand, healthcare organizations suffer from costly and time-consuming disruption, requiring funding to recover and improve their systems, retrain staff, and manage reputational damage. This is especially true as the ransomware business model constantly evolves, with innovations such as Ransomware-as-a-Service, double extortion, and an increased sense of community among cyber criminals, who collaborate on darknet for sharing information in order to minimize the research needed to carry out an attack and maximize financial gains.
Healthcare cyber security is greatly under-financed. The introduction of groundbreaking technology during the pandemic was not matched by an upsizing and upskilling of the cyber security teams put in place to protect it; this is one of the vulnerabilities of hospitals during COVID-19. This means that those responsible for cyber incident response in the healthcare sector are few and untrained to respond to the evolving threats the sector is subject to. Effectively, if a hospital is attacked under such high-stress conditions, and there is no appropriate plan to respond to such an incident, healthcare organizations have no choice but to pay the ransom. This may be because they have lost access to vital medical equipment, which they desperately need to stop their patients from dying. To make things worse, many organizations do not have the experience to successfully complete a crypto payment, making the transactions prone to errors.
These are some of the reasons why the healthcare sector is the most vulnerable to ransomware attacks, and also the most urgent to protect, as not just money but also human lives are at stake.
Expert incident handlers are key for rapid ransomware response
Falling victim to ransomware is stressful and emotional, and traditional IT specialists are often unequipped to handle the extensive set of actions that need to be taken in response to the attack. On the other hand, engaging an experienced incident response company such as Blackpanda provides invaluable help in containing the attack, eradicating the malware, and restoring business as usual, all whilst managing public relations, negotiating with the attackers, and ensuring safety and legality throughout. Incident response specialists are trained to mitigate the effects of an incident in a timely and organized manner, including analyzing the intrusion, containing the impact, investigating the root cause, and remediating the issue with maximum efficiency and minimal business interruption.
When engaged before an attack takes place, Blackpanda is able to support the organization in defining a clear incident response (IR) plan. This will list step by step what actions need to be performed in the event of a breach, and can be rehearsed by all staff much like a fire drill, enabling teams to react in a controlled and proven manner, saving precious time and resources following an attack.
When the breach takes place, the incident handlers jump in on the site of the attack—either remotely or in-person—and start by collecting key information about the organization’s requirements, payment expectations, goals, and deadlines by which business operations must resume. Specialists then request information about the first known compromise and the exact timeline of events to support their digital forensics investigations.
The ransomware defense process by incident response specialists proceeds in two parallel streams to ensure the most rapid and effective response possible. On one side, the technical team works to secure the system and recover as many files as possible; on the other, crisis managers run ransom negotiations, aid in creating secure crypto payment accounts, and ensure legal compliance in coordination with both domestic and international law enforcement, as usually necessary.
The technical team carries out a variety of highly complex procedures to contain and eradicate the malware. These cover network security (providing guidance on what needs to happen next in terms of network segregation, physical device actions, and more); eradication and loss mitigation (quarantining the ransomware and recovering as much data and as many digital assets as possible); and digital forensics (attempting to reverse engineer the malware and identify decryption keys to unlock data without resorting to paying the attackers).
If the incident responders fail in independently decrypting the captured files, they conduct proof of life exercises to assess the authenticity of decryption keys provided by the attackers. This is key as in 2020, 17% of ransom payers did not receive a working key to unlock encrypted data. Finally, the IR team recovers the encrypted files while ensuring that the network is secured in order to prevent further attacks. Equipped with the correct key, IR specialists will help decrypt all data, restore system health, and ensure that the malware and its root cause are fully eradicated.
On the crisis management side, Blackpanda incident responders support the organization in ransom negotiation—serving to achieve improved outcomes and providing the time and intelligence necessary for organizational leadership to make informed decisions—and ransom payment facilitation—setting up cryptocurrency payment accounts for the organization and ensuring that all transactions are fully verified, transparent, secure, and auditable.
Alongside this, the responders offer support for reputational damage mitigation—working with trusted partners who can promptly support organizations in communicating with media and press outlets—and reporting and compliance with local authorities and law enforcement agencies as liaisons.
All these are critical features that a good incident response strategy should include. Whilst they are time and resource-consuming for organizations like a hospital to seamlessly put in place, they can be easily outsourced to an expert ransomware provider, saving time, money, resources, and lives in the event of a ransomware attack.
The resilience that Handa Hospital demonstrated in continuing to operate in the face of a LockBit ransomware attack is admirable. The adaptation of a BCP devoid of cyber countermeasures was conducted intelligently, and we surmise that lives may have been saved due to the efforts of the staff.
The rising trend in ransomware attacks—in particular vicious attacks to hospitals during the COVID pandemic—is threatening our critical infrastructure and lives. Thus, adequate cyber attack preparation efforts and investment are key.
Engaging a professional cyber security incident response firm like Blackpanda is the most effective and efficient way to ensure that breach response is timely and successful, all whilst minimizing the damage a breach inflicts and the cost of repairing it. Incident response specialists have a deep understanding of different ransomware tools and techniques, the actors and motives behind an attack, and the competencies of the attackers. This contributes to the achievement of an acceptable and normative level of safety.
Blackpanda is close to Handa Hospital in this hard time, and is driven by the conviction that protecting essential infrastructure from heartless cyber criminals is our foremost duty.