We had some questions concerning the invoice sent on May 5, 2020, for our x-ray equipment. Specifically, we discussed with our salesman that we would receive a discount for the item on line 24 of the invoice. Please view the invoice here.
XYZ Imaging Center
Looks like a pretty safe email, right? Aside from the name of the person sending it and the name of the imaging center, which I changed to anonymize the email, this looks pretty legitimate. Specifically, it addresses me individually, it is from a known customer, it references x-ray equipment, and the email headers (not shown) were from a real customer that we do business with regularly. So when this email landed in my inbox, I at first thought the sender had sent it to one of the other mailboxes that I monitor for the company. My first thought was to forward the email to the sales representative and CC our accounting department. But seeing that the email was sent directly to me, the marketing manager, made me very suspicious.
Let me back up a little and explain that CMS Imaging, like every company, takes our email security very seriously. We use a few different cybersecurity products to assist in our protection, and the emails that land in our inboxes are more often than not legitimate. But even the best cybersecurity tools can be fooled (big thanks to our Chief Technology Officer for all the reminders). I know that the best defense is to be cognizant of the attachments I open and the links I follow. I chose to contact the people who do cybersecurity for us and let them investigate the email before I opened it.
My suspicions were confirmed very shortly after I contacted our cybersecurity people. While it may seem pretty obvious in hindsight, this email was an attempt to steal my credentials, transmit ransomware, and give the bad actors the ability to send similar emails to my contacts. The truly devious part about this email was that the bad actors (I really would like to call them something else, but this is a business blog post) had designed this email to fool most email cybersecurity software. Because they had access to our client's email, they also had access to their cloud drive. The email link would have directed me to our client's legitimate cloud drive, which was safe. But to view the invoice, I would have needed to enter my credentials to access the details of the invoice and see line 24. The URL link to enter my credentials was "micosroft.ru/qwerty/98768593" (the micosroft.ru is real, but the rest is fictitious). The bad actors were hoping that, at a glance, I would mistake the primary domain of the URL for "microsoft.com." Because the link in the original email sent me to a legitimate URL and the sender had previously sent legitimate emails to our domain, none of our email cybersecurity products would have picked up that this was a spear-phishing attempt.
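The lookalike trick above (micosroft.ru standing in for microsoft.com) can be caught by comparing the registrable domain of a link against the brands a company actually logs in to. This is an added example, not code from CMS Imaging or any of its vendors; the trusted-domain list is constructed, and the domain extraction assumes the last two host labels are the registrable domain (no public suffix list).

```python
from urllib.parse import urlsplit

# Brands this mailbox legitimately signs in to. Constructed for the example:
# anything that merely *looks* like one of these is what we want to flag.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "sharepoint.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(url: str) -> str:
    """Last two labels of the host, e.g. 'micosroft.ru'. Assumption: no public
    suffix list is consulted, so 'example.co.uk' would come back as 'co.uk'."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_verdict(url: str, max_distance: int = 2):
    """Return (is_suspicious, trusted_domain_it_imitates_or_None).

    An exact match on a trusted domain (including its subdomains) is fine.
    A brand label within a couple of edits of a trusted brand, or the right
    brand under the wrong TLD (.ru instead of .com), is a lookalike."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return (False, domain)            # the real login page
    brand_part = domain.split(".")[0]     # e.g. 'micosroft'
    for trusted in sorted(TRUSTED_DOMAINS):
        if levenshtein(brand_part, trusted.split(".")[0]) <= max_distance:
            return (True, trusted)
    return (False, None)                  # unrelated domain, not a lookalike
```

The link from the email, "micosroft.ru/qwerty/98768593", comes back as a lookalike of microsoft.com, while a real login.microsoft.com link does not.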
So what would have happened if I had clicked the links and entered my credentials?
Probably nothing, at least right away.
I would, more than likely, have received a "Page Not Found" error. And after several attempts, I probably would have chalked this up to human error, given up on viewing line 24, and gone about my day. But unbeknownst to me, this bad actor would have signed into my email account and begun reading my emails to learn more about my contacts. They would then start crafting emails targeting my contacts and including real details about previous communications. Simultaneously, their partners (typically these are no longer kids in their parents' garages, but organized syndicates) would then begin creating and inserting a fake link in a document that would direct the recipient to "micosroft.ru/qwerty/98768593." They would also create rules in my email inbox, marking any incoming emails with the subject line of the email they are about to send as "Read" and moving the email to my "Trash." Within a few business days, they would send the emails, and they would activate their ransomware.
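The inbox-rule trick described above leaves a trace an administrator can look for: a rule that marks mail as read and moves it to Trash, especially when its subject filter matches a message this mailbox recently sent. This is an added example, not code from the original post; the rule and sent-item records are constructed, and their field names are assumptions rather than any mail provider's schema.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    subject_contains: str   # subject filter the rule matches on ("" = none)
    mark_read: bool
    move_to: str            # destination folder
    enabled: bool = True

# Folders whose contents the mailbox owner seldom reads.
HIDING_FOLDERS = {"trash", "deleted items", "junk"}

def hides_mail(rule: Rule) -> bool:
    """A rule that both silences (marks read) and buries (moves to a hiding
    folder) incoming mail is the pattern described in the post."""
    return rule.enabled and rule.mark_read and rule.move_to.lower() in HIDING_FOLDERS

def classify_rules(rules, sent_subjects):
    """Return {rule name: 'high' | 'medium'} for every hiding rule.
    'high' when the subject filter also matches a subject this mailbox sent:
    replies to an outgoing message are being hidden from its owner."""
    sent = [s.lower() for s in sent_subjects]
    findings = {}
    for r in rules:
        if not hides_mail(r):
            continue
        needle = r.subject_contains.lower()
        matches_sent = bool(needle) and any(needle in s for s in sent)
        findings[r.name] = "high" if matches_sent else "medium"
    return findings

# Constructed sample: one legitimate filing rule, one attacker-style rule
# whose filter matches a message the account just sent, one noisy but benign rule.
SAMPLE_RULES = [
    Rule("Vendor invoices", "invoice", mark_read=False, move_to="Accounting"),
    Rule("Untitled", "Invoice line 24", mark_read=True, move_to="Trash"),
    Rule("Old newsletters", "newsletter", mark_read=True, move_to="Trash"),
]
SENT_SUBJECTS = ["Invoice line 24 - discount details", "Service visit schedule"]

if __name__ == "__main__":
    print(classify_rules(SAMPLE_RULES, SENT_SUBJECTS))
```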
If you are unfamiliar with ransomware, it is a short bit of code that encrypts a server's contents. The bad actors would, in essence, place a password over the contents of a server, and that lock would delete all of the emails and documents stored on the server after a certain number of incorrect attempts. To enter the password and remove the encryption, they would charge a ransom of up to $1M. According to Emsisoft *, in 2019 ransomware hit 113 federal, state and municipal agencies, 764 healthcare providers, and 89 schools and universities in the United States.
But paying the ransom does not always guarantee that the bad actors will enter their password. "The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key." **
So what should a healthcare facility do if they are the victim of ransomware?
The Centers for Medicare and Medicaid Services requires that any healthcare facility that accepts Medicare and/or Medicaid adhere to its Emergency Preparedness Rule. In short, the medical facility must have a plan to deal with all emergencies (fire, flood, hurricane, cybersecurity breaches, acts of violence ...) and must train and test its employees on emergency procedures. This plan will include each employee's responsibilities in the case of varying emergencies. With ransomware, the HIPAA Privacy Rule also comes into play, because the information compromised in a ransomware attack may include Protected Health Information (PHI).
Would you know what to do if you received this email? If not, now is an excellent time to start asking questions.
- * Emsisoft.com. (2019). The State of Ransomware in the US: Report and Statistics 2019 [online]. Available at: https://blog.emsisoft.com/en/34822/the-state-of-ransomware-in-the-us-report-and-statistics-2019/.
- ** Federal Bureau of Investigation. (2019). High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations [online]. Available at: https://www.ic3.gov/media/2019/191002.aspx.