Malware’s Newest Disguise: The Humble Resume

March 8, 2017 Category: Threats By: Alon Nachmany Comments: 1


  • Ransomware’s ancestry goes back to the 1980s, when programmers afraid that they would not be paid sometimes planted “time bombs” that locked a system until the bill was settled; the modern families are far more sophisticated platforms.
  • Ransomware plays a role in an insidious new trend in which cybercriminals target healthcare organizations through an unsuspecting accomplice: the employee who opens the attachment.
  • Early families used a single symmetric key; today’s use hybrid encryption, typically AES for the files and a 2048-bit RSA key to lock up the file keys. Without the attacker’s private key, brute-forcing either is not a matter of days or weeks but computationally infeasible, so recovery comes down to backups or an implementation flaw in the malware.

“Conceal me what I am, and be my aid for such disguise as haply shall become the form of my intent.” ― William Shakespeare, Twelfth Night

The Scenario

Jennifer is an office manager for a busy medical practice. She arrives at work all set for a productive day. As she does each morning, she checks her email. Today, one message references a position she has been tasked to fill. As expected, it contains an attachment labeled “resume.” She opens the attachment as she always does. This time, nothing happens.

“That’s curious,” she thinks. But being a responsible employee, Jennifer types a quick reply: “I have received your email, but was unable to open your resume. Please advise or resend the attachment.”

In short order, Jennifer receives a reply with a brief explanation. Certain actions need to be taken for the attached file to display correctly (in lures of this kind, that usually means clicking “Enable Content” so the document’s macros can run). The request seems reasonable to Jennifer. She is happy to help, since the email explained that this was a security measure.


A few minutes later, the office manager is shocked to see the following message appear on her desktop.

“IMPORTANT INFORMATION,” it reads, “all your files are encrypted with RSA-2048 and AES-128 ciphers.”

The message, which has somehow replaced her desktop wallpaper, is direct and to the point. The entire computer, any connected devices, critical patient data, and all networks and communications are at risk unless tens of thousands of dollars are paid. She reaches for her phone to dial her supervisor. But while she waits for an answer, the attack is spreading through the business, reaching every network share the workstation can write to. Jennifer’s employer is a victim of ransomware, part of the insidious new trend in which cybercriminals target healthcare organizations through an unsuspecting accomplice.

Ransomware: A Brief Overview

The idea behind ransomware goes back to the 1980s, when developers and programmers, afraid that they would not be paid, sometimes inserted “time bombs” into their code. When activated, the bomb would in effect lock the system until they were paid and removed the restriction, or, frequently, until someone else was hired to do so. The first malware to demand a ransom outright, the AIDS Trojan of 1989, used the same leverage, and from there a long line of ransomware has continued to evolve, each iteration more sophisticated and complex than the last. Today’s ransomware is more than a basic program: a modern Trojan can be an entire platform, complete with its own APIs and services.

Encrypting Ransomware

Though there is a non-encrypting variant (lockers that merely block access to the screen or the operating system), the type of ransomware plaguing hospitals and healthcare is a particularly nasty kind of malware that takes control of your data, systems, and processes by encrypting each file. Here are a few facts about current encrypting ransomware.

  • What started with a single 256-bit symmetric key has become hybrid encryption: each file is encrypted with a fast symmetric cipher such as AES, and the file keys are in turn encrypted with a 2048-bit RSA public key whose private half never leaves the attacker. Brute-forcing either key is not a matter of days or weeks of computing; it is infeasible, so the practical ways back are backups or a mistake in the malware’s own implementation.
  • Encryption is a process: it takes time to complete, and that time is the defender’s detection window.
  • It isn’t just local: it can encrypt every network share the infected machine can write to, and so your entire business network.
  • Modern ransomware is implemented as an automated workflow.
  • It is beginning to affect IoT-enabled and other smart devices.
  • Medical devices have, rarely, been encrypted.

The threat to your data could be:

– random, encrypting anything in its path;

– targeted, encrypting specific operating systems, computing devices, or platforms; or

– holistic, a combination of both.

Methodologies of Ransomware Criminals

Increasingly, these organizations are highly motivated, competent, and efficient at what they do. Their method resembles a military campaign: they gather intelligence, plan, infiltrate, and then exfiltrate.

They have done the due diligence necessary to identify high-value targets, and within a target’s business they know exactly which data is integral to day-to-day operations. They use fear as the primary motivator, and their only goal is to be paid. Simply put, they do not care that lives are at stake, but they know that you do.

Cyber Attack’s Impact on Healthcare

In 2016, hospitals across the US and Europe were victims of a rash of cyber attacks involving ransomware, including three hospitals in England. While few specifics of the attacks are known at this point, Northern Lincolnshire and Goole NHS Foundation Trust (NLAG) confirmed that its attack was the result of the Globe ransomware, which uses the Blowfish cipher to encrypt the files of the hospitals and of several smaller providers in the region. It is estimated that 2,800 operations were canceled over a period of several days as NLAG was forced to cease much of its services.

When a hospital or practice is hit, it must immediately shut down its network operations to stop the encryption from spreading. This means healthcare professionals lose access to email and cannot quickly schedule patient visits or surgeries. Often hospitals must revert to paper records for communication and scheduling. Many services are forced to shut down.

The devastating business and financial consequences associated with security breaches are not the main issue here. In healthcare, the prospect of having to shut down for any reason is not only a disaster for the organization but a particularly dangerous scenario for the public as well.

How Can Hospitals Protect Themselves Against Attacks?

After an attack, often the simplest and most frequent response is to pay the ransom. In some cases this has quickly restored access, but there is no guarantee that the criminals will deliver a working decryptor, the payment funds their next campaign, and it does nothing to prevent another attack.

Experts recommend a multi-tiered approach that practices, hospitals, and medical centers should consider when preparing an emergency response plan for cyber attacks.

User training – train employees on exactly what to look for in suspicious emails and attachments (an unexpected sender, a document that asks them to enable macros or take “certain actions” before it will display, a file type no résumé arrives in), and give them a clear plan of response and reporting once an attack has begun.
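The same indicators can be checked mechanically before a message ever reaches a mailbox. What follows is an added example written for this page, not Bromium’s code: a small triage routine of the kind a mail gateway or SOC script would run over incoming résumé attachments. It flags the two shapes the lure in the scenario takes, an Office document that carries a VBA macro project (the file that “needs certain actions” before it displays) and an executable hiding behind a document-looking name such as resume.pdf.exe. The allow-list, the sample attachments, and the in-memory .docx container it builds are all constructed for illustration.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Assumed intake policy for a hiring mailbox: the formats a résumé actually arrives in.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".doc", ".rtf", ".txt", ".odt"}
# Extensions Windows will execute on double-click; none belongs in a résumé.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs",
                         ".vbe", ".wsf", ".hta", ".cmd", ".bat", ".lnk", ".ps1"}
# Macro-enabled Office formats: the "please enable content" lure.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container


@dataclass
class Verdict:
    filename: str
    quarantine: bool = False
    reasons: list = field(default_factory=list)


def _extensions(filename):
    """Every dotted suffix, lower-cased: 'Resume.PDF.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def _ooxml_has_vba(data):
    """True if the bytes are an Office Open XML zip that carries a VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError, EOFError):
        return False


def triage_attachment(filename, data):
    """Return a Verdict; any reason at all means hold the file for a sandbox."""
    v = Verdict(filename)
    exts = _extensions(filename)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTENSIONS:
        v.reasons.append(f"executable extension {final}")
        if len(exts) > 1 and exts[-2] in ALLOWED_EXTENSIONS:
            v.reasons.append("double extension disguises an executable as a document")
    if data[:2] == b"MZ":
        v.reasons.append("PE executable header, whatever the name says")
    if final in MACRO_EXTENSIONS or _ooxml_has_vba(data):
        v.reasons.append("Office document carries a VBA macro project")
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office files can hold macros too, and the stdlib cannot parse
        # OLE streams; hand these to a sandbox (or olevba) rather than trust them.
        v.reasons.append("legacy OLE2 Office file; macro content cannot be verified here")
    known = ALLOWED_EXTENSIONS | MACRO_EXTENSIONS | EXECUTABLE_EXTENSIONS
    if final and final not in known:
        v.reasons.append(f"extension {final} is not on the résumé allow-list")
    v.quarantine = bool(v.reasons)
    return v


def _build_docx(with_vba):
    """Construct a minimal OOXML container in memory (a constructed sample, not a real résumé)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments, named the way the lure in the scenario names them.
CONSTRUCTED_SAMPLES = {
    "resume.pdf": b"%PDF-1.4\n% a harmless document\n",
    "resume.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,       # executable with a document-looking name
    "resume.docx": _build_docx(with_vba=True),            # the "enable content" lure
    "resume_clean.docx": _build_docx(with_vba=False),
}


def triage_all(samples=CONSTRUCTED_SAMPLES):
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        status = "QUARANTINE" if verdict.quarantine else "deliver"
        print(f"{name:20s} {status:10s} {'; '.join(verdict.reasons)}")
```

The routine is deliberately conservative: anything it cannot positively clear (a legacy .doc, an unknown extension, a macro project in a file that claims to be a plain .docx) is held rather than delivered, which is the right default for a mailbox whose whole purpose is to receive documents from strangers.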

Incident detection, prevention, and response – IT managers must ensure that these systems are in place, robust, and kept current with the latest technology and attack methodologies. Because encrypting a network’s worth of files takes minutes rather than seconds, a detection that fires on the first few files saves the rest.

Backup and recovery – This is crucial. Backups must be automated, frequent, and thorough. Restore points should be set and monitored, because ransomware can encrypt or delete any backup the infected machine can reach (mapped backup shares, volume shadow copies), sometimes slowly over time. Keep at least one copy offline or otherwise unwritable from endpoints, and test restores regularly; a backup that has never been restored is a hope, not a plan.

Breach determination – Employees are often frightened and believe that they have done something wrong. Not understanding the significance, they may delay reporting ransom messages or other indicators. This means that continuous monitoring of the network, cloud-based or otherwise, is a necessary cost of doing business for your organization; detection cannot depend on a user self-reporting.
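Because encryption takes time and touches many files, file-activity telemetry gives a detection that fires long before the last file is encrypted and without waiting for a frightened user to report a ransom note. The following is an added example, not Bromium’s or any vendor’s detection logic, that runs two such rules over a constructed file-event log: a canary file that no legitimate workflow writes to, and a per-process count of distinct files rewritten or renamed inside a sliding window. The log format (CSV of timestamp, host, pid, process, operation, path), the canary share path, the thresholds and the log lines themselves are all assumptions made up for the example; adapt the parser to your EDR or Sysmon feed.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 60   # assumed look-back window per (host, pid)
MAX_FILES = 20        # assumed: distinct files touched inside the window before we alert
# Assumed honeypot share: nothing legitimate ever writes here, so any write is an alert.
CANARY_DIRS = ("\\\\fileserver\\hr\\_canary\\",)


def parse_line(line):
    """Assumed CSV format: ts,host,pid,process,op,path (the path may itself contain commas)."""
    ts, host, pid, process, op, path = line.rstrip("\n").split(",", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "process": process, "op": op, "path": path}


class RansomwareDetector:
    def __init__(self, window=WINDOW_SECONDS, max_files=MAX_FILES, canary_dirs=CANARY_DIRS):
        self.window = timedelta(seconds=window)
        self.max_files = max_files
        self.canary_dirs = tuple(d.lower() for d in canary_dirs)
        self.recent = defaultdict(deque)   # (host, pid) -> deque of (ts, path) inside the window
        self.fired = set()                 # (rule, host, pid) already reported; alert once
        self.alerts = []

    def _alert(self, rule, ev, detail):
        key = (rule, ev["host"], ev["pid"])
        if key in self.fired:
            return
        self.fired.add(key)
        self.alerts.append({"rule": rule, "ts": ev["ts"], "host": ev["host"],
                            "pid": ev["pid"], "process": ev["process"], "detail": detail})

    def feed(self, ev):
        if ev["op"] not in ("WRITE", "RENAME", "CREATE", "DELETE"):
            return
        # Rule 1: a canary file was touched. Fires on the first hit, long before the bulk is gone.
        if ev["path"].lower().startswith(self.canary_dirs):
            self._alert("canary_touched", ev, ev["path"])
        # Rule 2: one process rewriting or renaming many distinct files in a short window.
        q = self.recent[(ev["host"], ev["pid"])]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > self.window:
            q.popleft()
        touched = {path for _, path in q}
        if len(touched) >= self.max_files:
            exts = [os.path.splitext(p)[1].lower() for p in touched]
            dominant = max(set(exts), key=exts.count)
            self._alert("mass_file_modification", ev,
                        f"{len(touched)} distinct files in {int(self.window.total_seconds())}s, "
                        f"dominant extension '{dominant}'")


def run_detection(lines, **kwargs):
    """Replay log lines through a fresh detector and return the alerts it raised."""
    det = RansomwareDetector(**kwargs)
    for line in lines:
        if line.strip():
            det.feed(parse_line(line))
    return det.alerts


def constructed_sample_log():
    """Constructed telemetry for the scenario in the post; not captured from a real incident."""
    t0 = datetime(2017, 3, 8, 9, 12, 0)
    lines = []
    # Benign: the office manager editing a few documents over several minutes.
    for i, name in enumerate(["schedule.docx", "referrals.docx", "letter.docx"]):
        ts = t0 + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()},ws-frontdesk,1180,WINWORD.EXE,WRITE,C:\\Users\\jennifer\\Documents\\{name}")
    # Malicious: the script the "resume" dropped renames 25 share files in 25 seconds,
    # one of them the canary.
    share = "\\\\fileserver\\hr\\"
    for i in range(25):
        ts = t0 + timedelta(minutes=4, seconds=i)
        path = share + ("_canary\\payroll.xlsx.locky" if i == 6 else f"jobs\\cv_{i:03d}.docx.locky")
        lines.append(f"{ts.isoformat()},ws-frontdesk,4242,WScript.exe,RENAME,{path}")
    return lines


if __name__ == "__main__":
    for a in run_detection(constructed_sample_log()):
        print(f"{a['ts'].time()} {a['rule']:24s} {a['host']} pid={a['pid']} {a['process']}: {a['detail']}")
```

On the constructed log the canary rule fires on the seventh malicious event and the rate rule on the twentieth, while the office manager’s own editing never trips either; with those alerts wired to an automatic host isolation, the remaining shares stay intact. The window and file-count thresholds are the tuning knobs: a wide window with a high count catches slow encryptors at the cost of delay, which is exactly why the canary rule, with no threshold at all, is worth deploying alongside it.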

Virtualization-based Security (VBS)- When Bromium partnered with Microsoft last year, they used micro-virtualization to vastly improve endpoint security for Windows. Additionally, when using Bromium’s patented micro-virtualization, IT teams have the ability to fully automate the protect-detect-respond cycle, reducing costs and increasing efficiency.

Are Endpoint and Document Protection Helpful?

Criminals continue to find new and improved methods of exploiting both human and system weaknesses, and it is virtually impossible to predict how they will next socially engineer their way into our systems. In this case, the old military adage holds: “The best defense is a good offense.”

In an ideal world you would have layered defenses, approaching each layer in turn: the application stack, the physical layer of every device, and the individual document as well. End to end, each device would have its own defensive mechanisms and its own protections.

Through the use of a micro-virtual machine, or uVM, you can have just that type of end-to-end protection. Bromium’s patented technology, for example, protects your system by opening each document in its own uVM. Because the attachment is opened in an isolated virtual environment, even an infected attachment that is opened and activated does its damage only inside that throw-away VM, leaving almost no risk to your local network.

There is no need to worry about losing functionality either: from within the uVM the user can view, edit, and save the file, and even copy and paste from it, without spreading malware into other documents.

Furthermore, running in a uVM lets security staff collect relevant data and metrics about the attack, which can assist in identifying the attackers and in preventing future attacks.

Consider the Scenario

If Jennifer, the dutiful medical office manager, had been using Bromium with document protection enabled, the malware would have been contained within the uVM, and the nightmare that followed would never have occurred.

About the Author


Alon Nachmany
Solution Architect / Field Manager at Bromium


One Comment

  1. Andrew Wolfe, March 14, 2017 at 5:41 am

    Only Windows has ransomware attacks. GET RID OF WINDOWS. While proofs of concept have seemed possible for Mac and Linux, the attacks haven’t even been seen, let alone succeeded.
