
Ransomware: A virus that wants money from hospitals—and grandma

05/16/2017


As featured in the Tennessean

Hackers last week clogged up computers and networks around the world with malicious software. The fast-moving virus was notable to experts for how swiftly it moved.

Some malicious software, known as malware, is designed to take over an army of computers for "bad guys" to use as a weapon while other malware is designed to steal data, said Mark Burnette, a cybersecurity expert with LBMC Information Security. In this case, the "bad guys" wanted money.

The malware relies on people falling prey to corrupt links, which allow the virus to infiltrate the system.

Here's a rundown on how it works, why companies — particularly in the health care sector — are at risk and steps that can prevent an attack.

What is ransomware?

It's a variant of malware. It takes data hostage by encrypting the hard drive of a computer and then offers the chance to get the code to unlock the computer in exchange for money. 

In the case of WannaCry, the malware that infected computers around the world on Friday, the cost was about $300 per locked computer. However, there's no guarantee the victim will receive the code to unlock the computer, said Burnette. He said that there was about a 50 percent chance of getting the passkey with WannaCry.

"The bad guys are simply looking for payment. They don’t want the computer. They don’t want the data. They just want money," said Burnette, whose phone has been ringing since Friday for people with questions about how to protect their company's systems.

How does it work?

In this case, WannaCry — a derivative of the file name wanacrypt0r — preyed on a hole in Microsoft's Windows operating system. Ransomware could infect any computer but most of today's viruses are infecting computers running Windows, said Burnette. 

WannaCry is "wormable," meaning it doesn't require the user to take action; once the trojan link is clicked, the virus, connected to the larger network, will search for other computers that have the particular vulnerability.

For many companies, the prospect of data being held hostage is enough to warrant paying the ransom. As in movies about kidnappers, law enforcement officials advise people not to pay. But for companies, particularly health care companies, lost data is a cybersecurity nightmare, said Tony McFarland, attorney at Bass Berry & Sims. 

Many organizations might say ‘oh it's worth it.’ "That’s one of the reasons why the bad guys are making it ‘affordable,’" said Burnette.

Who is at risk?

People with Windows computers are more at risk than Mac users although there are viruses that impact Apple's operating system, Burnette said. 

Anyone should be cautious of attachments they didn't expect or links that look suspicious. 

"The ransomware doesn’t care whether it’s a work computer or grandma’s computer," said Burnette.

The surprising part of WannaCry is how swiftly it moved and infected computers globally. Malware is common, but WannaCry received so much attention because "it's so rare for it to have such a scope," said McFarland.

Healthcare companies especially at-risk

Health care providers are particularly a target because they are the keepers of medical records — the lifeblood of health care, said McFarland. And the hackers know that.

"If the information has been held hostage and the more important the information is to you, the more likely you’re going to pay," said McFarland. "That’s one reason why health care companies are such good targets. They have less ability to not pay. And the attackers know that – they are smart people."

Large companies, including hospital operators, health systems and data analytics firms, are generally prepared to detect and fend off attacks, said McFarland. A widespread attack such as WannaCry is often a reminder to continually train employees and patch, or "harden," holes in the system. 

"This particular variant of malware serves as a reminder to those companies that they have to stay diligent all the time," said McFarland. "It’s a little, ‘For the grace of God, go I.’"

But smaller or less tech-savvy firms, ranging from provider practices, small hospitals and other practices that keep medical records, are more vulnerable to attacks such as WannaCry, said McFarland. Smaller, and often leaner, firms may not have trained all the employees with computer access on what to watch for. Or the practice may rely on a single bookkeeper with a single computer for processing billing and payments.

Typically, smaller, less sophisticated health care entities are more at risk here "because they could lose their practice overnight if all their patients lose confidence" in their ability to safeguard records, said McFarland.

Easy steps make companies — and regular people! — less likely to be victims

Don't think the bullet is dodged if WannaCry didn't get you.

"Even though this seems now to be contained it wouldn’t take much, a small variant in the malware, to resurrect this problem so people shouldn’t get complacent," said McFarland.

  • Keep software updated. Patches are rolled out all the time and are free. Set the computer up to install them automatically. Fixing holes in the system is the equivalent of locking your home's front door, said Burnette.
  • Train people to look for suspicious attachments and links. Clicking a weird link or opening a strange document is the same as looking out the window when there's a knock at the door, without recognizing or expecting someone and opening the door anyway, said Burnette.
  • Regularly back up your computer's hard drive so the information is elsewhere, thus reducing reliance on a single hard drive. Ransomware's only "value is to prevent you from having access to your data," said McFarland.
  • Establish an emergency response system that includes a chain of command for notification. Early steps would be ensuring people know what to look for and how to react, i.e., alerting the IT department, when the encryption process begins if a ransomware virus takes hold.
  • Turn off features, such as email capabilities on a server, that aren't being used. 

Reach Holly Fletcher at hfletcher@tennessean.com or 615-259-8287 and on Twitter @hollyfletcher.