A highlight of the annual Global Network & Application Security Report is always the deep case studies. Each year, we work closely with a customer that has made the difficult, but admirable decision to shine a light on their experiences as a victim of a cyber-security attack. By sharing, these customers can help others prepare for what now is sadly an inevitable experience for many companies.
Of late, I’ve noticed an interesting intersection from the featured case studies of the past two years that on the surface seem to have very little in common. In 2015, the report profiled an advanced attack against the Boston Children’s Hospital and this year the case study chronicled a ransomware attack against the encrypted email provider ProtonMail. The Presbyterian Medical Center attack sought to leverage the same fears (interruption of medical care) as the Boston Children’s attack, but with a motive that mirrors ProtonMail’s ransom attack (financial gain).
Therein lies the connection: the malicious targeting of a provider of medical services (including emergency medical services) acts as the anchor point for an argument that ties the ProtonMail and Boston Children’s Hospital attacks together.
Ransom Attack Profiles
The ProtonMail case study reinforces a key finding from the survey results: ransom as a motivation for attackers has increased by 50%, growing from 16% in 2014 to 25% in 2015. These ransom attacks are on the rise for a number of reasons. First, the ease of access and relatively low cost of launching disruptive attacks makes the motive of immediate financial gain attractive. So too does the increased ease of masking the source of attacks, whether by spoofing IPs or by reaching targets through a CDN or global NAT that obscures the exact attacking resources within a broader network.
In November 2015, ProtonMail experienced consecutive attacks initiated with a ransom request by a new hacker group, The Armada Collective. Hoping to stop the attacks, ProtonMail paid the ransom, only to see the attacks continue with volumetric and burst attacks combining application and network vectors. These advanced DDoS attacks included volumetric attacks exceeding 100 Gbps as well as application-layer attacks. They also included multiple encrypted attack vectors, including SSL SYN flood attacks that required advanced behavioral analysis to identify malicious traffic while maintaining legitimate encrypted traffic flows. In the end, ProtonMail found that the only real solution was advanced DDoS mitigation technology providing sustained protection.
In the previous year’s report, we told the story of Boston Children’s Hospital, which became the target of intense attacks in April 2014. The motive here, however, was different. The attacks stemmed from publicity around a high-profile child-custody case in which a 15-year-old girl with a complex diagnosis was taken into custody by Massachusetts protective services. Boston Children’s Hospital was providing care to the girl and so became embroiled in the controversy.
Hence the connection back to the more recent attack against the Presbyterian Medical Center. According to the hospital and the media coverage, the attack did cause disruption, though reportedly no compromise of patient care. One of the more alarming aspects of the coverage was at least one security expert suggesting that when faced with a ransom attack “it’s usually cheaper to pay the ransom than fix the problem.” That’s disturbing advice. Even if you dismiss the scenario in which attacks continue past the point of payment, the idea of not addressing the systemic issue should be purged from IT and security teams’ thinking, not encouraged.
While the attack against Presbyterian Medical Center has died down from a mass-media perspective, speculation continues as to the source of the breach. One strong possibility is that it stemmed from a JBoss vulnerability within a medical device in use at the hospital, as this vulnerability was previously exploited in a hack of Hospira MedNet a year ago. This highlights the potential impact of IoT and hack-prone devices being connected to networks that access sensitive data in order to administer critical care.
Prepare for More Emotional Exposure Tied to Ransom
For many years, the discussion around ransom attacks and how to respond has centered on three main factors: the credibility of the threat, the identification and cost of remediation (i.e., solving the actual security problem), and the impact of the breach, outage, or core threat. This last piece has typically been a business assessment, but how do the dynamics of ransom attacks change when the implications of not avoiding the impact (perhaps through payment, but more effectively through improved security) become an emotional or even life-or-death situation? We saw the potential of this type of threat with the Ashley Madison hack, where numerous organizations approached names on the list claiming they would remove them for a fee.
There are ebbs and flows in the motives behind modern cyber-security attacks. But there is no denying the old line that “money is the root of all evil,” and attacks tied to financial gain, whether overt or covert, are starting to take advantage of our increased dependence on the network. IoT promises only to accelerate the aspects of our day-to-day lives that are wholly network-dependent. Incidents like the Presbyterian Medical Center attack highlight to all of us the importance of pushing security controls to a level where we can be confident that a ransom threat won’t force us to respond emotionally.