"It's so easy to get it," says Curtis Woods with Integrated Solutions in Birmingham about ransomware. One specialist practice in Birmingham has been hit three times. Another local practice lost access to 400,000 files for more than a day from an attack.
To get hit with ransomware, someone within the practice must usually click on something, such as an email attachment or a link on a website. That click downloads an app onto that computer. "That app starts to look for any files shared on the network and starts encrypting that data," Woods says.
The hackers claim they will unlock that data once a ransom is paid. At the specialist clinic that was attacked, the initial ransom was $5,000. The other two times, the perpetrators demanded $1,000. "The links to pay the ransom -- which we never recommend -- were all invalid," Woods says.
These days, the cybercriminals' sites can be found and shut down by law enforcement faster than they can collect, leaving the victimized practice with locked files. If the practice has no back-ups, it is in dire straits.
The current fix is to turn off that particular computer when the ransomware demand pops up on the screen. "Then the damage is minimal," Woods says. "We know of clinics that have been hit very lightly because they've had the state of mind to turn off the computer."
One ransomware variant waited until midnight to kick on. The computers were left on at night, and no one was around to shut them down. "That business did pay, but the data was not released. That's why we recommend you don't pay it," Woods says. "You're obviously just funding the culprits."
Fortune 500 companies and some hospitals have paid ransom. "Because it's so expensive for them to recover the data," Woods says. In those cases, the hackers usually release the data knowing it will motivate other victims to pay up quickly. But in May, when the Kansas Heart Hospital paid the ransom, the perpetrators released only a small portion of the encrypted files and then demanded more money. The hospital didn't pay.
Though ransomware is quickly evolving, right now it does not spread to other computers. So once the infected computer is shut down, IT support need only cleanse that one. "We have a policy that all the software on an infected computer has to be reloaded from scratch. That's the only way to know it's been completely removed," Woods says.
But Woods isn't recommending everyone shut off their computers at night. "Because it prevents security patches and other things from updating in the middle of the night," he says. "We've only seen a practice hit at night once. It will be a different story if we see it more."
Anti-ransom software does exist. Some can run as high as $550 a month. "Everyone is jumping on that software bandwagon," Woods says. Some packages are highly effective, but others are not keeping up with the rapid evolution of ransomware. "Trust whoever makes your antivirus software, if they make a ransomware package," he says. "But look to your IT company for guidance. Every respectable IT company tests these in order to protect their customers."
Restoration from a ransomware attack relies on good back-ups. Practices then lose only a day's worth of data at most. "Unless you're not checking the validity of your back-ups," Woods says.
Prevention relies on employee training and access. "That's the first line of defense," Woods says. "They have to pay attention to what they're reading and what they're opening."
In March, cybercriminals evolved past the needed click: through an ad network, they caused reputable websites, such as the New York Times and the NFL, to attempt to download ransomware onto a visitor's computer simply because the visitor landed on a certain page. For protection, some healthcare businesses have pared down their network's access strictly to websites needed for work.
For all email attachments, viewing them first using the previewer in an email client, such as Outlook or Apple's Mail, prevents a download. "Then you can't get the virus," Woods says. Or view them on a phone or iPad, not connected to the clinic's network.
"We tell our clients that if they're unsure about an email, forward it to us and we'll open it up in a sandbox -- a protected computer," Woods says. They receive several emails to test every day.
Woods says IT companies throughout Alabama report that anywhere from five to 25 percent of practices have been hit by ransomware since it started targeting healthcare entities early last winter.
"Everyone is vulnerable, though," Woods says, even those who host their EMR (electronic medical records) in the cloud. The ransomware can still lock up all the data they store in-house, such as billing spreadsheets and Word documents for referrals and letters. "So you're at much less risk of losing patient data, but you'll still be affected as a business," he says.
The consensus is that ransomware is rapidly getting more creative and more dangerous. "It will never go away," Woods says. "You find it, fix it, kill it, and they come out with another variant. It's been that way since the beginning of the internet."