The fileless malware, which is similar to Locky, utilizes Windows PowerShell and mimics legitimate activities on the computer.
If the spate of recent ransomware attacks on hospitals across the U.S. is any indication of the future of cybercrime, it’s clear that hackers are far from finished in pushing boundaries and wreaking havoc on healthcare. The new ransomware, PowerWare, is the latest example.
“Ransomware has really found its sweet spot in the critical infrastructure of healthcare,” says Ben Johnson, chief security strategist, at Carbon Black. Since hospitals can’t afford to have cyber attackers compromising their infrastructure and hindering daily operations, he says, executives are much more likely to pay up.
PowerWare resembles the Locky virus in that it is delivered via email through a Microsoft Word document that resembles an invoice and locks down the system until the ransom is paid, but it goes a step further: it mimics legitimate files and activities on the computer without writing new files to the system.
PowerWare utilizes PowerShell, the task automation and configuration management framework with its own scripting language included in Windows, most commonly used by administrators.
When the user opens the Word document from the email, they are prompted to enable macros. Doing so opens the command center and adds the malicious script, after which the malware blends into the background.
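As an added example (not code from the article or from Carbon Black), the following Python takes the defender's view of the chain just described: it scans process-creation telemetry for an Office application spawning PowerShell with the flags typical of hidden, script-based execution. The log format, field names and sample events are constructed for illustration, not real PowerWare telemetry.

```python
# Added example: flag process-creation events in which a Microsoft Office
# application spawns a shell, the delivery chain the article describes
# (Word macro -> PowerShell script). Log format and samples are constructed.
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line traits that commonly accompany hidden, script-based execution.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-nop(rofile)?\b|-w(indowstyle)?\s+hidden|"
    r"-ep\s+bypass|-executionpolicy\s+bypass|downloadstring|iex\b|invoke-expression)"
)

@dataclass
class Finding:
    parent: str
    child: str
    reasons: list

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key="value"' process-creation line into a dict."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def analyze(line: str):
    """Return a Finding if an Office parent launches a shell, else None."""
    ev = parse_event(line)
    parent = ev.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    child = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or child not in SHELLS:
        return None
    reasons = ["office-app spawned shell"]
    reasons += sorted({m.group(0).lower() for m in SUSPICIOUS_FLAGS.finditer(ev.get("commandline", ""))})
    return Finding(parent, child, reasons)

def scan(lines):
    """Run analyze() over a batch of events and keep only the hits."""
    return [f for f in map(analyze, lines) if f]

# Constructed sample events; the encoded blob is just "ABC" in UTF-16LE.
SAMPLE_LOG = [
    'ParentImage="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe -NoProfile -WindowStyle hidden -ExecutionPolicy bypass -EncodedCommand QQBCAEMA"',
    'ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" CommandLine="powershell.exe Get-Process"',
    'ParentImage="C:\\Program Files\\Microsoft Office\\WINWORD.EXE" Image="C:\\Windows\\splwow64.exe" CommandLine="splwow64.exe 12288"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f.parent} -> {f.child}: {', '.join(f.reasons)}")
```

Only the first sample trips the rule; an administrator running PowerShell from Explorer and Word's own print helper process are left alone.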
Before long, this ransomware can be expected to “become way more advanced and more targeted with higher ransoms,” Johnson said. “Now they encrypt files. But if they start seeing the actual data, they can use it as blackmail.
“We have to start getting ahead of it,” he added. “Healthcare has woken up to the fact they have to do something about it, but there are two problems: the need for cybersecurity employees and these upgrades take time.”
Systems need to be refreshed and updated, while taking into account human usage, Johnson said: “We’re seeing board members understand they need to do something. They now need to find people to do it and find the most effective way.”
PowerWare has already set its sights on healthcare: An unnamed healthcare client of Carbon Black was the organization that first brought the suspicious email to the company’s attention.
“A lot of times, ransomware works because organizations have the same file share and depository for all documents across the organization,” Johnson said. “All it takes is one employee to be fooled by one of these viruses to lock all of these files, which exacerbates the problem.”
Healthcare organizations need to back up all data and keep it separate from the mainframe, Johnson said, noting that it’s a method that proved successful for Methodist Hospital in Henderson, Kentucky, earlier this month.