When describing the month of March there is an old saying: In like a lion, out like a lamb. I wonder if the same can be said for the state of ransomware in healthcare for 2023. I recently attended the American Hospital Association (AHA) Rural Leadership meeting in San Antonio and continually heard that a top concern is ransomware. How are hospitals being targeted? Who is targeting them? How should they plan and prepare for a breach and how do they ensure resiliency during the downtime?
Executive Summary
Since our initial report on the ransomware group known as BianLian, we have continued to keep an eye on their activities. Unfortunately, and sadly not surprisingly, the group continues to operate and add to their ever-growing list of victims. Having continued to research BianLian for the past six months or so, we felt the time was right to share an update and some of our findings with the larger community.
Don’t Pay the Ransom? When you take a step back and look at the ransomware problem, the obvious solution is for victims to refuse to pay the ransoms. It will demonetize the crime; the criminal enterprises that run these operations will no longer find the ransomware business to be profitable and they will move on to other things. However, this is much easier said than done. The actual decision of whether or not to pay the ransom, while a criminal gang is holding your network (and your data) hostage, is not an easy or simple decision to make.
When it comes to cybersecurity, it’s important to understand the tools, techniques, and thought processes of threat actors. Once adversaries have initial access to a network, lateral movement allows them to extend access and maintain persistence by compromising additional hosts in the network of their target organization. Threat actors can gather information about the company’s user activity and credentials, location of important data, and leverage methods for escalating privilege to successfully complete their attack, theft or espionage activities.
The case for implementing a Zero Trust strategy has never been greater. Cyberattacks are increasing in scale and severity with an attendant growth in sophistication. Most organizations agree: The post-pandemic world requires a paradigm shift in how we approach cybersecurity. In fact, in 2022, 72 percent of organizations were either in the process of adopting Zero Trust or had already adopted it.1 What is Zero Trust? At a high level, Zero Trust requires all users (inside or outside the network) to be continuously authenticated and authorized to gain network access.
Everyone knows cyber crime is increasing, boosting cybersecurity initiatives to the top of the corporate priority list. While 38 percent of Fortune 500 companies did not have a chief information security officer just three years ago, every single one does today. In addition, Gartner estimates that $188.3 billion will be spent on information security and risk management products and services in 2023. A myriad of cybersecurity-related solutions have flooded the market in recent years in response.
Earlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We observed the actor deploying custom malware that was written in the Go programming language, which posed some initial, but not insurmountable, reverse-engineering challenges. BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations.