Ransomware alert offers 7 preventive measures

The U.S. healthcare industry, along with other businesses and individuals worldwide, is susceptible to ransomware and its variants, according to an alert from the United States Computer Emergency Readiness Team (US-CERT) within the Department of Homeland Security and the Canadian Cyber Incident Response Centre.

In the wake of several ransomware incidents at U.S. hospitals, the alert outlines steps that can help keep organizations from falling victim to a ransomware attack, along with guidelines for responding to ransom demands.

The alert states that organizations should realize that paying a ransom does not guarantee that the attackers will release the encrypted data or the key needed to recover it. “It only guarantees that the malicious actors receive the victim’s money and, in some cases, their banking information.”

The federal alert warns that ransomware is spread through phishing emails and through “drive-by downloading,” in which a user unknowingly visits a compromised website and malware is downloaded to the computer without any further action on the user’s part.

It also notes newer infection methods, such as exploiting vulnerable, internet-facing web servers as an entry point into an organization’s network.

The alert explains how a financially successful ransomware attack in 2012 likely led to the proliferation of variants. “In 2012, Symantec, using data from a command and control (C2) server of 5,700 computers compromised in one day, estimated that approximately 2.9 percent of those compromised users paid the ransom. With an average ransom of $200, this meant malicious actors profited $33,600 per day, or $394,000 per month, from a single C2 server. These rough estimates demonstrate how profitable ransomware can be for malicious actors.”

According to the alert, more destructive and lucrative variants followed in 2013, and by early 2016 a new variant called Locky was infecting healthcare computers in the United States, New Zealand and Germany. Another new variant, Samas, also is being used to compromise healthcare networks.

The alert offers the following seven preventive measures that organizations can take:

  • Employ a data backup and recovery plan for all critical information; perform regular backups and test them, to limit the impact of data or system loss and to expedite recovery. “Ideally, this data should be kept on a separate device, and backups should be stored offline.”
  • Use application whitelisting, a list of approved applications, to keep malicious software and unapproved programs from running. The alert calls this one of the best security strategies because “it allows only specified programs to run, while blocking all others, including malicious software.”
  • Keep operating systems and software current with the latest patches, which “greatly reduces the number of exploitable entry points available to an attacker.”
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet before running it.
  • Use permissions to restrict users’ ability to install and run unwanted software applications.
  • Avoid enabling macros from email attachments.
  • Do not follow unsolicited web links in emails.
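As an added example, not part of the alert or of this article, the following PowerShell script applies two of the seven measures on a single Windows workstation with built-in tooling. It writes the Office macro policy (the sixth measure) into the registry keys that Group Policy uses and reads it back to verify the change, then generates an AppLocker whitelist (the second measure) from the executables already installed in trusted locations and dry-runs it against a few paths before anything is enforced. The Office version key (16.0), the trusted directories and the probe paths are assumptions for the example; the AppLocker cmdlets require a Windows edition that ships AppLocker and an elevated session.

```powershell
# Added example (not from the US-CERT alert). Assumptions: Office 2016 or later
# (registry version key "16.0"), a Windows edition with AppLocker, and an
# elevated PowerShell session.
#Requires -RunAsAdministrator

# --- Measure 6: keep macros from email attachments from running -------------
# Office reads these values from the Policies hive (what Group Policy writes).
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable all except digitally signed, 4 = disable all.
# blockcontentexecutionfrominternet = 1 blocks macros in files that carry the
# Mark-of-the-Web (downloaded or saved from mail), regardless of VBAWarnings.
$OfficeVersion = '16.0'                         # assumption: Office 2016+
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroPolicy {
    param([string]$App, [int]$VbaWarnings = 3)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
        -Value $VbaWarnings -Force | Out-Null
    New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-MacroPolicy {
    # Read the values back so the change can be verified now and audited later.
    param([string]$App)
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.VBAWarnings -ge 3) -and
           ($p.blockcontentexecutionfrominternet -eq 1)
}

foreach ($app in $Apps) {
    Set-MacroPolicy -App $app
    '{0,-11} macro policy hardened: {1}' -f $app, (Test-MacroPolicy -App $app)
}

# --- Measure 2: application whitelisting with AppLocker ---------------------
# Build rules from executables already installed in trusted locations: a
# publisher rule where the file is signed, a hash rule where it is not.
# Assumed trusted roots; a full C:\Windows scan is slow, so System32 is used.
$TrustedRoots = 'C:\Program Files', 'C:\Program Files (x86)',
                "$env:SystemRoot\System32"
$PolicyXml = Join-Path $env:TEMP 'AppLocker-candidate.xml'

$fileInfo = foreach ($root in $TrustedRoots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe `
        -ErrorAction SilentlyContinue
}
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                -Optimize -Xml | Out-File $PolicyXml

# Dry-run: show what the candidate policy would decide for a known-good system
# binary and for anything sitting in the user's Downloads folder (a common
# landing spot for phishing payloads). Nothing is enforced yet.
$probes = @("$env:SystemRoot\System32\notepad.exe")
$probes += Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe `
               -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $probes -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# To deploy: review $PolicyXml, set EnforcementMode="AuditOnly" on each
# RuleCollection, start the Application Identity service, and merge it with
#   Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
# Switch to "Enabled" only after the audit log shows no legitimate denials.
```

Because publisher rules match on the signer rather than the file path, a signed system binary is allowed wherever it is copied, while an unsigned or unknown executable in a user-writable folder has no matching rule and is denied once the collection is enforced. Run the policy in audit mode for a few weeks first: the whitelist only helps if it does not also block the line-of-business applications the hospital depends on.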

Read the alert.

Beth Walsh,

Editor

Editor Beth earned a bachelor’s degree in journalism and master’s in health communication. She has worked in hospital, academic and publishing settings over the past 20 years. Beth joined TriMed in 2005, as editor of CMIO and Clinical Innovation + Technology. When not covering all things related to health IT, she spends time with her husband and three children.
