A once-in-a-century pandemic has upended countless aspects of our lives, jobs and economy. As much of the world grapples with a third wave of COVID-19 this winter, inundating hospitals and health organizations, another threat actor is upending businesses, governments and hospitals: ransomware.
Of course, ransomware is nothing new. The IAPP ran a four-part series on it back in 2016, but, according to a recent U.S. government interagency report, since 2016, there has been a 300% increase in incidents, with nearly 4,000 daily ransomware attacks. To pile on, according to research from Check Point, daily ransomware attacks increased 50% in the third quarter of 2020.
Notably, attacks against hospitals are up. The same Check Point research found that the U.S. health care sector is the most targeted globally.
The U.S. Department of Health and Human Services together with the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency found evidence of an "imminent cybercrime threat to U.S. hospitals and (health care) providers."
Why the rise in attacks against health care organizations? For one, many run outdated systems, and they are ripe targets for extortion, especially when the ransomware affects critical systems upon which lives depend. Because of that, threat actors see hospitals as an opportunity for easy money.
This rise in attacks is something Stephen Reynolds, CIPP/US, and his team of attorneys at IceMiller have seen first hand. Contributing to the rise in attacks, he suspects, is another side effect of the COVID-19 pandemic: More people are working from home, which expands the attack surface for employees and their organizations. Plus, organizations — also because of the pandemic — have been forced to alter their business structures, which can leave IT departments more vulnerable due to budget cuts and staffing shortages.
Reynolds said threat actors often do their homework. He's found that monetary ransom demands often come in close to the cyberinsurance coverage amount of the targeted organization. Typically, he said, the adversary leaves a ransom note, but sometimes it takes time to get the amount demanded. "My thought is that this is because they (the adversaries) are so busy," he said.
"Threat actors are doing this at scale," IceMiller's Guillermo Christensen said. "When I get involved, I'm not just helping the company with the incident response; I counsel on what is the best way to deal with the threat actor in negotiating the ransom and what the prospects for restoration are versus paying for the encryption keys."
Christensen knows about negotiating with online threat actors and particularly organized criminal groups that operate as sophisticated networked operations. He served as an intelligence officer for the Central Intelligence Agency, including helping to set up teams at fusion centers around unconventional threats. In those roles, he regularly analyzed how threat actors such as today's ransomware groups operate, and this helps him counsel clients on the real-world options for negotiating a ransom.
When Christensen first got into the ransomware world, he said the criminal activity was much less organized, but now the criminal enterprise is run like a business at scale. He and Reynolds said adversaries sometimes even have fully functioning call centers.
Negotiations have another tricky layer, Christensen explained, noting that adversaries may be sanctioned by the U.S. government. For example, North Korea may use money from ransomware attacks to sustain its government. Terrorists may also use cryptocurrency payments for self-funding. Under sanctions administered by the U.S. Treasury Department's Office of Foreign Assets Control, it can be illegal for companies to transfer money to specified entities in a ransomware incident.
Christensen said OFAC is primarily focused on pressuring countries like Iran, for example, into giving up programs to develop nuclear weapons, but now ransomware is on its radar, as well. If the adversary is on the OFAC list, or the attack is attributable to a group operating out of North Korea, for example, Christensen expects that insurance companies and banks increasingly will block payment or ask questions about the destination of the funds that will be difficult to answer in the compressed timeline of a ransomware event.
Regardless of the OFAC risk, Christensen and his team at Ice Miller work hard to negotiate the demand down, noting he recently assisted a client to reduce the payment by more than $3.5 million. (As a side note: Since payments are usually conducted with bitcoin, such massive payments can affect the value of bitcoin in the marketplace.) A key part of this process is working with law enforcement, typically the FBI, before and after the ransom is paid.
To be sure, perpetrators of ransomware are not susceptible to sympathy-building. Christensen said, "Lots of negotiators act as if it's a live hostage situation, but I can assure you, there is no rapport-building with Russian criminals. They are brutally cold about this being a business and they are not swayed by sob stories or inability to pay – in fact they often know the company’s financial situation very well or whether there is an insurance company backstopping the payment. Playing games with them that way is a good way to deep six the negotiation."
The other question that often comes up when deciding to make a ransom payment is whether the adversary will decrypt affected systems or keep a "Trojan" embedded for future extortion. Reynolds said it's ultimately a business decision. He said he has yet to see an incident in which an adversary didn't hand over the keys after payment. "For them, it's a business, too, and they aim to build up their own reputations." He said in one case, an adversary used one of Reynolds' clients as a referral.
When an incident does take place, Reynolds said there's a process to pay attention to. First, stop the bleeding, but he notes, don't turn off affected computers. "You want to preserve as much data as possible to help see what's being done to the systems when the adversaries are in there," he said. Sometimes companies decide to shut down their system, which, upon reboot, can erase valuable log information. Plus, he said, regulators often want to see such information.
Next, companies need to think about their messaging and communications, both internally and externally. What will you say to media inquiries, for example, and what will you say to staff?
They also need to determine whether insurance will cover the incident, though this can be tricky if systems containing relevant insurance information are compromised by the incident. Reynolds said internal communication can also be a challenge if email is down. He said he's often communicating with clients via text, which can be difficult. Ultimately, it's important to have a communications strategy set up.
Affected companies will also want to assess any contractual notification requirements with vendors, which often needs to be done within the first 24 hours. And, of course, be ready to follow state data breach notification obligations, as well.
Though it may be difficult, Reynolds stressed the importance of documenting everything in a post-incident review. This will help when working with regulators and law enforcement and can inform future responses to ransomware, as lightning in this space certainly can strike more than once.
"Have a meeting and talk about what happened," Reynolds said. "What went right and what went wrong?" He points to the little things, too, like how will you pay vendors if your financial system is down? How will you communicate with staff if email is down?
And unfortunately, ransomware events tend to take place on weekends and holidays, so as we head into the holiday season, be sure staff is adequately trained to avoid suspicious phishing emails.
In addition to preparing an incident response plan, Reynolds also said simulations and table-top drills can be a valuable prep tool. "Everyone should be doing this," he said, "especially in the health care industry. I've found companies that have done this have improved outcomes and responses."
Outside of the business concerns, ransomware incidents "can take a human toll," Reynolds warned. "They can be exhausting and morale-killing." Preparation will help.
Here's a fact sheet from the U.S. Department of Health and Human Services on ransomware and the Health Insurance Portability and Accountability Act.