By Dr. Wesley McGrew, Senior Cybersecurity Fellow
The Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services have provided the industry with information about ransomware campaigns that target organizations in the Healthcare and Public Health Sector [https://us-cert.cisa.gov/ncas/alerts/aa20-302a]. The report provides technical information about ransomware that malicious operators are using to leverage our reliance on healthcare systems—essentially threatening our safety and good health for profit. While the tactics used in these ransomware campaigns are not unique, they reflect the current evolution of ransomware in terms of strategy and tactics for profiting from compromised systems and networks. The targeting of healthcare shows a lack of “honor among thieves” (which we should have never expected) and a lack of fear of attribution and consequence that would otherwise cause the attackers to show some discretion.
Ransomware can be spread through automated means, using unpatched vulnerabilities in victims’ systems and networks. This was how WannaCry had such a significant impact in a relatively short period. Complete automation may not be the most effective path to profit for ransomware operators, however. Ransomware in the past infected systems at random and asked for small payments that did not vary from victim to victim. Cryptolocker’s $300 ransom was significant to an individual with personal files on home computers but was not a serious concern to larger organizations. In this older scheme, profits were made by operators in bulk, unattended.
More modern ransomware schemes involve manual interaction with the initial infection and negotiation with the victim. With a human-driven approach to attack, the ransomware operator can leverage vulnerabilities unique to the target organization, targeted open-source intelligence analysis, and direct interaction with victim employees via email, web, and phone to gain a foothold in the organization. Simple patching and good cyber hygiene are not enough to stop these motivated attackers. During the process of exploitation and attackers’ post-exploitation activity in target networks, the ransomware operators will gain a good understanding of what they should ask for in terms of a ransom amount. Modern ransoms ask for the largest sum that the target is likely to stretch to pay.
Whether or not the ransom is paid, the time between an infection becoming apparent and the resolution of the ransomware attack is expensive—in most cases far more expensive than the ransom amount itself. Operations are disrupted because data is unavailable. Mistakes in the programming of the ransomware and of the attacker-provided decryption tools can result in lost encryption keys and corrupted data. Productivity, revenue, and public perception will suffer. Ransomware attacks trigger internal incident handling and investigation processes, which tie up employees and resources or incur large expenses paid to third-party specialists. Even in the best case, with backups of data removing the need to negotiate with the attackers, significant effort must be put into protecting that data and safely bringing operations back online without opening the organization up to an identical attack. In hospitals, patient information and logistical information about hospital resources can become harder to access, and the availability of information systems and physical equipment may be affected as well, directly impacting the safety and health of patients.
The Computer Fraud and Abuse Act, as amended by the Patriot Act, calls for enhanced penalties of up to 10 years in prison per count when the criminal activity poses a threat to public health and safety. The penalties double again for recklessly causing injury. This can be extended to life in prison if the attack recklessly causes death. Presidential Policy Directive 21 defines healthcare and public health as sectors of national critical infrastructure. From the local area to the federal level, our economy and national security rely on our ability to provide a medical response to terrorist attacks, natural disasters, and outbreaks of disease, such as what we are currently experiencing in the COVID-19 crisis. Investigation of cyber-attacks on this infrastructure should be a priority, and the consequences faced by the attackers (and anyone enabling them) should be severe.
Ransomware attacks against hospitals are a concern for all of us. While much has been said in the information security community about the unethical nature of these attacks (and I agree), we, unfortunately, do not have much control over the moral decisions of criminal actors who attempt to maintain anonymity and are driven by profit and disruption. The response to them should involve both the private sector and the government. Investigation and dissemination of collective intelligence will be critical in preventing further attacks and identifying their sources. Healthcare organizations should internally institute solid data backup processes, along with incident handling and recovery procedures that rely on those backups in the event of an incident; these should be strengthened by relationships with trusted information security partners who can test networks ahead of an attack. Our hope is that enough evidence can be collected and acted upon to make life miserable for those who would carry out these attacks and to make other ransomware operators think twice about targeting critical infrastructure.