Monitoring of Ransomware Practices Needs Improvement According to GAO

The Government Accountability Office (GAO) has found that many federal agencies responsible for risk in critical infrastructure sectors have evaluated, or intend to monitor, ransomware-related risks. However, they have not measured the adoption of leading cybersecurity practices, nor established whether federal support has effectively reduced risk in critical infrastructure industries. Ransomware attacks have grown over the last couple of years, and companies in critical infrastructure sectors are heavily targeted. According to the Department of the Treasury, the overall value of ransomware attacks in America reached $886 million in 2021, 68% higher than in 2020. Many of the attacks were on healthcare companies and adversely affected patients by delaying diagnosis and treatment.

According to the Federal Bureau of Investigation (FBI), 870 critical infrastructure organizations were affected by ransomware attacks in 2022. About 50% of those attacks targeted 4 critical infrastructure industries: energy, critical manufacturing, transportation systems, and healthcare and public health. In February 2022, the National Institute of Standards and Technology (NIST) created a framework for managing ransomware risk, which companies can use to identify and prioritize opportunities for improving security and resilience against ransomware attacks. It is unclear whether NIST's recommended security practices against ransomware have been implemented across critical infrastructure sectors.

GAO conducted a review to evaluate federal agency efforts to monitor sector adoption of leading federal practices, and to assess federal agency efforts to evaluate ransomware risks and the effectiveness of the support they have provided. GAO examined records related to reporting, risk analysis, and mitigation practices and compared them with NIST's cybersecurity guidance, particularly on ransomware. GAO found that the evaluated Sector Risk Management Agencies (SRMAs) lack reliable information on the extent to which the NIST recommendations have been applied, and until they have that information, the White House's objective of improving critical infrastructure's resilience against ransomware threats will be harder to achieve.

The majority of the SRMAs evaluated by GAO had already assessed, or planned to assess, the risks of cybersecurity threats such as ransomware to their particular industries, as required by law. Yet only 50% of the agencies had examined aspects of the support they offered to their industries, and none had fully evaluated the effectiveness of that support. GAO made 11 recommendations to the Department of Health and Human Services (HHS), Department of Energy (DoE), Department of Transportation (DoT), and Department of Homeland Security (DHS). GAO advised the Secretaries of HHS, DoE, DoT, and DHS to work with the Cybersecurity and Infrastructure Security Agency (CISA) to determine how their industries are adopting leading cybersecurity practices against ransomware. They must also develop and implement routine assessment procedures that measure how effectively federal support is helping to reduce ransomware risk in their industries.

HHS accepted the recommendations and believes it already meets one of them, as it performed a preliminary assessment of the sector's use of cybersecurity practices through previous efforts, for example its April 2023 Hospital Resiliency Landscape Analysis study, which examined the use of recommended cybersecurity practices in hospitals, and it has developed a Risk Identification and Site Criticality Toolkit. GAO acknowledged the steps taken but stated that HHS is not monitoring the sector's use of the specific practices that reduce ransomware risk; as a result, its recommendation still stands.

Senator Angus King (I-ME), a member of the Senate Armed Services (SASC) and Intelligence (SSCI) Committees and Co-Chair of the Cybersecurity Solarium Commission, together with Senator Marco Rubio (R-FL), introduced the Strengthening Cybersecurity in Health Care Act. The Act aims to help HHS strengthen its cybersecurity protocols and practices against evolving cyber threats.

Many of Maine's major healthcare companies have experienced cyberattacks in recent years. This problem in America's critical infrastructure is serious, and steps must be taken to improve the cybersecurity of the healthcare and public health sector. The Strengthening Cybersecurity in Health Care Act could help ensure that health organizations have the means to keep patient data safe. As the number of threats keeps growing, regular assessments will be important to the medical community.

The Strengthening Cybersecurity in Health Care Act requires the HHS Inspector General to assess the cybersecurity practices and requirements of HHS. At least once every two years, cybersecurity evaluations and penetration tests must be performed on HHS IT systems, and biennial reports must be submitted to Congress on the current cybersecurity procedures at HHS and its development of future security procedures.

Free Rhysida Ransomware Decryptor

Healthcare companies that were unable to recover files encrypted in Rhysida ransomware attacks can now use a free decryptor to restore them. The Rhysida ransomware-as-a-service operation emerged in May 2023 and, like many ransomware groups, has attacked U.S. healthcare companies. In August 2023, after attacks on the healthcare and public health sector, the HHS Health Sector Cybersecurity Coordination Center released an advisory about the group. In November, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory with indicators of compromise and mitigations.

Companies that were unable to stop an attack and chose not to pay the ransom can now recover their encrypted files. Researchers in South Korea discovered an encryption vulnerability in the Rhysida ransomware encryptor, which allowed them to create a decryptor for Windows. The random number generator (CSPRNG) used to create a unique private encryption key was flawed, which enabled them to determine the initial state of the CSPRNG at the time of an attack. Because the generator is not seeded from high-entropy data sources, the seed value used during file encryption is predictable. Knowing the initial CSPRNG state, and then examining logs and other information from the infection, allowed the researchers to narrow down the range of possible seed values. The decryptor tries the probable seed values until the right one is found; once it is, all the random numbers used for file encryption can be regenerated and all locked data recovered.
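The recovery approach described above, modelled as an added example that is not the KISA decryptor or any Rhysida code (the page gives no details of the real cipher or generator): a toy encryptor derives its key from a generator seeded only with a low-entropy timestamp, and the recovery routine tries every seed in an estimated window, accepting the one whose key turns the first ciphertext bytes back into the expected file header. The sample file, the PNG-style header check, and the hash-counter keystream are all constructed assumptions.

```python
import hashlib
import random

# Constructed sample "file": a PNG-style signature followed by payload bytes.
SAMPLE_PLAINTEXT = b"\x89PNG\r\n\x1a\n" + b"constructed image payload " * 4
# A decryptor can check candidates against the header it expects to see.
KNOWN_PREFIX = SAMPLE_PLAINTEXT[:8]


def derive_key(seed: int) -> bytes:
    """Toy model of the weakness: a generator seeded only with a low-entropy
    value (e.g. a timestamp) produces a fully reproducible 32-byte key."""
    rng = random.Random(seed)  # deterministic given the seed (assumption)
    return bytes(rng.getrandbits(8) for _ in range(32))


def keystream(key: bytes, length: int) -> bytes:
    """Hash-counter keystream; a stand-in for the real cipher (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(keystream(key, len(data)), data))


def encrypt(plaintext: bytes, seed: int) -> bytes:
    """What the toy encryptor does: key from the predictable seed, then XOR."""
    return xor_bytes(derive_key(seed), plaintext)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(key, ciphertext)


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 seed_lo: int, seed_hi: int):
    """Try each seed in the window estimated from infection-time evidence;
    return (seed, key) when the header check passes, else None."""
    n = len(known_prefix)
    for seed in range(seed_lo, seed_hi + 1):
        key = derive_key(seed)
        if xor_bytes(key, ciphertext[:n]) == known_prefix:
            return seed, key
    return None
```

The header check is what makes the search self-validating: a wrong seed yields garbage in the first eight bytes, so only the true seed survives.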

An automated decryption tool was created and is available for free on the Korean Internet & Security Agency (KISA) website, together with a technical report in English and Korean that explains how to use the decryptor. The decryptor can only recover files that were encrypted with the Rhysida Windows encryptor. Several cybersecurity organizations had already discovered the vulnerability and were able to recover Rhysida-encrypted files. Unfortunately, now that the vulnerability has been made public, the ransomware developer will probably fix it. When that happens, files will once again be recoverable only from backups or by paying the ransom.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone