Home Health & Hospice Week

Information Security:

Educate Yourself On Zeppelin Ransomware Attacks Before It’s Too Late

Here’s why an ounce of prevention is worth a pound of cure.

Unless you have thousands or even millions of dollars to spare, you’d better ensure your protection against a threatening style of cyberattack is at full strength.

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint alert about Zeppelin ransomware. Malicious actors have used the ransomware for the past three years to target businesses and infrastructure organizations, “especially organizations in the healthcare and medical industries,” the alert says. Initial ransom payment requests ranged from several thousand dollars to over a million dollars, and the actors have been known to request ransom payments in Bitcoin.

With tactics including phishing attempts, Zeppelin threat actors are able to gain access to targeted networks. However, for about one to two weeks before unleashing the attack, they survey the targeted victim network “to identify data enclaves, including cloud storage and network backups,” the alert explains.

The FBI and CISA have also issued recommended mitigations to help reduce the risk of a Zeppelin ransomware infection. Some of the recommendations include:

  • Creating and implementing a recovery plan;
  • Requiring that password logins meet National Institute of Standards and Technology (NIST) standards;
  • Requiring multifactor authentication (MFA) for accounts, virtual private networks (VPNs), email, and other connections to critical systems; and
  • Segmenting networks to help stem the spread of the ransomware.

The last recommendation is critical to protecting your network against this specific strain of ransomware. The FBI has seen situations where threat actors “executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack,” the joint alert says. As a result, the victim would need multiple decryption keys.

That fact is “particularly alarming,” observes attorney Linn Freedman with law firm Robinson & Cole in Providence, Rhode Island, in an online analysis of the alert.

And that’s not all. Prior to encrypting the files, the criminals “exfiltrate sensitive company data files to sell or publish in the event the victim refuses to pay the ransom,” the alert says.

In other words: “Along with encrypting files, this gang is engaging in the ‘double layered’ data extortion method,” explains John Riggi, American Hospital Association national advisor for cybersecurity and risk, in a post on the AHA’s website. “It appears this gang is stealing and threatening to publicly release sensitive information such as patient information, payroll, human resources and non-disclosure-protected information. Thus, even if a victim organization can independently restore encrypted files from backup, they face the dilemma of potential public release of stolen information in the possession of the criminals,” Riggi continues.

By the way: “The AHA, along with the federal government, strongly discourages the payment of ransom,” Riggi emphasizes. “This alert along with the comprehensive #stopransomware site provide extensive guidance on how to protect your systems from ransomware and avoid the ethical and legal dilemma of ‘pay, not pay.’”

Note: The alert is at www.cisa.gov/uscert/ncas/alerts/aa22-223a.
