Microsoft Empowers Healthcare Industry To Combat Deadly Ransomware During COVID-19 Crisis

Ransomware is a significant problem for individuals and organizations today. However, it can be a particularly big problem for healthcare organizations and has the potential to cost lives during the COVID-19 pandemic raging around the world. Microsoft says that during this time of crisis as organizations move towards a remote workforce, ransomware operators have found a new target in the form of network devices like gateways and VPN appliances.

Microsoft says that it is putting a particular emphasis on the healthcare sector by protecting critical services, especially hospitals today. Microsoft notes that right now, REvil, which is also known as Sodinokibi, is one of the ransomware campaigns that is actively trying to exploit Gateway and VPN vulnerabilities to gain access to target organizations. Once access is obtained, the attackers were able to steal credentials and elevate privileges to move laterally across the network to ensure persistence before they install their ransomware or malware payloads.

These so-called "human-operated" ransomware attacks are "a cut above run-of-the-mill commodity ransomware campaigns," says Microsoft. The software giant says that it is leveraging its vast network of threat intelligence sources and has identified several dozen hospitals with vulnerable Gateway or VPN appliances in their infrastructure. Microsoft says that to help the hospitals, many of which were already besieged with patients under the current coronavirus/COVID-19 crisis, it sent out a targeted notification with important details about vulnerabilities in their systems and how attackers could take advantage of them.

The targeted notification also gave the healthcare organizations recommendations to apply security updates that could protect them from exploits using those vulnerabilities. Microsoft points out that its threat intelligence teams have observed multiple nation-state and cybercrime perpetrators targeting unpatched VPN systems for many months. Specifically, the attackers behind the REvil ransomware are actively scanning the Internet for vulnerable systems.

Microsoft has been alerted to those scans by its Threat Protection services and also notes that attackers have been observed using the update feature of VPN clients to deploy the malware payloads. Microsoft says that it is strongly recommending all enterprises review VPN infrastructure for updates. Ransomware attacks in healthcare can have very real outcomes on patients, with researchers linking a rise in fatal heart attacks to ransomware attacks last year. Microsoft made recommendations to mitigate the ransomware threat:

• Apply all available security updates for VPN and firewall configurations.
• Monitor and pay special attention to your remote access infrastructure. Any detections from security products or anomalies found in event logs should be investigated immediately. In the event of a compromise, ensure that any account used on these devices has a password reset, as the credentials could have been exfiltrated.
• Turn on attack surface reduction rules, including rules that block credential theft and ransomware activity. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
• Turn on AMSI for Office VBA if you have Office 365.