Industry Trends

DMA Locker 4.0: The Next Threat to Healthcare?

By Ryan Edwards | May 27, 2016

Lately, healthcare has been making headlines due to an onslaught of ransomware attacks from viruses like TeslaCrypt and CryptoWall. As a result of many lucrative successes in extorting ransom payments, the industry has been rightly named the number one target of cyber criminals by several research groups. And it doesn’t seem to be slowing down. Cyber criminals are looking to profit off of the traditionally soft target healthcare has presented due to its general lack of highly secure network and data center architectures. 

According to a malwarebytes researcher named Hasherezade, the DMA Locker virus is returning and it appears bigger and more dangerous than ever. This seemingly complex and extremely dangerous strain of ransomware is being delivered using the popular Neutrino exploit kit, and may reach massive scale very soon. DMA Locker is a ransomware type virus that encrypts local drives and network shares. Many of its features are being automated while using off-the-shelf exploit kits. Version 1.0 of the virus was fairly benign and never really caused much of a concern to anti-malware companies like Fortinet, who first revealed an effective defense in January, 2016 (W32/CQDP.BXP!tr). This latest version of the virus is primed to deliver a new wave of ransoms targeted at the healthcare industry, especially following the recent defeat of TeslaCrypt, whose owner recently did an unusual thing by publicly revealing their master key. 

Research has shown that most of the flaws in the original DMA Locker appear to be fixed, and it may be used for widespread attacks very soon. Malware distribution is based on web-based drive-by download attacks, and has the potential of reaching a very large number of computers. Once infected, the virus’ routines use remote command-and-control servers to generate unique and very strong encryption keys, rather than storing them locally as before. Reverse engineering the encryption is not possible at this time. Now, decryption will require a unique corresponding private key that must be purchased from the attacker in order to gain access to the encrypted data. Which means that repeat infections will generate additional ransom demands.  

Unfortunately, traditional perimeter security solutions are increasingly ineffective as networks become more and more borderless. This is especially true in healthcare environments, where network connectivity is distributed across thousands of PCs, laptops, tablets, medical devices, patient monitors, and applications – many of which lack any security defenses altogether.

Healthcare organizations can prevent infections of viruses like DMA Locker by implementing advanced security solutions that are up to par with the latest developments in cybersecurity. While comprehensive data backup policies and procedures should definitely be in place to help recover from a breach, sophisticated threat solutions such as internal segmentation firewalls (ISFWs) should also be implemented to prevent the proliferation of threats once they get inside the network, and stop the damage before patient data can make it to the exit. 

As an example, a modern security solution should be able to block the drive-by download method for viruses like DMA Locker before they have a chance to reach the desktop and initiate damaging encryption routines, no matter where the node is located within the network topology. 

For now, healthcare companies must brace for impact while simultaneously continuing efforts to ramp up security controls from viruses such as DMA Locker. It is vital to seek education on current trends in cyber warfare and initiate conversations with security vendors to help shorten the learning curve.