Healthcare Informatics Magazine

FBI: Do Not Pay Ransom in Ransomware Attacks; Focus on Prevention Efforts, Contingency Plans

May 6, 2016
by Heather Landi

The FBI does not support paying a ransom in a ransomware attack, as it doesn’t guarantee that organizations will get their data back. Instead, organizations should focus on prevention efforts and developing a business continuity plan in the event of an attack, according to a recent FBI blog post.

While ransomware has been around for a few years, law enforcement saw an increase in these cyber attacks in 2015, and it’s likely that the number of ransomware incidents and the ensuing damage they cause will grow even more in 2016, the blog post stated.

This past year saw hospitals, school districts, state and local governments, law enforcement agencies and small and large businesses targeted by ransomware attacks. Ransomware is a type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. The FBI notes that ransomware attacks are dangerous because the inability to access important data can be catastrophic, whether through the loss of sensitive or proprietary information or the disruption of regular operations, such as electronic medical records (EMR) systems in hospitals.

So far this year, several hospitals, including Hollywood Presbyterian Medical Center and the 10-hospital MedStar Health system based in Columbia, Maryland, were purportedly victimized by ransomware attacks which locked clinicians out of the EMR/EHR systems. In these instances, the loss of patient data can impact patient care.

“If the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance,” the FBI stated in the blog post.

The FBI post also details how ransomware attacks occur. Typically, an attack involves a computer user opening an email or attachment that appears legitimate, or clicking on a legitimate-looking URL, that actually contains malicious ransomware code or connects to a website that infects the computer with malicious software. The malware then begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network.

“Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides,” the FBI wrote.

The FBI also states that ransomware attacks are becoming more sophisticated, using spear phishing emails that target specific individuals, and that some cyber criminals aren’t using emails at all.

“These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers,” according to FBI Cyber Division Assistant Director James Trainor, as quoted in the blog post.

The FBI also stated that it does not support paying a ransom in response to a ransomware attack. Trainor said, “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

The FBI recommends that organizations focus on two main areas: prevention efforts, both in terms of awareness training for employees and robust technical prevention controls; and the creation of a solid business continuity plan in the event of a ransomware attack.

The FBI offered the following guidance:

Prevention Efforts

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts

  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

 

“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” Trainor said. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.”

If an organization believes it has been the victim of ransomware, organization leaders are encouraged to contact a local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

 
