What Healthcare Organizations Should Know About Petya-like Cyberattack

The global cyberattack potentially modeled after Petya again underlines the importance of cyber vigilance in the healthcare space.

On June 27, just more than a month after WannaCry became the first program to use purportedly leaked NSA hacking tools to launch ransomware attacks across the globe, the malware attack known broadly as Petya followed its lead.

Many organizations hit were vulnerable because of the same exploit that allowed WannaCry, which hit a significant portion of the U.K.’s healthcare sector, to propagate.

The attack infected nearly 13,000 machines and spread to at least 64 countries, beginning in the Ukraine the night before its independence holiday.

The fallout from the potential Petya variant was not as concentrated in the healthcare space, but it did impact several healthcare organizations and their networks, including West Virginia’s Princeton Community Hospital and Pennsylvania’s Heritage Valley Health Systems.

Princeton Community Hospital said it would have to scrap and replace its entire computer network after officials were unable to restore services and there was no way to pay a ransom to restore the system. The attack froze the hospital’s electronic medical record system and left doctors unable to review patients’ medical history or transmit lab and pharmacy orders.

Heritage Valley Health Systems said the cyberattack impacted its entire system, including two hospitals and satellite and community locations across western Pennsylvania. Officials said they shut down the network’s IT systems and on June 30, the hospital was still working to restore satellite-based lab and diagnostic imaging services. 


What is Petya?

Like WannaCry, Petya is a type of malicious software that infects a computer and restricts user access to the machine.
 
The attack vectors of the potential Petya variant include the (WannaCry) EternalBlue exploit that reaches computers through vulnerabilities in Microsoft’s Server Message Block (SMB), known as MS17-010 SMB. It also has other attack vectors: an exploit known as EternalRomance, which targets Windows XP to 2009 systems, as well as an attack on the update to M.E.Doc, a third-party Ukrainian software product. Unlike typical ransomware, in addition to locking individual files, Petya also cripples the entire device by overwriting and encrypting the machine’s master boot record (MBR), according to Symantec.
 
Initial reports showed that, as with WannaCry, organizations’ failure to apply the Microsoft patch for the MS17-010 vulnerability, dated March 14, 2017, enabled Petya to infiltrate victims’ systems in many cases. But Petya has at least two other attack vectors outside of the EternalBlue exploit—underscoring that the Microsoft patch is not a cure-all.
 

How can healthcare organizations defend themselves?

Organizations that have not yet applied the MS17-010 patch should still do so immediately. Those using unsupported Windows operating systems including Windows XP, Windows 8 and Windows Server 2003 should follow customer guidance from Microsoft. Until organizations can apply the patch, Microsoft issued the following workarounds to reduce the attack surface:
  • Disable SMB version 1 using steps documented here.
  • Consider adding a rule to your router or firewall to block incoming SMB traffic on port 445.
Victims of the ransomware who have not yet paid the attackers should contact their local FBI Office Cyber Task Force or the FBI’s 24/7 National Cyber Watch Center (CyWatch) at (855) 292-3937 before doing so.

Additionally, the United States Computer Emergency Readiness Team (US-CERT) recommends the following risk mitigation measures:
  • Put in place a data backup and recovery plan for all critical information, and conduct regular test backups to limit the impact of a data or system loss and streamline the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Enlist application whitelisting to help mitigate malicious software and unapproved programs from running. This allows only programs specified to run and blocks all others, including malicious software.
  • Keep all operating systems and software up-to-date with the latest security patches, greatly reducing the number of exploitable entry points for attackers into your system.
  • Keep anti-virus software current and scan all software downloaded from the internet before it downloads.
  • Limit users’ permissions to install and run unwanted software applications, applying the principle of least privilege to all systems and services.
  • Disable macros from email attachments. When users open attachments and enable macros, embedded code then executes the malware on the machine.
  • Avoid clicking on unsolicited links in emails (see more on that here).
What happens when mitigation measures fail? Read more here: https://www.bdo.com/insights/consulting/bdo-knows-cybersecurity-(1).

Additional cybersecurity resources: For more updates on this topic and others, please subscribe to the BDO Knows Healthcare blog.