A Differentiated Approach to Ransomware Detection

Ransomware tops the list of security concerns for healthcare delivery organizations. Here's how one university hospital system in the U.S. tapped into ExtraHop to target this malware.

For healthcare delivery organizations (HDOs), ransomware tops the list of security concerns. From the Hollywood Presbyterian Hospital ransomware incident to the WannaCry attack that effectively took down the National Health Service (NHS) in the UK, HDOs have been hit hard by this threat vector. Not surprisingly, detecting, investigating, and shutting down ransomware before it can compromise critical systems and patient data has become a top priority for healthcare CIOs and CISOs.

In order to proactively address the ransomware problem, one large university hospital system in the US started using network traffic analysis (NTA) from ExtraHop to detect attack patterns and anomalies occurring across their environment. They also applied the ExtraHop ransomware bundle to specifically target this type of malware.

The ExtraHop Ransomware bundle automatically detects ransomware attacks in real time using multiple techniques based on analyzing traffic from the SMB/CIFS network protocol (a file sharing protocol, traditionally used by Microsoft Windows systems). While the bundle offers comprehensive out-of-the-box detection capabilities, it is also configurable, enabling users to easily modify the bundle for their specific requirements.

A senior network security analyst at the university hospital was recently working on some updates to the ransomware bundle to catch interesting events specific to their environment, including potentially destructive queries against personal health information (PHI) databases -- a common target of attacks. The analyst made the following simple updates:

  • Created new metrics to store a new key data format
  • Built a trigger to populate those metrics from queries containing INSERT, UPDATE, DROP, or DELETE
  • Created a new dashboard to show that key data

With the updates in place, the ExtraHop dashboard immediately started showing a spike in modifications made to the hospital's network attached storage (NAS). The modifying agent was a worm that dropped antiusb.exe files and also created .lnk files. With this visibility, the security team at the hospital was able to quickly quarantine affected machines before the ransomware could spread.

A differentiated approach to ransomware detection

Unlike other NTA products that rely on behavioral analysis of Layer 3 and Layer 4 traffic, ExtraHop decodes the entire payload, including NAS traffic. While behavioral analysis can flag a file modification that departs from the established baseline, full-stack analytics from ExtraHop goes a step further, confirming the file extension to eliminate false positives. This improves the signal-to-noise ratio, helping curtail alert fatigue and keeping security teams focused on the most serious threats and the most critical assets.
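The analyst's destructive-query metrics and the two-stage NAS check described above (a spike in SMB writes, confirmed by the extensions of the dropped files), as an added illustration in plain JavaScript. This is not ExtraHop trigger code and uses none of the ExtraHop trigger API; the record shapes, client addresses, baseline, spike factor and extension list are all assumptions.

```javascript
// Added illustration, not ExtraHop trigger code: both detections run over constructed records that stand in for decoded wire data.
const DESTRUCTIVE = /^\s*(INSERT|UPDATE|DROP|DELETE)\b/i;   // the analyst's keyword list
const SUSPECT_EXT = new Set(['.exe', '.lnk']);              // dropped-file extensions (assumed list)

// Per-client counts of destructive statements, the shape the custom metrics held.
function countDestructiveQueries(dbRecords) {
  const perClient = {};
  for (const r of dbRecords) {
    const m = DESTRUCTIVE.exec(r.statement);
    if (!m) continue;                                        // SELECTs and other reads are ignored
    const counts = perClient[r.client] || (perClient[r.client] = { INSERT: 0, UPDATE: 0, DROP: 0, DELETE: 0 });
    counts[m[1].toUpperCase()] += 1;
  }
  return perClient;
}

// Stage 1: flag a client whose SMB writes in the interval exceed `factor` times the baseline.
// Stage 2: only confirm the alert if at least one written file carries a suspect extension.
function smbWriteAlerts(smbRecords, baselineWrites, factor) {
  const writes = {};
  for (const r of smbRecords) {
    if (r.op !== 'WRITE') continue;
    const w = writes[r.client] || (writes[r.client] = { count: 0, suspectFiles: [] });
    w.count += 1;
    const dot = r.path.lastIndexOf('.');
    const ext = dot >= 0 ? r.path.slice(dot).toLowerCase() : '';
    if (SUSPECT_EXT.has(ext)) w.suspectFiles.push(r.path);
  }
  return Object.entries(writes).map(([client, w]) => {
    const spike = w.count > factor * baselineWrites;
    return { client, writes: w.count, spike, confirmed: spike && w.suspectFiles.length > 0, suspectFiles: w.suspectFiles };
  });
}

// Constructed sample records (client addresses, statements and paths are made up).
const SAMPLE_DB = [
  { client: '10.0.5.21', statement: 'SELECT name FROM patients WHERE id = 42' },
  { client: '10.0.5.21', statement: "UPDATE patients SET phone = '555-0100' WHERE id = 42" },
  { client: '10.0.9.77', statement: 'DROP TABLE encounters' },
  { client: '10.0.9.77', statement: 'delete from patients' },
];
const SAMPLE_SMB = [
  { client: '10.0.9.77', op: 'WRITE', path: '\\\\nas\\share\\antiusb.exe' },
  { client: '10.0.9.77', op: 'WRITE', path: '\\\\nas\\share\\docs.lnk' },
  { client: '10.0.9.77', op: 'WRITE', path: '\\\\nas\\share\\report.docx' },
  { client: '10.0.5.21', op: 'WRITE', path: '\\\\nas\\share\\notes.txt' },
  { client: '10.0.5.21', op: 'READ', path: '\\\\nas\\share\\notes.txt' },
];
console.log(countDestructiveQueries(SAMPLE_DB), smbWriteAlerts(SAMPLE_SMB, 1, 2));
```

With a baseline of one write per interval and a spike factor of two, only the client that wrote three files, two of them with suspect extensions, produces a confirmed alert; the client with a single .txt write is left alone.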

The extensibility of the ExtraHop platform also enables customers to resolve issues specific to their environment in real time. With other offerings, security teams depend on the vendor to build new detection capability into the product, which could take weeks or months, or never happen at all; that is not particularly helpful when the threat is happening right now. This flexibility is absolutely critical in the ever-evolving security space.
