Rising Ransomware Attacks Wreak Havoc on Healthcare System
On October 28, 2020 the Cybersecurity and Infrastructure Security Agency (CISA) issued alert AA20-302A, a joint alert from CISA, the FBI, and the Department of Health and Human Services (HHS), regarding ransomware activity targeting the healthcare and public health sectors in the United States. The attacks come at a time when the number of COVID-19 cases is accelerating, and they could seriously disrupt healthcare delivery across the entire US. The perpetrators appear to be motivated solely by money, with early reports indicating that ransoms in excess of $10MM (US) will be the norm.
A Growing Problem
Ransomware has increased significantly over the past 18 months, with schools, government facilities, and hospitals being hit especially hard. A total of 59 U.S. healthcare providers/systems have been impacted by ransomware in 2020, disrupting patient care at up to 510 facilities. In September of this year, two events occurred in the healthcare industry that illustrate the seriousness of these attacks:
A ransomware attack on hospital chain Universal Health Services disrupted operations at 250 healthcare facilities, forcing doctors and nurses to resort to handwritten record-keeping. Lab results were slowed down, and employees reported chaotic conditions impeding patient care, including mounting emergency room waits and failing wireless vital-signs monitoring equipment.
In Duesseldorf, Germany, an IT system failure forced a critically ill patient to be routed to a hospital in another city. The patient died en route, becoming the first documented casualty attributable directly to a ransomware attack.
One month earlier, Watertown Samaritan Hospital in Maine suffered a malware attack that took all its systems offline. Full restoration of its systems was not completed until the first week in October – 10 weeks after the event.
As of November 1, at least four healthcare institutions have been reported hit by ransomware since the alert: three belonging to the St. Lawrence County Health System in upstate New York, and the Sky Lakes Medical Center in Klamath Falls, Oregon. Sky Lakes confirmed the report and said it had no evidence that patient information was compromised. It also reported that emergency and urgent care “remain available.”
The warning by the FBI and CISA should not be read as meaning that healthcare facilities and other organizations are not already compromised. Cybercriminals often load the malware weeks before activating it, waiting for the moment when they believe they can extract the highest payment. In many cases, the malware creates scheduled tasks that run frequently to ensure that it remains active on the system.
Hospitals may not realize that data has been stolen if they only review events in proximity to the ransomware activation. The criminals may have spent days or weeks inside the network before the ransomware is activated. During this period they will very likely spend time:
Mapping the network so they can attack as much of it as possible
Finding sensitive data and stealing it
Creating new accounts as backdoors
Installing “grey hat” penetration testing tools used for attack
Disabling key components of internal security software
Carrying out small “dry runs” with various malware samples to test attack techniques
Identifying and wiping online backups
Establishing the optimal time to execute the malware to inflict the most damage to the organization
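As an added illustration of the dwell-time point above (example code, not part of the original article), the following Python hunt runs over constructed Windows Security log lines and shows how a review window limited to the day of activation misses persistence set up weeks earlier. The one-line log format, the task names and the "frequent task" threshold are assumptions; the event IDs 4698 (scheduled task created) and 4720 (user account created) are the real Windows IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ISO timestamp, event ID, message.
SAMPLE_LOG = """\
2020-10-02T03:14:00 4720 A user account was created: svc_helpdesk2
2020-10-02T03:20:00 4698 A scheduled task was created: \\SysHealth\\Check (repeat every 5 minutes)
2020-10-05T22:41:00 4698 A scheduled task was created: \\Backup\\Nightly (repeat every 1440 minutes)
2020-10-27T23:55:00 4698 A scheduled task was created: \\Launch (repeat every 1 minutes)
"""

# Assumed activation time of the ransomware, used as the end of the review window.
ACTIVATION = datetime(2020, 10, 27, 23, 55)

REPEAT = re.compile(r"repeat every (\d+) minutes")
FREQUENT_MINUTES = 15  # assumed threshold: tasks firing this often deserve a look


def parse(log_text):
    """Parse one event per line into (timestamp, event_id, message)."""
    events = []
    for line in log_text.splitlines():
        ts, eid, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), eid, msg))
    return events


def hunt(events, activation, lookback_days):
    """Flag new accounts and frequently repeating tasks created in the
    `lookback_days` before `activation` (inclusive of the activation itself)."""
    start = activation - timedelta(days=lookback_days)
    hits = []
    for ts, eid, msg in events:
        if not start <= ts <= activation:
            continue
        if eid == "4720":
            hits.append((ts, "new account", msg))
        elif eid == "4698":
            m = REPEAT.search(msg)
            if m and int(m.group(1)) <= FREQUENT_MINUTES:
                hits.append((ts, "frequent task", msg))
    return hits


def indicator_kinds(log_text, activation, lookback_days):
    """Distinct indicator types found in the window; widening it changes the picture."""
    return sorted({kind for _, kind, _ in hunt(parse(log_text), activation, lookback_days)})
```

With a one-day window only the task created at activation time is seen; a 30-day window also surfaces the backdoor account and the five-minute task from early October.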
Criminals take the time to search through online files, locating the most sensitive and valuable data – business plans, financial accounts, internal emails, personal information about patients and employees, data covered by regulations such as GDPR, HIPAA and so on – essentially, anything that could be deeply damaging to the business if it were to leak out. This can then be used to further extort the business by threatening to disclose or sell the information if the ransom is not paid. In many cases, the data will be sold regardless of whether the ransom is paid.
CISA, FBI, and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. It may also be considered illegal, according to the Treasury Department’s Office of Foreign Assets Control, which stated that facilitators could be prosecuted even if they or the victims did not know the hackers demanding the ransom were subject to U.S. sanctions. This particularly applies to consultants who help organizations pay off cybercriminals. Cybersecurity firms that have recently begun to specialize in facilitating payments may be required to register as money services businesses if they help facilitate ransomware payments.