Two weeks ago Minerva Labs introduced its Minerva Anti-Evasion Platform to the healthcare industry at the Health IT Summit, Boston 2016. Over the last couple of decades the healthcare industry has gone through an end-to-end transformation, integrating advanced computing into almost all of its services.

Unfortunately, cyber-criminals are always looking for new opportunities, and this sector became a prime target for them, as the FBI warned in a Private Industry Notification back in 2014. The alert was not in vain: the incidents described below proved it right in 2015 and 2016.

Ransomware Targeting a Medical Center

The Hollywood Presbyterian Medical Center experienced a ransomware attack last February, possibly the first attack of this kind against a medical facility. The hospital’s CEO gave in to the ransom demand and paid a “mere” $17,000 in bitcoin. Luckily, the hospital regained access to the encrypted files soon after the transaction was completed and resumed normal operations. We can only imagine the potential damage had they been unable to restore the files: not only direct financial losses to the hospital, but also a possible threat to patients’ lives, with access to medical records blocked in critical, time-sensitive conditions.

Sophisticated APTs and POS Scrapers

Although ransomware is a hot-button issue nowadays, we should keep in mind that it is just one “flavor” in the current threat landscape. Many other severe risks to the healthcare industry are out there. The Andromeda malware family (also known as Gamarue) is a good example of such a threat. This modular malware, capable of anything from simple data exfiltration to deploying customized plug-ins, has hit the healthcare industry “14 times more than the average industry”, as a report by Raytheon noted. Trend Micro’s researchers uncovered a possible reason for the intensity of the attacks: a point-of-sale (POS) scraping module that Andromeda deploys when it reaches such a device.

Minerva Anti-Evasion Platform Benefits

In order to bypass modern security solutions, malware often implements “evasion techniques”, testing whether it is running inside a sandbox or whether high-end security products are present. Minerva’s technology makes the malware “believe” it is running in such a hostile environment by simulating thousands of the artifacts that environmentally-aware malware searches for.

Andromeda, for example, checks whether the environment is safe before executing its malicious modules by consulting a blacklist of over twenty “bad” process names. If any of these processes is present, the sample assumes it has landed in a sandbox or on a security researcher’s machine, where it should avoid malicious activity. This is the actual list of blacklisted processes as published by security researcher Jose Miguel Esparza:

Minerva’s solution simulates all of those processes, and many others, causing Andromeda to halt its execution without any damage to the victim. Note how malware authors enhance the evasiveness of their “product” by continuously adding more and more blacklisted processes, which only makes our job easier: since the malware terminates if any one of them is present, simulating a single process is enough. We were able to obtain eighteen Andromeda samples disguised as software related to a large vendor of practice management and electronic health record software. All of the samples terminated immediately when Minerva presented them with a threatening environment (see the hashes in the IOCs section).
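As an added illustration, not Minerva’s code and not Andromeda’s real blacklist (which the page does not reproduce), the Python below models the gate described above: a process-name blacklist check of the kind environmentally-aware malware performs, and the decoy approach that defeats it by making a single blacklisted name appear present. The four names in `BLACKLIST` are hypothetical placeholders chosen for the demo, and `enumerate_processes()` (walking /proc on Linux, or the Toolhelp32 snapshot API on Windows) is included only so the same check can be pointed at a live machine.

```python
"""Model of a process-blacklist evasion check and its decoy-based defeat.
Added example: the blacklist is a placeholder, not Andromeda's published list,
and the decoy function is a toy stand-in for a real anti-evasion product."""
import ctypes
import ntpath
import os
import sys

# Hypothetical analysis-tool names (assumption for the demo only).
BLACKLIST = ("wireshark.exe", "procmon.exe", "ollydbg.exe", "vboxservice.exe")


def enumerate_processes():
    """Return image names of running processes, or [] where unsupported."""
    if sys.platform.startswith("linux") and os.path.isdir("/proc"):
        names = []
        for pid in os.listdir("/proc"):
            if pid.isdigit():
                try:
                    with open(f"/proc/{pid}/comm") as f:
                        names.append(f.read().strip())
                except OSError:
                    pass  # process exited between listdir() and open()
        return names
    if sys.platform == "win32":
        return _enumerate_windows()
    return []


def _enumerate_windows():
    """Toolhelp32 snapshot walk, the classic user-mode way to list processes."""
    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [
            ("dwSize", ctypes.c_ulong), ("cntUsage", ctypes.c_ulong),
            ("th32ProcessID", ctypes.c_ulong), ("th32DefaultHeapID", ctypes.c_size_t),
            ("th32ModuleID", ctypes.c_ulong), ("cntThreads", ctypes.c_ulong),
            ("th32ParentProcessID", ctypes.c_ulong), ("pcPriClassBase", ctypes.c_long),
            ("dwFlags", ctypes.c_ulong), ("szExeFile", ctypes.c_char * 260),
        ]
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    for fn in (k32.Process32First, k32.Process32Next):
        fn.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(0x2, 0)  # TH32CS_SNAPPROCESS
    entry = PROCESSENTRY32()
    entry.dwSize = ctypes.sizeof(entry)
    names = []
    ok = k32.Process32First(snap, ctypes.byref(entry))
    while ok:
        names.append(entry.szExeFile.decode(errors="replace"))
        ok = k32.Process32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return names


def hostile_matches(process_names, blacklist=BLACKLIST):
    """Blacklisted names seen among process_names (case-insensitive, any path
    prefix stripped), sorted. An empty result means 'looks like a real victim'."""
    wanted = {b.lower() for b in blacklist}
    seen = {ntpath.basename(n).lower() for n in process_names}
    return sorted(seen & wanted)


def run_if_safe(process_names, payload, blacklist=BLACKLIST):
    """The malware's gate: abort when any blacklisted name is present,
    otherwise run the (here harmless) payload and return its result."""
    if hostile_matches(process_names, blacklist):
        return "halted"
    return payload()


def with_decoys(process_names, decoys):
    """Defender side: make the environment look hostile by adding decoy names
    to what the check will see. One matching decoy is enough to trip the gate."""
    return list(process_names) + list(decoys)


if __name__ == "__main__":
    victim = ["explorer.exe", "svchost.exe", "winword.exe"]  # constructed sample
    print(run_if_safe(victim, lambda: "payload ran"))
    print(run_if_safe(with_decoys(victim, ["procmon.exe"]), lambda: "payload ran"))
    live = enumerate_processes()
    print(f"{len(live)} live processes, hostile matches: {hostile_matches(live)}")
```

The asymmetry the post points out falls directly out of `run_if_safe`: the malware needs every name absent, while the defender needs only one present, so each name the author adds to the blacklist is another decoy the defender may choose from.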

This behavior is typical of many strains of malware, including ransomware; however, not all ransomware families are evasive. Given the devastating potential outcome of a successful ransomware attack, we developed a module designed to remediate the damage of such an attack. It enables the ransomware victim to regain access to encrypted files with a single mouse click. This is achieved using our existing infrastructure, without relying on third-party software or on the Windows Volume Shadow Copy Service as others do.

Minerva’s platform was developed to be agnostic to the type of malware being executed: we simply wait for it to ask “suspicious” questions about its environment. This is yet another advantage against any kind of malware, enabling our solution to prevent a wide variety of threats while consuming next to zero resources. We can handle anything from Windows executables to Java archives (JAR) and even fileless malware probing for the presence of anti-exploitation products.

Lately we have seen how important this property is on “the ransomware front” as well. New ransomware families are using “creative” formats, like the recent RAA ransomware, which was implemented in pure JavaScript. Other products chase trends like this, while our approach lets us prevent and remediate threats such as RAA without the need for frequent updates.

IOCs

Hashes (SHA256) of healthcare-related Andromeda\Gamarue malware samples:

b1f3f591114265a73bc7d7983bd914238fe16c1e7aa08d6ab173caae255da371

4b2746ae9df226664979bc2956ab01c4c67d951f3887488f44912f26dcc58932

2967c17787e3aab941d24df54c578f1db4821a6341d148697a10e34345cdf53d

f0c177323b9cfaf636de34b87f0d3f1ed6e26ae0192c255d6e001e9d25161311

37b1c8c393a376663ba28b0928c2fbf7dac2625c3b43a1d53b5444e135bb8664

e0b2091998d1ff4b5574f1a91e733b4a05bc666682bead0609be494ee968e042

6436d0bda8eadd7b1573d0af4b6bc36faeb306ea0fc36ba8075e89ee80bec16b

666b0f8b577fd834f07b905113e5555668ee992f98eb764d1ecae6b49538444e

d70e685e141411978109c4d5403c0acc74c8862b2cd6fb69f268961e189d4316

070ef8082b4807fe44ea6d04f5ac4d9cb8fc1a36da79329b79d4bec8a6974f84

cd143721bc8fb8186a26a1c9160cba1aaecb70eb428eb2d4c56121cfe5919c33

c3d2eeace65c62254280dedf30fcceef1f08aa671978dbf54b92b486ab720254

73cb2b641897c850232bc42a50f08b476bb67337bcbab6d4db03edf7441889f8

d7816a66f85efe69f8afde5cbe89c3fd165c3c3a3450a364be9060ebded24a99

277c824e79eeb8747ddf83e683adfda2a002535892ddca4eda090c69bbddb3c5

9f57bdafd80d29956a67aef7de41ccbf06a31c3bfebb3e68b5e052ff479aaeec

314a2e6743f654895fba87ba0c8b53a59e65a88b0393205c4bd11ca87dcb2f84

c2fac61f139eef5d3915cfb9b53343ebdb998eb1f87b9812e6f9e4a47af6c255