April 20, 2017
Given the dramatic nature of cybercrime, it’s no surprise that Hollywood has been serving up a variety of plotlines and shows about hacking and cyber security. From Black Mirror to Mr. Robot, police procedurals and other dramas are teaching people just how dire cyber-attacks can be.
Now even ransomware is a TV star, courtesy of a recent episode of Chicago Med. The hospital on the show, Gaffney Chicago Medical Center, was brought down in a way that feels all too familiar; staff were locked out of patient records and couldn’t perform MRIs. The show even featured the classic conflict of one leader not wanting to pay the ransom and someone else paying up – secretly. Yes, it was a TV drama and it avoided the forensic details of a real-life attack, such as how the system was compromised or whether the IT team searched out backdoor threats or implemented new tech to strengthen their security posture. But the basic premise was true: hospitals can’t afford days of downtime, which is why many pay up.
On average, more than 4,000 ransomware attacks have occurred each day since January 2016. 2017 numbers are expected to go far higher. So maybe it was inevitable to see a ransomware attack as a Hollywood plot. But did the episode actually teach anything useful?
As it turned out, it did.
Preparation is key.
The episode has a chilling moment when the surgeons check their monitors and see the normal patient imaging screen change to a ransom note. If you’ve ever lived through a ransomware attack, you know how that feels. It’s impossible to anticipate that moment. But you can mitigate the panic by preparing in advance. Using a great backup and disaster recovery solution can help you recover fast enough to thwart those demands for payment. Encryption, automated testing and redundancy can ensure your backups are always accurate and secure and that you can always keep your systems running even if attackers manage to penetrate your defenses.
A good plan saves time when it matters most.
On the show, the hospital leaders gather their staff to instruct them to operate under downtime procedures. In real life, this moment tends to get more complicated. How will you inform your staff of the attack? Do they know the right actions to take? Is the IT team trained in the failover process or will confusion weaken your defenses even more? Planning all of this out ahead of time can make the difference in a ransomware attack.
Ransomware repercussions can be fatal.
Chicago Med did a great job of showing how the attack forced the staff to rely on paper charts, track medications manually on whiteboards and cancel elective surgeries. For as much as we talk about security controls, encryption and other details, every ransomware attack has a human impact. When it comes to healthcare, that can affect patient lives – but ransomware can be dire for any business brought to a halt.
The answer to ransomware is NOT paying the ransom.
Okay, the episode didn’t teach us this. In fact, it “solved” the problem in a way that doesn’t work in real life – after the hospital systems came back to life, we found out a surgeon secretly paid the ransom to protect “the continued integrity of our services.”
Reality check: paying a ransom can be like feeding a wild animal. You’ve just encouraged the attackers to keep coming back for more. There’s no guarantee you’ll get the right decryption key or that the attackers didn’t leave a secret back door for their next attack. Ransomware attackers aren’t one-hit wonders; they can come back again and again. And why wouldn’t they? You’ve shown that you don’t have the backup and disaster recovery (BDR) power to fight them off. The only answer to ransomware is fast, secure recovery. That’s it. Once you’re hit, you need to quickly fail over to a guaranteed replica of your environment. Only then will the attackers move on to a more vulnerable target – because you’ve shown you won’t be paying them a dime.