On October 28, 2020, CISA, the FBI and HHS released a joint alert (AA20-302A) regarding “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers”. The alert covers specific details for two pieces of malware seen together in these attacks: TrickBot, a modular banking trojan and loader, and the Ryuk ransomware it is used to deploy. It also goes into more general procedures for mitigating the risk of, and recovering from, ransomware.
A copy of the advisory is available from US-CERT here: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
All of the recommendations are important, but some highlights are below:
Policy and procedure:
- Have business continuity plans and procedures, and review them regularly
- Regularly test these plans to identify gaps in protection, or efficiencies that would reduce the impact of a security incident
Network and infrastructure:
- Restrict administrative access to meet least privilege practices
- Require multi-factor authentication where possible, especially on Internet-facing systems
- Keep security patches up to date on all systems
- Remove any unused remote access solutions and review security configuration for active remote solutions
- Regularly update and scan with antivirus and anti-malware solutions
- Have a plan for collecting and retaining audit logs, and review them regularly
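As an added example of what "regularly review audit logs" can look like in practice (this is not code from the original post or from the advisory), the script below reviews process-creation audit events for behaviour that commonly precedes ransomware deployment: shadow copy deletion, disabling of Windows recovery, domain discovery commands, and a burst of service stops on one host. It assumes the logs were exported as JSON lines with the fields `ts`, `host`, `user` and `cmd` (a hypothetical format chosen for illustration; real Windows 4688 or Sysmon exports differ), and the indicator patterns and thresholds are general ransomware tradecraft assumed here, not quoted from the advisory. The sample log lines are constructed.

```python
"""Review exported process-creation audit logs for ransomware precursor activity.

Added example, not from the CISA advisory or the original post. Log format,
indicator patterns and thresholds are assumptions made for illustration.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one JSON object per line (hypothetical format).
SAMPLE_LOG = r"""
{"ts": "2020-10-28T02:10:01Z", "host": "FS01", "user": "svc_backup", "cmd": "nltest /dclist:corp"}
{"ts": "2020-10-28T02:10:05Z", "host": "FS01", "user": "svc_backup", "cmd": "net group \"domain admins\" /domain"}
{"ts": "2020-10-28T02:11:40Z", "host": "FS01", "user": "svc_backup", "cmd": "vssadmin delete shadows /all /quiet"}
{"ts": "2020-10-28T02:11:41Z", "host": "FS01", "user": "svc_backup", "cmd": "bcdedit /set {default} recoveryenabled no"}
{"ts": "2020-10-28T02:12:00Z", "host": "FS01", "user": "svc_backup", "cmd": "net stop MSSQLSERVER /y"}
{"ts": "2020-10-28T02:12:01Z", "host": "FS01", "user": "svc_backup", "cmd": "net stop SQLWriter /y"}
{"ts": "2020-10-28T02:12:02Z", "host": "FS01", "user": "svc_backup", "cmd": "net stop VSS /y"}
{"ts": "2020-10-28T02:12:03Z", "host": "FS01", "user": "svc_backup", "cmd": "net stop wuauserv /y"}
{"ts": "2020-10-28T09:00:00Z", "host": "WS22", "user": "jdoe", "cmd": "net stop spooler"}
{"ts": "2020-10-28T09:05:00Z", "host": "WS22", "user": "jdoe", "cmd": "vssadmin list shadows"}
"""

# Single-event indicators (assumed general ransomware tradecraft, not page-specific).
PRECURSOR_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "domain_discovery": re.compile(r"nltest\s+/dclist|net\s+group\s+\"?domain admins", re.I),
}

# Behavioural indicator: many services stopped on one host in a short window,
# which ransomware does to release locked database and backup files.
SERVICE_STOP = re.compile(r"^(net\s+stop|sc\s+stop)\s+", re.I)
STOP_BURST_THRESHOLD = 3              # assumed: this many stops ...
STOP_BURST_WINDOW = timedelta(minutes=2)  # ... within this window is suspicious


def parse_events(text):
    """Parse JSON-lines export into dicts with a datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def match_precursors(events):
    """Flag every event whose command line matches a single-event indicator."""
    findings = []
    for ev in events:
        for rule, pattern in PRECURSOR_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                findings.append({"rule": rule, "host": ev["host"], "user": ev["user"],
                                 "ts": ev["ts"], "cmd": ev["cmd"]})
    return findings


def find_service_stop_bursts(events):
    """Sliding window per host: flag once when enough stops land inside the window."""
    stops_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if SERVICE_STOP.search(ev["cmd"]):
            stops_by_host[ev["host"]].append(ev)
    findings = []
    for host, stops in stops_by_host.items():
        start = 0
        for end in range(len(stops)):
            while stops[end]["ts"] - stops[start]["ts"] > STOP_BURST_WINDOW:
                start += 1
            window = stops[start:end + 1]
            if len(window) >= STOP_BURST_THRESHOLD:
                findings.append({"rule": "service_stop_burst", "host": host,
                                 "user": window[0]["user"], "ts": window[0]["ts"],
                                 "cmd": "; ".join(e["cmd"] for e in window)})
                break  # one finding per host is enough to trigger triage
    return findings


def review_audit_log(text):
    """Return all findings for an exported log, earliest first."""
    events = parse_events(text)
    findings = match_precursors(events) + find_service_stop_bursts(events)
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M:%S} {f['host']:<6} {f['user']:<12} {f['rule']:<22} {f['cmd']}")
```

On the constructed sample the review surfaces the FS01 chain (discovery, shadow copy deletion, recovery disabled, service stop burst) and stays quiet on WS22, where a single `net stop` and a read-only `vssadmin list shadows` are routine administration. The point of pairing single-event rules with a windowed count is that a lone `net stop` is noise, while several in seconds on a file server is the step right before encryption.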
Backups:
- Follow the 3-2-1 backup methodology: three copies of the data, on two different types of media, with one copy off-site
- Keep at least one copy offline (air-gapped) and password-protected, so it cannot be encrypted along with the live systems
- Have a tested recovery plan, including recovery time objectives (RTOs)
User awareness and training:
- Security awareness training for all users is critical, including who to contact when they see something suspicious
Review the advisory and other CISA ransomware guidance for what you can do to reduce your risk and recover more quickly.