Five things SysAdmins can learn from Chicago Med's ransomware attack
The Chicago Med ransomware story has probably run its course. We won't see how the system was compromised, what data was lost, what was done to shore up defenses. There won't be a forensic investigator looking for lingering threats or evidence of another crime not yet discovered. Aside from a brief mention of the server being "corrupted," we don't even really know what happened to the network.
It's easy to see that the episode wasn't really about ransomware, and it's just as easy to think that there's nothing for IT to learn from this show. Still, the episode did offer up some practical lessons for those of us who work in network security and data protection.
The moment of discovery
When a hurricane or tornado is coming, you usually have some time to prepare: you make sure your backups are good, you might move critical hardware to a safer location, and so on. There is no such warning before a ransomware attack. Unless you're digging through system logs, nothing about the time leading up to it looks special. Your state of preparation for a ransomware attack right at this moment is the state you will be in when the ransomware hits.
Are you aware of your state of readiness during critical tasks? If ransomware hit while you were in the middle of surgery (or maybe a server migration), would you know what to do at that moment?
Give yourself some extra protection during tasks such as a data move or server upgrade: before you start, confirm that a current, verified backup exists and can be restored. Prepare yourself and your staff for the sudden loss of technology in the middle of the workday.
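One way to turn "make sure your backups are good" into a check you actually run before a migration or data move. This is an added example written for this page, not code from the article or from Barracuda. It assumes a hypothetical backup layout (a LAST_OK marker file touched when the backup job finishes, and a MANIFEST.sha256 listing one SHA-256 per backed-up file); the 24-hour freshness limit is an assumed policy, and the sample backup sets it checks are constructed in a temporary directory when it runs.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

MAX_AGE_HOURS = 24.0  # assumed policy: no migration unless the last good backup is under a day old


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup_readiness(backup_dir: Path, max_age_hours: float = MAX_AGE_HOURS,
                           now: Optional[float] = None) -> dict:
    """Verify that a backup set is fresh, complete and unmodified.

    Hypothetical layout (an assumption of this example): LAST_OK is touched when
    the backup job completes; MANIFEST.sha256 holds '<sha256>  <relative path>'
    lines for every file. Returns {'ready': bool, 'age_hours': float|None, 'problems': [...]}.
    """
    now = time.time() if now is None else now
    problems = []
    marker = backup_dir / "LAST_OK"
    manifest = backup_dir / "MANIFEST.sha256"
    age_hours = None
    if marker.is_file():
        age_hours = (now - marker.stat().st_mtime) / 3600
        if age_hours > max_age_hours:
            problems.append(f"last good backup is {age_hours:.1f}h old (limit {max_age_hours}h)")
    else:
        problems.append("no LAST_OK marker: the last backup job did not finish")
    if manifest.is_file():
        for line in manifest.read_text().splitlines():
            if not line.strip():
                continue
            expected, rel = line.split(None, 1)
            target = backup_dir / rel
            if not target.is_file():
                problems.append(f"missing from backup: {rel}")
            elif sha256_of(target) != expected:
                problems.append(f"checksum mismatch (tampered or corrupted): {rel}")
    else:
        problems.append("no MANIFEST.sha256: integrity cannot be verified")
    return {"ready": not problems, "age_hours": age_hours, "problems": problems}


def build_sample_backup(root: Path, stale: bool = False, tamper: bool = False) -> Path:
    """Construct a tiny backup set for demonstration (constructed data, not a real backup)."""
    backup = root / "backup"
    (backup / "db").mkdir(parents=True)
    files = {"db/patients.sql": b"-- constructed sample dump\n", "config.yml": b"site: test\n"}
    for rel, data in files.items():
        (backup / rel).write_bytes(data)
    manifest_lines = [f"{sha256_of(backup / rel)}  {rel}" for rel in files]
    (backup / "MANIFEST.sha256").write_text("\n".join(manifest_lines) + "\n")
    marker = backup / "LAST_OK"
    marker.touch()
    if stale:  # pretend the job last finished three days ago
        old = time.time() - 72 * 3600
        os.utime(marker, (old, old))
    if tamper:  # simulate a file being encrypted or corrupted after the manifest was written
        (backup / "db" / "patients.sql").write_bytes(b"\x00ENCRYPTED\x00")
    return backup


def run_demo() -> dict:
    """Run the readiness check against a good, a stale and a tampered backup set."""
    results = {}
    cases = {"good": {}, "stale": {"stale": True}, "tampered": {"tamper": True}}
    for name, kw in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            results[name] = check_backup_readiness(build_sample_backup(Path(tmp), **kw))
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        status = "READY" if r["ready"] else "NOT READY"
        print(f"{name:9s} {status}  {'; '.join(r['problems']) or 'ok'}")
```

Run it before the migration starts and again before you cut over; a NOT READY result on the stale or tampered case is exactly what you do not want to discover for the first time after the ransom note appears. A checksum mismatch against a manifest written at backup time is also a cheap tell that a backup copy reachable from the network has itself been encrypted, which is why the copy you verify should be one the production network cannot write to.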
When the ransomware was discovered, the administrator gathered everyone around the desk and announced that they would be operating under "downtime procedures." This meant cancelling elective surgeries, using paper charts, tracking medication on a dry erase board, and turning in their tablets for evaluation. There was confusion, chatter, and a pep talk, and then off they went about their duties.
Do you know how you will communicate a ransomware attack to your staff? How do you inform the staff to engage an emergency response procedure when the emergency isn't something like a fire that sets off a distinct alarm? Do you inform the entire staff, or just the staff directly affected by the ransomware? Will your staff know where to get this information?
Develop a ransomware communication plan for non-technical employees. Include an alternate collaboration space for staff who have to keep information updated while systems are down.
The hospital had planned for downtime, perhaps in preparation for a natural disaster or widescale loss of power. Did the right information about that planning ever reach the staff? It's hard to say. In real life, you don't want employees wondering how to "do stuff" while the company is trying to get the business back online.
A ransomware attack falls somewhere between a full power outage (no work possible) and a single application being down (alternative work possible). Make sure your employees know what their options are in that space.
The tablets used by staff were collected so they could be taken off the network and checked during the attack. This was a good illustration of how these devices can be personal crutches as well as business tools. People who are uncomfortable in social situations may resist giving up their technology if it means they have to interact with others face to face.
In a ransomware situation, you may be faced with stress from factors you had not considered. Have a plan for which mobile devices will be collected and how they will be gathered. How will they be checked? Are personal devices included in this plan? How will you explain this to the staff?
Develop a plan on how to collect and test devices. Communicate the requirements of this plan to the staff who will be affected.
"Pretty simple math"
The multiple suggestions to pay the ransom were always met with something like "we don't negotiate with extortionists." This put the staff in the mental position of weighing hospital philosophy against the importance of their own work.
Eventually the systems came back online and we find out that one of the surgeons paid the ransom. "30 bitcoin vs the continued integrity of our services. Pretty simple math, don't you think?"
Obviously not. You can still lose data, you might not get your decryption key, you're encouraging the criminal, AND you put yourself at risk for another attack and a higher ransom in the future. A good IT staff will be working to protect you from ransomware and restore your data and systems as soon as possible.
You don't want to be mired in defending policy while trying to get the system back online. Make sure the staff understands that paying the ransom puts the company at further risk, and do not give them the means to pay a ransom on their own.
The episode was a look at the human factor of a ransomware attack, and that's the part we all sometimes miss. To the extent possible in your industry and company, prepare your staff for a possible attack. Make sure they know how to respond if you have to go into your "downtime procedures." This can help you keep business losses to a minimum while you recover.
You can watch the full episode here on the NBC website.
Visit the Barracuda ransomware solutions site at www.barracuda.com/ransomware
Click here for our on-demand webinar on how to keep healthcare networks safe from ransomware.