Network interference

Cyber expert weighs in on Enloe ransomware attack

William Caput organizes local hacking conventions, runs “red team” drills to test networks’ integrity.

Photo courtesy of William Caput

Learn more:
For more from the FBI on cyber attacks, go to ic3.gov. For more from Caput and local hacker events, go to norcon.io.

William Caput knows his way around online security systems. He can break through a firewall, get into a company’s server through an email phishing scheme and pinpoint exactly where the weaknesses lie. As an ethical hacker, however, he does so with protection in mind, to ensure the “bad guys” don’t get in.

But sometimes they do, as was evidenced last Thursday. “On the evening of Jan. 2, Enloe Medical Center’s network infrastructure was attacked with what is referred to as ransomware,” a hospital press release reads. “Essentially, data on the network was encrypted in a way that it was not immediately accessible by the hospital.”

Ransomware is a common tool cybercriminals use to extort money from companies, according to the FBI, which Enloe said it contacted about the attack (an FBI spokeswoman declined to comment on any specific incidents). “Ransomware targets both human and technical weaknesses in organizations and individual networks to deny the availability of critical data or systems,” an FBI cybercrime site reads. “Ransomware is a simple and proven model that continues to yield profits for cyber criminals.”

Caput is intimately familiar with ransomware. In fact, he has run simulated attacks, known as red-team exercises, against companies’ systems, including at his current employer, General Motors, where he is assistant vice president of cybersecurity (red team). He got his start in the U.S. Marine Corps, where he learned encryption and eventually hacking. He calls himself an ethical hacker because he uses his skills to harden systems against real attackers. Chicoans may know Caput from the hacker conventions he holds locally each spring.

“With a ransomware attack, they’ll typically get into the network through phishing emails to employees, then they’re going to spread the ransomware through the network and pull every password for every user, every firewall, they’ll pull everything,” Caput explained. “The ransomware will disable the system unless you get a decryption key. And it may cost $5,000 the first day, then $10,000 the second—it’ll get exponentially more expensive.”
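The phase Caput describes last, the encryptor rewriting files across the network, leaves a recognizable trace on a file server: one account renaming many different files to the same new extension within seconds. The following is an added example, not code from the article, Caput or any product; it parses a constructed audit-log format (the `host=... user=... action=... path=...` layout and the sample lines are invented for this illustration) and flags a host/user pair once a threshold of extension-changing renames lands inside a sliding time window.

```python
"""Toy detector for the encryption phase of a ransomware attack.

Walks file-server audit events and raises an alert when one host/user pair
renames many different files to the same new extension within a short window,
the pattern an encryptor produces when it rewrites a share file by file.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple
import os
import re

# Assumed audit-log layout (constructed for this example, not a real product's format):
#   <ISO timestamp> host=<fileserver> user=<account> action=<READ|WRITE|RENAME> path=<old>[ -> <new>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)(?: -> (?P<newpath>\S+))?$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    action: str
    path: str
    newpath: Optional[str]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    extension: str
    count: int          # extension-changing renames inside the window when the alert fired
    directories: int    # distinct directories touched, a hint at spread across the share
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> Optional[Event]:
    """Parse one audit line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return Event(datetime.fromisoformat(d["ts"]), d["host"], d["user"],
                 d["action"], d["path"], d["newpath"])


def detect_mass_rename(lines, window: timedelta = timedelta(seconds=60),
                       threshold: int = 5) -> List[Alert]:
    """Fire once per (host, user, new extension) when `threshold` renames that change
    the extension land within `window`. A legitimate rename (.tmp -> .docx) still
    counts as one event; the threshold, not the rename itself, separates it from
    an encryptor working through a share."""
    windows: Dict[Tuple[str, str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: List[Alert] = []
    fired = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.action != "RENAME" or ev.newpath is None:
            continue
        old_ext = os.path.splitext(ev.path)[1]
        new_ext = os.path.splitext(ev.newpath)[1]
        if old_ext == new_ext:
            continue  # same extension: ordinary rename, not an encryptor signature
        key = (ev.host, ev.user, new_ext)
        w = windows[key]
        w.append((ev.ts, os.path.dirname(ev.newpath)))
        while w and ev.ts - w[0][0] > window:
            w.popleft()  # slide the window forward, dropping stale renames
        if len(w) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(Alert(ev.host, ev.user, new_ext, len(w),
                                len({d for _, d in w}), w[0][0], ev.ts))
    return alerts


# Constructed sample: normal activity, then a service account encrypting three directories.
SAMPLE_LOG = """\
2020-01-02T19:01:05 host=fs01 user=jdoe action=WRITE path=/share/finance/q4.xlsx
2020-01-02T19:01:40 host=fs01 user=jdoe action=RENAME path=/share/finance/~q4.tmp -> /share/finance/q4_final.xlsx
2020-01-02T19:02:10 host=fs01 user=mlee action=READ path=/share/hr/policies.pdf
2020-01-02T19:04:00 host=fs01 user=svc_backup action=RENAME path=/share/finance/q4.xlsx -> /share/finance/q4.xlsx.locked
2020-01-02T19:04:02 host=fs01 user=svc_backup action=RENAME path=/share/finance/q3.xlsx -> /share/finance/q3.xlsx.locked
2020-01-02T19:04:03 host=fs01 user=svc_backup action=RENAME path=/share/hr/policies.pdf -> /share/hr/policies.pdf.locked
2020-01-02T19:04:05 host=fs01 user=svc_backup action=RENAME path=/share/hr/roster.docx -> /share/hr/roster.docx.locked
2020-01-02T19:04:07 host=fs01 user=svc_backup action=RENAME path=/share/radiology/ct_0413.dcm -> /share/radiology/ct_0413.dcm.locked
2020-01-02T19:04:08 host=fs01 user=svc_backup action=RENAME path=/share/radiology/ct_0414.dcm -> /share/radiology/ct_0414.dcm.locked
2020-01-02T19:04:09 host=fs01 user=svc_backup action=WRITE path=/share/hr/HOW_TO_DECRYPT.txt
"""

if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a.host} {a.user}: {a.count} files -> {a.extension} "
              f"across {a.directories} directories between {a.first_seen} and {a.last_seen}")
```

The alert fires on the fifth `.locked` rename, while the user's legitimate `.tmp` to `.xlsx` rename stays under the threshold. The point of the window is speed: an encryptor touches files far faster than a person does, so a threshold of a few files per minute catches it early in the run, which is the only time an alert is worth anything.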

In a perfect world, the target of such an attack has an incident response plan in place to contain the ransomware and restore systems from clean backups, getting everything back up and running. As of Wednesday morning (Jan. 8), Enloe had no updates regarding its system or the attack, according to spokesman Joseph Page. He declined to answer any questions on the subject.

“The privacy and security of information in our possession is one of the hospital’s highest priorities, and we have strict security protocols in place to protect information in our care,” Kevin Woodward, Enloe’s chief financial officer, said in the hospital’s press release. “Upon learning of this incident, we immediately took steps to restore critical operating systems and ensure the security of our network. At this point in time, we have no indication or evidence that suggests patient medical data has been compromised.”

Caput said this is typical of a ransomware attack—unlike incidents that aim to collect credit card numbers, for instance, it’s not about getting personal data or identity theft.

“What they’re not typically going to do is look for patient records, or HIPAA information, and steal it,” he said. “The goal is money and another way back in if it gets shut down.”

Caput speculated that the attack on Enloe may have been performed by a country like Iran, Russia or Ukraine. It’s becoming more common, he said, for foreign adversaries to use cyberattacks.

“Warfare has moved from being conventional to being cyber,” Caput said. “Iran isn’t going to send an invasion force in; they’re going to steal our money, fight in the shadows.”

When it comes to protecting against ransomware, the FBI’s central recommendation is regular backups kept off the network.

“It is important to note that even if a ransom is paid, there is no guarantee the business or individual will obtain their files from the cyber criminal,” its site reads. “To guard against the ransomware threat, we encourage businesses to schedule regular data backups to drives not connected to their network. These drives can be used to restore a system to the backup version without paying the ransom to the perpetrator.”

Companies and organizations the size of Enloe are particularly vulnerable, Caput said, because they lack the resources bigger corporations have to prevent attacks. For instance, security patches for software are released regularly, but they can be burdensome to install with a small tech team and a large fleet of computers. Cybercriminals look for unpatched holes to get in through.

“There was a major hospital in Atlanta, Ga., whose system was down for two weeks,” Caput said. “A police station in Florida was down for a week and a half. They had no contingency plan.

“With a hospital, patient care will suffer, employees will have to work double shifts.”

A study released in November by Vanderbilt University and University of Central Florida researchers found that hospitals that had suffered ransomware or other data breaches were slower to treat heart attack patients afterward, resulting in more deaths.

Like any other potential incident, a cyberattack must be planned for and the response rehearsed, Caput said. He pointed to companies like GM or, locally, Build.com, where Caput used to work, that maintain detailed disaster recovery plans specifically for a network failure.

“The thing with the hospital is, we’re on the fourth day now and they still don’t have their system back up,” Caput told the CN&R Tuesday (Jan. 7). “That means their disaster recovery plan wasn’t up to par. Part of what corporations are supposed to do is plan for these types of incidents and not have any unknowns.”
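The FBI’s advice above (backups on drives that are not connected to the network) and Caput’s point about rehearsed disaster recovery plans reduce to one testable property: can you rebuild the data from the offline copy and prove the result is exactly what you backed up? The following is an added example, not from the article, the FBI or Caput. It runs a small restore drill in a temporary directory: it takes a backup with a SHA-256 manifest, runs a constructed stand-in for the encryptor (files overwritten with random bytes and renamed with a `.locked` suffix, an invented detail), shows the manifest catching the damage, then restores and verifies. The sample files and ransom note are constructed for the illustration.

```python
"""Backup-and-restore drill: verify that an offline copy can rebuild a data set
after a simulated ransomware run, using a SHA-256 manifest written at backup time.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(live: Path, backup_root: Path) -> Path:
    """Copy the live tree to backup_root/data and record a manifest beside it.
    In a real deployment backup_root is media that is disconnected after the copy;
    a backup that stays mounted is just one more share for the encryptor."""
    data = backup_root / "data"
    shutil.copytree(live, data)
    (backup_root / "manifest.json").write_text(json.dumps(build_manifest(data), indent=1))
    return backup_root


def verify_against_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a tree with a manifest: files gone, files with changed content, files added."""
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore(backup_root: Path, target: Path) -> Dict[str, List[str]]:
    """Replace target with the backup copy and return the verification result."""
    manifest = json.loads((backup_root / "manifest.json").read_text())
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_root / "data", target)
    return verify_against_manifest(target, manifest)


def simulate_ransomware(live: Path) -> None:
    """Constructed stand-in for the encryption phase: overwrite each file with
    random bytes and rename it with a .locked suffix, then drop a ransom note."""
    for p in list(live.rglob("*")):
        if p.is_file():
            p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
            p.rename(p.with_name(p.name + ".locked"))
    (live / "HOW_TO_DECRYPT.txt").write_text("constructed ransom note")


def run_drill() -> Dict[str, Dict[str, List[str]]]:
    """Back up, get encrypted, restore; return the verification result at each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup_root = root / "live", root / "offline_backup"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "q4.xlsx").write_bytes(b"constructed sample spreadsheet")
        (live / "notes.txt").write_text("constructed sample note")
        take_backup(live, backup_root)
        manifest = json.loads((backup_root / "manifest.json").read_text())
        before = verify_against_manifest(live, manifest)   # clean: all lists empty
        simulate_ransomware(live)
        after = verify_against_manifest(live, manifest)    # originals missing, .locked files unexpected
        restored = restore(backup_root, live)              # clean again
        return {"before": before, "after": after, "restored": restored}


if __name__ == "__main__":
    for stage, result in run_drill().items():
        print(stage, json.dumps(result))
```

The restore step is the part organizations skip, and it is the part that decides whether an outage lasts hours or, as in the case described above, days: the manifest turns “we have backups” into “the restored tree is byte-for-byte what we saved”, and the drill itself is a rehearsal of the disaster recovery plan Caput says should leave no unknowns.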