• Ransomware
  • Bitpaymer’s offspring disrupts hospitals

    A variant of the Bitpaymer ransomware has been breaching hospitals’ ICT. It has hit NHS Lanarkshire in Scotland, which was also breached earlier this year by WannaCry, as reported on eHNA. Some operations were cancelled, GPs’ work was disrupted and patients were asked to attend Accident and Emergency only if their needs were urgent. ZDNet reports that systems were taken offline. The perpetrators say they have gathered "private sensitive data."

    Unlike most intrusions, which prefer to stay covert, ransomware announces itself to users and asks for a ransom in return for a decryption key. The demand was very high, some 50 bitcoins, about £168,000 or US$218,000. Failure to pay may result in the criminals publishing the data they claim to have taken. That combination, encryption plus a threat to leak, means restoring from backup brings services back but does not undo the breach: the incident still has to be handled as a loss of patient data.

    ZDNet has a short ransomware guide, Ransomware: An executive guide to one of the biggest menaces on the web. Remove All Threats and Protect PC Health both have guides on removing Bitpaymer; both are for PCs.

  • WannaCry and NotPetya don’t need eHealth users

    Africa’s health systems need to match the sophistication of ransomware attackers. Neither WannaCry nor NotPetya, the latest types of attack, relies on users clicking to open email attachments. Instead, they exploit vulnerabilities in systems to gain access and then spread across networks. Barkly, a cyber-security firm, describes this as misusing legitimate system tools and processes: NotPetya, for instance, moved between machines with the standard Windows administration tools PsExec and WMIC as well as with exploit code. Unlike earlier methods that dropped suspicious executables, this wave can avoid scrutiny from some cyber-security products. A Barkly video shows how they work.

    Its solution includes:

    o   Learning how cyber-attackers exploit tools to spread ransomware without files and without user interaction, instead of phishing emails
    o   Knowing why attacks that need no interaction are becoming more popular, with two thirds of ransomware in Q1 2017 using Microsoft’s Remote Desktop Protocol (RDP)
    o   Testing your security against fileless attack scenarios using a malware simulation tool.


    This approach may help Africa’s eHealth programmes step up their cyber-security measures against ransomware. Simulating an attack is better than dealing with its aftermath.

  • Is NotPetya a shift in ransomware’s goals?

    After WannaCry came NotPetya. A report from Forbes says it’s not typical ransomware that aims to make illicit money. It describes it as more devastating: it can inflict permanent damage on data and hard drives.

    The Grugq, a security researcher, says NotPetya looks like Petya ransomware. There’s code sharing, but Petya was a criminal, money-making enterprise. NotPetya was designed to spread fast and cause damage under a plausible ransomware front. The Grugq says it was a direct attack on Ukraine.

    It spread to organisations globally, so what does it mean for Africa’s eHealth? First, an eHealth service could become collateral damage of an offensive cyber-attack aimed at another country. Next, it emphasises the need for regular backups that are not connected to eHealth networks, since an attacker who can reach the backups can encrypt or wipe those too. Third, it’s vital to keep systems, anti-virus and other cyber-security services up to date with the latest upgrades and patches.

    As a shift in emphasis for ransomware, NotPetya means cyber-security measures and performance have to be increasingly effective and vigilant. It looks like there’s more, and worse, to come.

  • Symantec’s issued advice about WannaCry

    Now that the dust from WannaCry has receded, though it may not yet have settled, more information is emerging. It’s an important part of the build-up of cyber-security defences in Africa’s eHealth programmes.

    Symantec, the cyber-security firm, says it’s confident it can beat WannaCry. The virulent ransomware strain has breached hundreds of thousands of computers worldwide since it emerged on 12 May 2017. It’s much more dangerous than other ransomware types because it spreads rapidly across an organisation’s networks by exploiting a vulnerability in Windows SMBv1 on machines that had not applied Microsoft’s MS17-010 patch, released in March 2017. The exploit, EternalBlue, was released online in April as part of a series of leaks by the Shadow Brokers group, which claimed it stole the data from the Equation cyber-espionage group.

    WannaCry searches for and encrypts 176 different file types, and appends .WCRY to the end of file names. It then asks users to pay a US$300 ransom in bitcoin. The ransom note says the amount will double after three days, and that the encrypted files will be deleted if payment isn’t made within seven days. Despite this, Symantec hasn’t found any code in the ransomware that would delete files. Symantec does not recommend paying the ransom.
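    The renaming behaviour Symantec describes, the original file name kept and .WCRY appended, is something a file-server audit log or an endpoint agent can catch while encryption is still in progress. The Go program below is an added example, not Symantec’s or the page’s code. It parses constructed rename events in an assumed key=value format and flags any process that appends .WCRY to several files within a short window, which is the signal to isolate that host. Hosts, process names and paths in the sample data are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// FileEvent is one rename record from an endpoint agent or file-server audit log.
type FileEvent struct {
	When             time.Time
	Host, PID, Image string
	Src, Dst         string
}

// Alert describes one process that renamed files the way WannaCry does.
type Alert struct {
	Host, PID, Image string
	Count            int       // matching renames seen from this process in total
	First, Last      time.Time // span of the burst that crossed the threshold
}

// ParseEvent reads one log line in the assumed (constructed) format
//   <RFC3339 time> host=<h> pid=<p> image=<exe> op=rename src=<path> dst=<path>
// Paths must not contain spaces in this simplified format.
func ParseEvent(line string) (FileEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return FileEvent{}, false
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return FileEvent{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return FileEvent{}, false
		}
		kv[parts[0]] = parts[1]
	}
	if kv["op"] != "rename" || kv["host"] == "" || kv["pid"] == "" || kv["src"] == "" || kv["dst"] == "" {
		return FileEvent{}, false
	}
	return FileEvent{When: when, Host: kv["host"], PID: kv["pid"], Image: kv["image"],
		Src: kv["src"], Dst: kv["dst"]}, true
}

// looksEncrypted reports whether dst is exactly src with the marker extension appended.
// Keeping the original name and adding ".WCRY" is what separates this from an office
// application's ordinary save-then-rename of a temporary file.
func looksEncrypted(ev FileEvent, marker string) bool {
	if len(ev.Dst) <= len(marker) || !strings.EqualFold(ev.Dst[len(ev.Dst)-len(marker):], marker) {
		return false
	}
	return strings.EqualFold(ev.Dst[:len(ev.Dst)-len(marker)], ev.Src)
}

// DetectEncryptionBursts flags every (host, pid) that appended ".WCRY" to at least
// threshold files inside any window of the given length.
func DetectEncryptionBursts(lines []string, threshold int, window time.Duration) []Alert {
	const marker = ".WCRY"
	byProc := map[string][]FileEvent{}
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok || !looksEncrypted(ev, marker) {
			continue
		}
		key := ev.Host + "|" + ev.PID
		byProc[key] = append(byProc[key], ev)
	}
	var alerts []Alert
	for _, evs := range byProc {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		start := 0
		for end := range evs { // sliding window over the sorted timestamps
			for evs[end].When.Sub(evs[start].When) > window {
				start++
			}
			if end-start+1 >= threshold {
				alerts = append(alerts, Alert{Host: evs[0].Host, PID: evs[0].PID, Image: evs[0].Image,
					Count: len(evs), First: evs[start].When, Last: evs[end].When})
				break // one alert per process is enough; the response is to isolate the host
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Host+alerts[i].PID < alerts[j].Host+alerts[j].PID })
	return alerts
}

// SampleEvents is constructed test data, not a real capture: one process on ws07 renames
// six files in five seconds, an office application renames a temp file, and a single
// stray .WCRY rename on ws12 stays below the threshold.
var SampleEvents = []string{
	"2017-05-12T10:03:01Z host=ws07 pid=4128 image=unknown.exe op=rename src=C:\\Users\\anne\\Documents\\referrals.xlsx dst=C:\\Users\\anne\\Documents\\referrals.xlsx.WCRY",
	"2017-05-12T10:03:01Z host=ws07 pid=4128 image=unknown.exe op=rename src=C:\\Users\\anne\\Documents\\clinic.docx dst=C:\\Users\\anne\\Documents\\clinic.docx.WCRY",
	"2017-05-12T10:03:02Z host=ws07 pid=4128 image=unknown.exe op=rename src=C:\\Users\\anne\\Desktop\\rota.pdf dst=C:\\Users\\anne\\Desktop\\rota.pdf.WCRY",
	"2017-05-12T10:03:02Z host=ws07 pid=900 image=winword.exe op=rename src=C:\\Users\\anne\\Documents\\~WRL0001.tmp dst=C:\\Users\\anne\\Documents\\letter.docx",
	"2017-05-12T10:03:03Z host=ws07 pid=4128 image=unknown.exe op=rename src=C:\\Users\\anne\\Pictures\\xray.jpg dst=C:\\Users\\anne\\Pictures\\xray.jpg.WCRY",
	"2017-05-12T10:03:04Z host=ws07 pid=4128 image=unknown.exe op=rename src=C:\\Users\\anne\\Documents\\budget.xlsx dst=C:\\Users\\anne\\Documents\\budget.xlsx.WCRY",
	"2017-05-12T10:03:05Z host=ws07 pid=4128 image=unknown.exe op=rename src=C:\\Users\\anne\\Documents\\notes.txt dst=C:\\Users\\anne\\Documents\\notes.txt.WCRY",
	"2017-05-12T10:09:40Z host=ws12 pid=2210 image=backup.exe op=rename src=D:\\Archive\\old.zip dst=D:\\Archive\\old.zip.WCRY",
}

func main() {
	for _, a := range DetectEncryptionBursts(SampleEvents, 5, 10*time.Second) {
		fmt.Printf("ALERT host=%s pid=%s image=%s: %d files renamed to .WCRY, burst %s..%s\n",
			a.Host, a.PID, a.Image, a.Count, a.First.Format("15:04:05"), a.Last.Format("15:04:05"))
	}
}
```

    The threshold and window are deliberately low because a legitimate process rarely renames many files to the same unusual extension within seconds; tune both against your own baseline before alerting on them. The approach generalises to any family that appends a fixed extension, so the marker can be extended to a list, and the same logic works on Windows file-system auditing or Sysmon output once the parser is adapted to that format.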

    Decrypting the encrypted files isn’t possible yet; Symantec’s researchers are investigating the possibility. If you have backup copies of affected files, you may be able to restore them.

    Symantec has identified two possible links loosely connecting WannaCry and the Lazarus Group. One is shared code between Lazarus tools and WannaCry: a custom SSL implementation, SSL being the protocol that encrypts data sent over the Internet. Symantec sees this as justifying further investigation.

    Some files may be recoverable without backups. Files saved on the Desktop, in My Documents or on removable drives are encrypted and their original copies wiped, so they are not recoverable. Files stored elsewhere are encrypted and their original copies merely deleted, so they could be recovered using an undelete tool, provided the disk hasn’t been written to much since the infection.

    Symantec and Norton customers are protected against WannaCry by a combination of technologies. Proactive protection was provided by:

    o   IPS network-based protection
    o   SONAR behaviour detection
    o   Advanced Machine Learning (AML)
    o   Intelligent Threat Cloud (ITC).

    Customers should have these technologies enabled for full proactive protection. Symantec Endpoint Protection (SEP) customers are advised to migrate to SEP 14 to take full advantage of AML signatures.


  • After WannaCry, what’s next?

    As a shock to cyber-security systems, WannaCry was huge. Barkly, a cyber-security firm, has set out in its blog the attacks it expects next. It’s valuable information for Africa’s eHealth. Three possibilities are:

    One is another attack using ETERNALBLUE, the same basis as WannaCry. Organisations struggling to update their systems will be vulnerable, and the next breach could be more damaging. An example is Cerber, which has recently bypassed antivirus solutions that rely on machine learning. Barkly sees the effect of an attack delivering ransomware like Cerber as much worse than WannaCry.

    Barkly says a patch can help. If patching isn’t feasible, restricting access to port 445 or disabling Server Message Block version 1 (SMBv1) are options. SMBv1 is the only SMB version EternalBlue attacks, so disabling it rather than all of SMB keeps file and print sharing working over SMBv2 and SMBv3.

    Another possible attack spreads through Remote Desktop Protocol (RDP), Microsoft’s proprietary remote-access protocol. It’s reachable wherever port 3389 is open to the Internet, exposing RDP. Dharma, CrySiS and SamSam ransomware have all exploited RDP. It’s easy for cyber-criminals to find these exposures: Barkly says masscan, a port scanning tool, can sweep the whole Internet within six minutes, enabling attackers to collect a large victim list.

    Another of the NSA exploits leaked by the Shadow Brokers, ESTEEMAUDIT, specifically targets RDP. Fortunately it only affects Microsoft Windows Server 2003 and Windows XP. But that doesn’t mean an exploit for newer systems doesn’t also exist and won’t be released at some point.

    Cyber-attacks may use another of the leaked US National Security Agency (NSA) tools, like ETERNALBLUE. Bleeping Computer identified 23 of them. They’re listed in the Barkly blog.

    Many target SMB, so the first step is to secure it by patching and reviewing access to port 445. The next step is more challenging because there’s no information on the precise nature of their malicious use.
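    Whether SMBv1 is actually still reachable is worth verifying rather than assuming, both on the port-445 hosts a masscan sweep like the one described above would find and after a patch or policy change. The Go program below is an added example, not code from Barkly or the page: it builds a plain SMB_COM_NEGOTIATE request that offers only the SMBv1 dialect NT LM 0.12 and reports whether a server selects it, the same check that tools such as nmap’s smb-protocols script perform. The sample replies are constructed so the parser can be exercised offline; the live probe runs only when a host is given on the command line and should only be pointed at systems you are authorised to test.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

const smbComNegotiate = 0x72 // SMB_COM_NEGOTIATE

// netbios wraps an SMB message in a NetBIOS session-service frame: type 0x00 + 24-bit length.
func netbios(msg []byte) []byte {
	return append([]byte{0x00, byte(len(msg) >> 16), byte(len(msg) >> 8), byte(len(msg))}, msg...)
}

// BuildNegotiate returns an SMB_COM_NEGOTIATE request that offers only the SMBv1 dialect
// "NT LM 0.12". A server that selects it still has SMBv1 enabled.
func BuildNegotiate() []byte {
	hdr := make([]byte, 32) // 32-byte SMB_Header (MS-CIFS 2.2.3.1)
	copy(hdr[0:4], "\xFFSMB")
	hdr[4] = smbComNegotiate
	hdr[9] = 0x18                                     // Flags: canonical paths, case-insensitive
	binary.LittleEndian.PutUint16(hdr[10:12], 0xC001) // Flags2: long names, NT status, unicode
	binary.LittleEndian.PutUint16(hdr[26:28], 0xFEFF) // PIDLow, any value will do
	dialect := append([]byte{0x02}, "NT LM 0.12\x00"...) // BufferFormat 0x02 + ASCIIZ name
	body := make([]byte, 3)                                // WordCount = 0, then ByteCount
	binary.LittleEndian.PutUint16(body[1:3], uint16(len(dialect)))
	return netbios(append(append(hdr, body...), dialect...))
}

// ParseNegotiateResponse reports whether a NetBIOS-framed reply selected an SMBv1 dialect.
// DialectIndex 0xFFFF means the server rejected every dialect offered.
func ParseNegotiateResponse(frame []byte) (bool, error) {
	if len(frame) < 4 || frame[0] != 0x00 {
		return false, errors.New("not a NetBIOS session message")
	}
	n := int(frame[1])<<16 | int(frame[2])<<8 | int(frame[3])
	msg := frame[4:]
	if n < 35 || len(msg) < n {
		return false, errors.New("truncated SMB message")
	}
	if string(msg[0:4]) != "\xFFSMB" { // 0xFE 'S' 'M' 'B' here would be an SMB2 reply
		return false, errors.New("not an SMBv1 header")
	}
	if msg[4] != smbComNegotiate {
		return false, fmt.Errorf("unexpected SMB command 0x%02x", msg[4])
	}
	status := binary.LittleEndian.Uint32(msg[5:9])
	wordCount := msg[32]
	dialectIndex := binary.LittleEndian.Uint16(msg[33:35])
	return status == 0 && wordCount > 0 && dialectIndex != 0xFFFF, nil
}

// ProbeSMB1 sends the SMBv1-only negotiate to host:445. A server with SMBv1 disabled
// normally just drops the connection, which is reported as (false, nil).
func ProbeSMB1(host string, timeout time.Duration) (bool, error) {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, "445"), timeout)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write(BuildNegotiate()); err != nil {
		return false, err
	}
	hdr := make([]byte, 4)
	if _, err := io.ReadFull(conn, hdr); err != nil {
		return false, nil // closed or silent: the server would not negotiate SMBv1
	}
	body := make([]byte, int(hdr[1])<<16|int(hdr[2])<<8|int(hdr[3]))
	if _, err := io.ReadFull(conn, body); err != nil {
		return false, err
	}
	return ParseNegotiateResponse(append(hdr, body...))
}

// fakeReply builds a constructed server reply for offline checks; it is not a real capture.
func fakeReply(wordCount byte, dialectIndex uint16) []byte {
	msg := make([]byte, 32+1+2*int(wordCount)+2) // header, WordCount, words, ByteCount
	copy(msg[0:4], "\xFFSMB")
	msg[4] = smbComNegotiate
	msg[32] = wordCount
	binary.LittleEndian.PutUint16(msg[33:35], dialectIndex)
	return netbios(msg)
}

var (
	SampleAccepted = fakeReply(17, 0)     // server picked dialect 0 = NT LM 0.12: SMBv1 on
	SampleRefused  = fakeReply(1, 0xFFFF) // server accepted no dialect: SMBv1 off
)

func main() {
	on, _ := ParseNegotiateResponse(SampleAccepted)
	off, _ := ParseNegotiateResponse(SampleRefused)
	fmt.Println("constructed replies => accepted:", on, "refused:", off)
	if len(os.Args) > 1 { // go run smbprobe.go <host> checks a real server on TCP/445
		ok, err := ProbeSMB1(os.Args[1], 3*time.Second)
		fmt.Printf("%s SMBv1 enabled: %v (err: %v)\n", os.Args[1], ok, err)
	}
}
```

    A true result means the host still negotiates SMBv1 and therefore still needs MS17-010 confirmed and SMBv1 switched off; a closed connection is what a hardened Windows host does with this request. Feeding the probe the port-445 addresses from a masscan list output gives the same view of exposure that an attacker has, and re-running it after every change is the only way to know the change took.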

    An important underlying endeavour is to learn from WannaCry. The first priority is a rigorous cyber-security review. Next, fix the vulnerabilities it finds. Repelling the next set of attacks can never be totally reliable, so off-line backups are what minimise the damage that can’t be prevented.

  • A checklist can help combat ransomware

    As ransomware ratchets up as a cyber-security threat, extra and effective vigilance is essential. WannaCry, reported on eHNA, shows how it’s a bigger risk and priority. A ransomware checklist and kit, part of a seven-file download from Sophos, a cyber-security firm, provides timely advice. It has two main parts: essential technologies and best cyber-security practices. These are valuable for Africa’s eHealth.

    There are two main types of ransomware attack. One is a plausible-looking but booby-trapped email with a malicious attachment. The other comes from a compromised website. Both deliver ransomware when users open the attachment or click the link, and it then works its way to endpoints and servers. WannaCry stepped this up: it scans and hunts for vulnerabilities and includes a worm that spreads across networks without any user action at all.

    If ransomware reaches endpoints and servers, it’s essential that it’s blocked and removed promptly. This may need tools; an example is Sophos’s CryptoGuard technology. Solutions must:

    o   Complement existing cyber-security
    o   Block processes trying to make unauthorised changes to data
    o   Work against local and remote encryption
    o   Automatically undo changes to avoid data loss
    o   Prevent exploits by stopping ransomware exploiting weaknesses in other software products.

    A Host Intrusion Prevention System (HIPS) with behaviour and file analytics is important too. Tech Support Alert describes HIPS as a program that alerts users when malware such as a virus tries to run on their computers, or when an unauthorised user such as a hacker may have accessed them. It achieves this by examining files’ components and structures for malicious elements and by watching for code that tries to modify the registry.

    Other cyber-security technologies include:

    o   Web security scans that check web content for ransomware code
    o   Malicious Traffic Detection (MTD) that looks for traffic to ransomware command and control servers and blocks it when found
    o   Application control that restricts the applications allowed to run
    o   Blocking Wscript, which ransomware often uses to run malicious scripts
    o   Application whitelisting that establishes a default-deny policy on servers so only trusted applications can run, preventing ransomware gaining a foothold
    o   Email defences that block ransomware emails
    o   Time-of-click protection that stops users reaching websites hosting ransomware, even if the links were safe when they entered inboxes
    o   Cloud sandboxing to find zero-day threats that exploit unknown vulnerabilities, by running files in a safe environment before users open them
    o   Web gateways that block web-borne ransomware before it reaches users’ endpoints, such as:

        o   URL filtering that blocks websites hosting ransomware and stops ransomware communicating with its command and control servers

        o   Web filtering that enforces strict controls on ransomware file types, stopping them downloading

    Sophos’s nine best cyber-security practices are:

    o   Back up regularly and keep recent backup copies off-line and off-site to minimise data loss
    o   Enable the display of file extensions, to help identify unusual file types such as JavaScript (.js) files posing as documents
    o   Associate JavaScript files with Notepad, so that double-clicking one displays it instead of running it through Windows Script Host
    o   Don’t enable macros in document attachments received by email, because many infections rely on the user turning macros on
    o   Always be cautious about unsolicited attachments, and check with senders
    o   Don’t have more login power than needed, because admin rights may expand a local infection across networks
    o   Consider installing the Microsoft Office viewers to see what documents look like without opening them in Word or Excel
    o   Patch early and often, so there are fewer holes for ransomware to exploit
    o   Keep up to date with new security features in business applications.

    These activities reveal the considerable range of work needed for effective cyber-security. As threats become more sophisticated and effective, Africa’s eHealth needs to keep up with modern cyber-security.

  • Cyber-criminals like Ransomware

    Ransomware is a favourite with many cyber-criminals. It’s cheap to produce and can provide big, illegal returns by encrypting users’ data. Decryption comes with a fee, but experts say users should never pay, and should instead recover from up-to-date offline backups. It offers good returns because it mainly relies on unsuspecting users clicking on illicit links in emails and webpages, so that ransomware is downloaded. McAfee’s cyber-security overview eBook reports that ransomware restricts access to computers, and that access is reinstated only after paying a ransom, often in Bitcoin, to remove the restriction. Cyber-criminals know that this phishing approach, which kidnaps information, is significantly more profitable than stealing it. WannaCry made headlines when cyber-criminals launched a global cyber-attack. It’s a step up on lucrative conventional ransomware, being extremely predatory, scanning and hunting for vulnerabilities in networks. Whether phishing played any part in its first infections isn’t clear, but its spread relied on exploiting an SMB vulnerability rather than on users’ clicks.


    An article in the New York Times says the cyber-attack affected more than 150 countries and infected over 200,000 Windows computers. Hospitals, academic institutions and high-profile global companies were among those hit. The perpetrators used code previously leaked as part of a document dump. A report by News24 says this explains the virus’s rapid spread.

    Healthcare news has an alarming estimate that 72% of malware attacks on healthcare used ransomware. Healthcare is particularly targeted by hackers because they know how crucial data is to daily hospital operations, and the grave results if it is leaked or falls into the wrong hands. Verizon researched this. Its 2017 Data Breach Investigations Report found that 602 of 2,000 breaches stemmed from phishing emails. Symantec identified ransomware’s growth: its report said the number of ransomware detections increased by 36% during 2016, from 340,000 in 2015 to 463,000 in 2016.

    Any organisation can fall victim to these attacks, so they must impose strict measures to increase cyber-security and ensure that all employees remain vigilant and alert.

  • An anti-ransomware manual offers a good start for Africa’s eHealth

    In 1977, Ron Rivest, Adi Shamir and Leonard Adleman developed RSA, the public-key algorithm named after them, for encrypting data on networks. Forty years later, RSA with 2048-bit keys is still the cryptosystem typical ransomware relies on: files are encrypted with a fast symmetric cipher, and the symmetric keys are then encrypted with the attacker’s RSA public key, so only the attacker’s private key can release them.
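    Why that combination resists decryption is easiest to see in code. The Go program below is an added example, not from KnowBe4’s manual or from any ransomware family: it encrypts a constructed sample with a fresh AES-256-GCM key per file, wraps that key with a 2048-bit RSA-OAEP public key standing in for the attacker’s, and then shows that the file opens only with the matching private key and that an unrelated key is rejected. The key sizes and modes are assumptions chosen to match the description in the text; real families differ in detail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what a victim is left with: the ciphertext, the GCM nonce, and the
// per-file AES key sealed to the attacker's RSA-2048 public key. Nothing here can be
// opened without the matching private key, which never touches the victim's machine.
type LockedFile struct {
	WrappedKey []byte // RSA-OAEP(attackerPub, fileKey)
	Nonce      []byte
	Ciphertext []byte
}

// Lock applies the hybrid scheme: a fresh 256-bit AES key per file, AES-256-GCM for
// the bulk data, RSA-OAEP to wrap the key. The assumed sizes are this example's choice.
func Lock(plaintext []byte, attackerPub *rsa.PublicKey) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // the clear key is wiped; only the RSA-wrapped copy survives
		fileKey[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock is what the decryptor sold for the ransom does: unwrap the file key with the
// attacker's private key, then decrypt. With any other private key, OAEP unwrapping fails.
func Unlock(lf *LockedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong private key: cannot unwrap the file key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil) // fails if the data was tampered with
}

// Demo runs the whole cycle on a constructed sample and reports whether the round trip
// with the attacker's key succeeded and whether an unrelated key pair was rejected.
func Demo() (roundTrip, wrongKeyRejected bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // lives only on the attacker's server
	if err != nil {
		return false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // any other key, e.g. a defender's guess
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample: ward 3 referral list, not real patient data")
	lf, err := Lock(sample, &attacker.PublicKey)
	if err != nil {
		return false, false, err
	}
	got, err := Unlock(lf, attacker)
	roundTrip = err == nil && bytes.Equal(got, sample)
	_, err = Unlock(lf, stranger)
	wrongKeyRejected = err != nil
	return roundTrip, wrongKeyRejected, nil
}

func main() {
	rt, rej, err := Demo()
	fmt.Printf("round trip with attacker key: %v; unrelated key rejected: %v; err: %v\n", rt, rej, err)
}
```

    The point for defenders is that the victim’s machine never holds anything that reverses the wrapping: the sealed file key is 256 bytes of effectively random data, and attacking 2048-bit RSA or AES-256 directly is not feasible. Free decryptors appear only when an author slips, for example by leaving key material in memory or using a poor random number generator, which is what researchers look for; backups remain the reliable route.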

    As ransomware expands its reach, KnowBe4, a security awareness training and simulated phishing platform, has produced a manual to help organisations and people deal with it. Its Ransomware Hostage Rescue Manual covers a wide range of themes and includes two ransomware checklists, one for dealing with an attack and one for prevention.

    Topics include:

    o   What’s ransomware?
    o   Are systems infected?
    o   When they are, what’s next?
    o   Negotiate or pay the ransom?
    o   Protecting in the future
    o   Resources:

        o   Ransomware Attack Response Checklist (RARC)

        o   Ransomware Prevention Checklist (RPC)

    RARC actions to deal with an attack include these steps:

    1.     Disconnect everything

    2.     Determine the scope of the infection

    3.     Determine the ransomware strain, such as CryptoWall or TeslaCrypt

    4.     Determine a response:

    a.     Restore files from backup

    b.     Try to decrypt

    c.     Do nothing and lose files

    d.     Negotiate or pay the ransom

    RPC measures include:

    o   Users are the first line of defence
    o   Software, such as firewalls and antivirus systems, is the second line
    o   Backups are the third line of defence.

    As Africa’s health systems rely more on eHealth and its networks, a ransomware attack becomes increasingly probable. KnowBe4’s manual is an effective way both to start and to review progress against ransomware. Reviewing defences for other types of cyber-attack is worth it too.

  • How can Africa adopt best practices against phishing and ransomware?

    With phishing still popular with cyber-criminals, and so easy to deploy, adopting best practices is essential. Human firewalls are an essential component. A white paper from Osterman Research, sponsored by KnowBe4, a cyber-security awareness, training and simulated phishing platform, sets out how often employees should receive cyber-security awareness training.

    There are two main findings. First, better phishing and ransomware protection is needed across the board. Second, additional cyber-security awareness training is needed to help reduce infection rates from phishing and ransomware attacks.

    How big is the problem? Osterman measured it as the percentage of organisations affected.

  • Barkly sets out three ransomware predictions

    As a criminal business, ransomware is big, and it’s set to be bigger. Jack Danahy, a Barkly co-founder, writing in Barkly’s blog, says cyber-attackers will use three new methods in 2017:

    o   An extra threat of doxxing, the public disclosure of private records, either a file at a time or as a catastrophic dump, to increase the chances of victims paying the ransom
    o   Ransomware infections will spread more quickly and easily
    o   Fileless ransomware will increase rapidly.

    A Barkly survey reports that only 5% of US organisations say they paid ransoms. Better backups and easier data recovery have reduced ransom attacks’ effectiveness. Cyber-criminals are shifting their attacks from consumers to businesses so they can demand more, increasing the potential damage and disruption of not paying. Other countries are seen as softer targets too. It’s a warning for Africa’s eHealth and healthcare.

    Ransomware attacks will also increasingly bypass scanners and signature-based anti-virus security, raising the chances of infection for less sophisticated organisations. These will add to the more common technique of phishing emails with malicious attachments. Fileless attacks aren’t easy to identify with conventional endpoint security tools.

    The lessons for Africa’s eHealth are stark. Two main themes are:

    o   Stepping up basic cyber-security measures rapidly, and not just to deal with ransomware
    o   Adopting more sophisticated cyber-security to deal with emerging threats, especially new forms of ransomware.

    Health systems will need investment in new cyber-security skills and solutions. They’ll need new eHealth strategies too.