Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, recently disclosed a data breach that exposed customer information.
According to the notification, the company suffered a ransomware attack on July 14, 2022. An investigation into the incident revealed that the attackers had gained access to Empress EMS’ systems on May 26, 2022. About a month and a half later, on July 13, they exfiltrated “a small subset of files,” a day before deploying the encryption. The details of the attack describe a standard double-extortion ransomware incident: the criminals steal files, encrypt systems, and then threaten to publish the stolen data unless a ransom is paid.
The company did not name the group responsible for the attack, but the Hive ransomware gang is suspected. Researchers checking historical dark web data from cyber-intelligence firm KELA were able to verify that Hive published data from the company.
Empress EMS informed the U.S. Department of Health and Human Services that 318,558 individuals were affected by this incident. However, there are concerns that more people might be impacted. The notice explains that even those who have not received a letter, but can confirm through healthcare statements that they used Empress EMS’ services, should contact the firm by October 9, 2022 to benefit from credit monitoring services. Empress EMS states it has strengthened the security of its systems and protocols to prevent similar incidents from happening in the future.
Back up your data, system images, and configurations, test the backups regularly, and keep them offline
Ensure that backups are regularly tested and that they are not connected to the business network, since many ransomware variants look for accessible backups and encrypt or delete them. Maintaining current offline backups is critical: if ransomware encrypts the data on your network, your organization can still restore its systems.
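"Regularly test them" means more than confirming the backup job exited zero. The script below is an added example (not from the article or from Empress EMS) of one cheap, automatable restore-readiness check: hash every file at backup time into a manifest, keep that manifest off the backup media, and later compare the set on disk against it. A backup that ransomware reached shows up as modified files (ciphertext hashes differently), added files (ransom notes), or a manifest that is older than the backup schedule allows. All paths, file contents and the tampering are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_files(backup_dir: Path) -> dict:
    """Relative path -> SHA-256 for every file in the backup set (the manifest itself excluded)."""
    return {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def write_manifest(backup_dir: Path) -> dict:
    """Record hashes at backup time. Keep a copy of the returned manifest off the backup media:
    a copy stored next to the data can be rewritten by the same malware that rewrites the data."""
    manifest = {"created": time.time(), "files": backup_files(backup_dir)}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, trusted_manifest: dict, max_age_days: float = 1.0) -> dict:
    """Compare the backup set on disk against the trusted (offline) manifest.
    'modified' catches content changes such as encryption, 'extra' catches dropped files
    such as ransom notes, 'missing' catches deletion, 'stale' catches a job that stopped running."""
    current = backup_files(backup_dir)
    expected = trusted_manifest["files"]
    report = {
        "missing": sorted(set(expected) - set(current)),
        "modified": sorted(r for r in expected if r in current and current[r] != expected[r]),
        "extra": sorted(set(current) - set(expected)),
        "stale": (time.time() - trusted_manifest["created"]) > max_age_days * 86400,
    }
    report["ok"] = not (report["missing"] or report["modified"] or report["extra"] or report["stale"])
    return report


def demo() -> dict:
    """Constructed scenario: manifest a small backup set, then simulate ransomware overwriting
    one file and dropping a note, and run the verification against the trusted manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "nightly"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (backup / "config.yaml").write_bytes(b"site: hq\n")
        trusted = write_manifest(backup)  # in practice: read this back from the offline copy
        (backup / "db" / "customers.sql").write_bytes(os.urandom(64))  # constructed tampering
        (backup / "README_RESTORE.txt").write_bytes(b"your files have been encrypted\n")
        return verify_backup(backup, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this from a host that is not part of the production network and that mounts the backup media read-only; the check is only meaningful when the manifest it trusts could not have been touched by whatever touched the data. A full restore drill onto spare hardware remains the real test, but a hash comparison can run nightly and will catch the "backups were encrypted too" case long before anyone needs them.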
Update and patch systems promptly
This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan
Nothing exposes the gaps in a plan like testing it. Run through some core questions and use the answers to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work
Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks
There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, and that you identify the links between these networks and develop workarounds or manual controls so that ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
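Segmentation is only as good as its enforcement, and "identify links between these networks" is an ongoing task rather than a one-off diagram. The script below is an added example (not from the article) of the kind of check a defender can run over firewall or NetFlow exports: each address is mapped to a zone, cross-zone flows are compared against an explicit allow-list, and anything else is reported. The zone CIDRs, the allowed flows and the log lines are all constructed for the demonstration; in a real deployment the allow-list is the documented set of IT-to-OT paths and the log lines come from the boundary firewall.

```python
import ipaddress

# Constructed zone map (assumption): replace these CIDRs with your own addressing plan.
ZONES = {
    "corporate": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz":       [ipaddress.ip_network("10.20.0.0/24")],      # historian / jump host between IT and OT
    "ot":        [ipaddress.ip_network("192.168.100.0/24")],  # ICS / production network
}
# Anything outside the listed zones is treated as the internet.

# Allow-list of cross-zone flows: (source zone, destination zone, destination port).
# Every cross-zone flow not listed here is reported as a segmentation violation.
ALLOWED = {
    ("corporate", "dmz", 443),        # staff read the historian's web front end
    ("dmz", "ot", 502),               # only the DMZ host polls Modbus/TCP into OT
    ("corporate", "internet", 443),
    ("corporate", "internet", 80),
}


def zone_of(ip: str) -> str:
    """Name of the zone containing ip, or 'internet' if it is outside every listed zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow-log line: 'TIMESTAMP src=IP dst=IP dport=N proto=tcp'."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}


def check_flows(lines) -> list:
    """Return (timestamp, src_zone, dst_zone, src, dst, dport) for every flow that
    crosses a zone boundary without being on the allow-list."""
    violations = []
    for line in lines:
        f = parse_flow(line)
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if sz == dz:
            continue  # intra-zone traffic is out of scope for this check
        if (sz, dz, f["dport"]) not in ALLOWED:
            violations.append((f["ts"], sz, dz, f["src"], f["dst"], f["dport"]))
    return violations


# Constructed sample flows (not real logs).
SAMPLE_FLOWS = [
    "2022-07-13T02:14:07Z src=10.10.5.23 dst=10.20.0.10 dport=443 proto=tcp",        # allowed
    "2022-07-13T02:14:09Z src=10.20.0.10 dst=192.168.100.12 dport=502 proto=tcp",    # allowed
    "2022-07-13T02:15:31Z src=10.10.5.23 dst=192.168.100.12 dport=502 proto=tcp",    # corporate host straight into OT
    "2022-07-13T02:16:02Z src=192.168.100.12 dst=203.0.113.50 dport=443 proto=tcp",  # OT device reaching the internet
    "2022-07-13T02:16:40Z src=10.10.5.23 dst=10.10.7.9 dport=445 proto=tcp",         # intra-zone, not checked here
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print("VIOLATION", *v)
```

Two flows are reported: a corporate workstation speaking Modbus directly to an OT device, and an OT device reaching the internet. Either is exactly the link that lets an intrusion in the corporate network reach production, and either should be blocked at the boundary firewall rather than merely logged; running the check over the allow rules themselves (not just observed traffic) is a good way to confirm the firewall policy matches the segmentation design.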
Train users and enforce multi-factor authentication
Email remains the most exploited attack vector for organizations. Users should be trained to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
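User training catches some phishing; the mail gateway should catch more of it before a user ever sees it. The script below is an added example (not from the article) of three header checks that need no external lookups at triage time: the DMARC verdict your own MX already wrote into Authentication-Results, a display name that invokes your domain while the real address is elsewhere, and a Reply-To pointing at a different domain than the visible sender. The organization's domain, both messages and the Authentication-Results lines are constructed for the demonstration. MFA is not shown here because it is a configuration of the identity provider rather than code.

```python
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "example-ems.test"  # constructed placeholder for the organization's own mail domain


def assess(raw: bytes) -> dict:
    """Flag a message for analyst review using headers the receiving gateway already produced."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []

    # 1. DMARC verdict recorded by our own MX in Authentication-Results.
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\bdmarc=(\w+)", auth)
    dmarc = m.group(1).lower() if m else "none"
    if dmarc != "pass":
        reasons.append(f"dmarc={dmarc}")

    # 2. Display name invokes our domain while the real address is somewhere else.
    if OUR_DOMAIN in name.lower() and from_domain != OUR_DOMAIN:
        reasons.append("display-name claims our domain")

    # 3. Replies would go to a different domain than the visible sender.
    _, reply = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("reply-to domain differs from From")

    return {"from": addr, "dmarc": dmarc, "suspicious": bool(reasons), "reasons": reasons}


def make_message(headers: list, body: str) -> bytes:
    """Assemble a raw RFC 5322 message from header lines and a body (test helper)."""
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


# Constructed messages, not real mail.
LEGIT = make_message([
    f"From: Billing <billing@{OUR_DOMAIN}>",
    f"To: staff@{OUR_DOMAIN}",
    "Subject: June statements",
    f"Authentication-Results: mx.{OUR_DOMAIN}; spf=pass smtp.mailfrom={OUR_DOMAIN}; "
    f"dkim=pass header.d={OUR_DOMAIN}; dmarc=pass header.from={OUR_DOMAIN}",
], "Statements are attached.")

PHISH = make_message([
    f'From: "IT Helpdesk ({OUR_DOMAIN})" <helpdesk@secure-login-portal.test>',
    f"To: staff@{OUR_DOMAIN}",
    "Reply-To: helpdesk@collector-mailbox.test",
    "Subject: Password expires today",
    f"Authentication-Results: mx.{OUR_DOMAIN}; spf=pass smtp.mailfrom=secure-login-portal.test; "
    "dkim=none; dmarc=fail header.from=secure-login-portal.test",
], "Please review the attached notice.")

if __name__ == "__main__":
    for raw in (LEGIT, PHISH):
        print(assess(raw))
```

The legitimate message produces no reasons; the constructed phish trips all three checks. None of them proves malice on its own (a newsletter platform legitimately sets a different Reply-To, and a misconfigured partner fails DMARC every day), which is why the output is a list of reasons for a human rather than a verdict. The DMARC check is only trustworthy if the Authentication-Results header was stamped by your own gateway and any copies arriving from outside are stripped, so that an attacker cannot supply a "dmarc=pass" of their own.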
Reach out to ThreatAdvice for help evaluating your cybersecurity posture and data breach prevention strategies.