The prevalence — and cost — of increasingly sophisticated ransomware attacks continue to grow unabated. The threat of ransomware is nothing new, but the nightmare scenarios targeting businesses in every sector are becoming more targeted and crippling by the day.

Attackers using ‘big game hunting’ tactics, for example, are setting their sights on specific larger organizations where they anticipate that they can extract the largest financial pay-out. Unlike auto-spreading ransomware such as WannaCry and NotPetya, many new strains open the door for criminals to steal data and manipulate systems, as attackers exhibit deeper knowledge and understanding of their target’s environment.

Amid the disruptive impact of the global pandemic over the last year, cyber criminals are turning their attention to the life sciences industry. The industry’s crucial role in launching COVID-19 vaccination programs — combined with the sector’s massive revenues and endless volumes of sensitive data — makes it an ideal target for organized crime groups wielding today’s destructive ransomware tactics.

Notable ransomware attacks on the industry to date include Ryuk, Conti and Sodinokibi — and cyber criminals are expected to keep healthcare and pharmaceutical businesses firmly in their sights in 2021 and beyond. The US-based Cybersecurity and Infrastructure Security Agency (CISA) reinforced this message with its October 2020 advisory warning of the 'increased and imminent threat' of ransomware in the healthcare and public-health sector.1

The evolving threats of ransomware

Today’s ransomware attacks are transitioning away from traditional ‘smash-and-grab’ tactics, as more-sophisticated and intrusive techniques increase the impact and profitability of attacks. This often involves attackers spending weeks performing significant reconnaissance of targets to gain a deep understanding of their systems and data, and how best to leverage a ransomware attack for the largest financial pay-out.

So how is ransomware changing?

Double extortion: As they move away from ‘smash-and-grab’ tactics, crafty cyber criminals are applying double extortion to their attacks — combining hefty ransom demands with the threat of making sensitive data publicly available. By spending time hiding in a target’s network, attackers can identify where best to encrypt systems during their attack — as well as identifying the most-sensitive data and assets to use as leverage for future ransom payments. If a ransom isn’t paid, data may be leaked. In an age where trust is integral to any organization’s reputation and success, such techniques are increasingly effective in extorting large payments from unsuspecting victims.

Sodinokibi, Conti and Egregor are examples of ransomware groups cashing in on these potentially paralyzing techniques. The large volumes of sensitive and confidential information held by today’s pharmaceuticals, including valuable intellectual property related to the COVID-19 vaccine, makes them particularly vulnerable to such attacks. Exposing such data could undermine vaccination programs and health safety worldwide and threaten organization’s reputation and entire business value.

What can pharmaceuticals do in response? Having an effective incident-response capability that that can provide a rapid response is critical. It is also essential to prioritize the detection of lateral movement across the network, by leveraging effective log management and closely monitoring network traffic. Having strong containment and isolation procedures to minimize the impact of ransomware events is also crucial.

Online backups: Like double-extortion tactics, this new wave of ransomware also has attackers performing reconnaissance, in this case to understand and disable their target’s backup landscape. Data backups are encrypted or deleted to give criminals additional leverage over their target — the Sodinokibi ransomware is an example of this devastating tactic on Windows shadow copies.

Attackers can be particularly cunning by embedding Sodinokibi ransomware into backup schedules — when victims attempt to restore systems with backed-up data, the ransomware is detonated once again. Victims soon discover that their backups are not recoverable, rendering data recovery not possible at all in many circumstances. Such attacks on pharmaceutical companies have the potential to inflict massive disruption on vaccination programs, ultimately forcing organizations into paying a ransom in order to avoid catastrophic results.

What can pharmaceuticals do in response? Maintain strong offline, encrypted backups of data at all times to foil attackers. Also, segregate backups from the rest of the network and regularly stress test these to ensure their integrity. Implementing privileged access-management controls is also a crucial defense tactic.

Should you pay the ransom?

Pharmaceutical regulators, including the US Food & Drug Administration (FDA) and the UK’s Medicines & Healthcare Regulatory Agency (MHRA), have yet to detail their stance on paying ransoms. However, many countries and industries are becoming less tolerant about paying attackers and in some cases, it is now illegal to meet their ransom demands.

For example, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has issued an advisory to highlight the possible sanction risks associated with paying ransom demands. This is on the premise that paying attackers encourages future attacks and demands, does not always lead to recovery of encrypted files, and may violate OFAC regulations.2

Ultimately, in jurisdictions where it is still legal, paying a ransom is a business decision which should be made at the Board level with legal advice. The pros and cons of capitulating to attacks should be weighed up very carefully and decision making should include independent, non-executive Board members. Prior to these emergency situations, organizations should have exercised how they deal with a major ransomware incident and have debated and agreed their stance on ransom payments, so they can quickly make decisions in a fast moving and stressful situation.

In the life sciences industry in particular, meeting ransom demands may seem like the right choice, particularly when the sector is playing a fundamental role both in saving lives during the global pandemic and leading the way in enabling a worldwide economic recovery. The pandemic has proven that health and economic prosperity go hand in hand, meaning that organizations experiencing ransomware attacks may feel the pressure from multiple angles and stakeholders to ensure that production is not disrupted.

The sector, perhaps more than others, is therefore presented with an ethical dilemma: protecting health and economic prosperity versus paying a ransom that could arguably encourage costly future attacks.

Security leaders need to adapt to bold new threats

Strong, practical guidance on how to prepare for and respond to ransomware attacks has already been published by the likes of the UK’s National Cyber Security Centre (NCSC)3, the US’s CISA4, and other security organizations around the world. Security leaders in the life sciences industry should familiarize themselves with this guidance and embed new controls into their plans where they have gaps.

It’s also critical for security leaders to focus on the entirety of the defense and response lifecycle of a ransomware attack, from strategy and planning, monitoring and incident tracking through to disaster recovery and remediation.

A deeper understanding of how ransomware attacks are evolving is critical too. Cyber criminals are incredibly resourceful and entrepreneurial and will continue to look for new methods that increase their prospects for success and profitability.

The life sciences industry is critical to the recovery from COVID-19 and we can expect cyber criminals to continue their efforts to exploit today’s unprecedented global environment. There is no time to waste in developing comprehensive new approaches to combat the risk of costly attacks and safeguard the integrity and sustainability of health services.

Footnotes:

1 Ransomware Activity Targeting the Healthcare and Public Health Sector, CISA Alert (AA20-302A), November 2, 2020.
2 Ransomware Advisory, U.S. Department of The Treasury, October 1, 2020.
3 Mitigating malware and ransomware attacks, National Cyber Security Centre, March 30, 2021.
4 Ransomware Guidance and Resources, Cybersecurity & Infrastructure Security Agency, 2021.

Connect with us

 

Want to do business with KPMG?

 

loading image Request for proposal

Stay up to date with what matters to you

Gain access to personalized content based on your interests by signing up today

Sign up today

Related Content