The Ransomware Tsunami Continues Slamming Healthcare & Banks
2020 continues to dish out unforeseen difficulties and challenges, many at devastating levels. In the realm of cybersecurity, it’s been no different.
In January of this year, during research for a Cynet Breach Protection Report*, cybersecurity professionals were asked to rank threats according to perceived level of seriousness.
Ransomware is the second most feared threat – agreed upon by nearly three quarters of responders.
With just a handful more votes, the threat in first place was weaponized threats sent through email. It’s worth noting that ransomware may very well be one of the weapons delivered to victims via phishing emails.
The ransomware business has become increasingly lucrative, notwithstanding its illegal status. (See article Were It Not Illegal, Ransomware As A Service (RaaS) Would Be a Practically Perfect Business Model). Like a tsunami, ransomware can strike without warning and cause instant destruction. Malware infects computer systems and networks, encrypts data and then the ransomware operators step in to send ransom instructions and demands.
Healthcare and Banks Hard Hit
Ransomware first started getting attention with the WannaCry and NotPetya attacks in 2017. Those attacks garnered worldwide attention, striking and bringing down numerous companies within minutes. Prior to that, ransomware represented only a small portion of cyber crime.
The year 2019 brought a tremendous increase in ransomware attacks. By mid year, 40% of healthcare organizations reported having experienced at least one WannaCry attack in the preceding six months. And that was just WannaCry alone.
That same year, pharma company Merck announced it had been hit by NotPetya. By most criteria, WannaCry and NonPetya still rank in the Top 5, if not the Top 2 or 3, of most costly cyberattacks.
As ransomware attacks have been on the rise, healthcare entities have suffered attacks more than some sectors.
Some of the cyber attacks on healthcare and medical practices in the second half of 2019 include:
- October 17, Methodist Hospitals of Indiana, 68,000 patients hacked
- September 5, Providence Health Plan, 122,000 members
- August 28, American Medical Collection Agency, near 25 million, 23 healthcare organizations
- August 27, Presbyterian Healthcare Services, 183,000 patients and plan members
- August 5, Primera Blue Cross, over 10.6 million patient records, $74M settlement
- July 25, Park DuValle Community Health Center, paid nearly $70,000 ransomeware, data has been inaccessible since June 7
- July 19, Bayamón Medical Center and Puerto Rico Women and Children’s Hospital, ransomware attack on their information systems impacted 522,000 people
- July 17, Clinical Pathology Laboratories (CPL), 2.2 million patients
- July 11, Premera Blue Cross of Seattle, 10 million people, $10M settlement across 30 states
- July 10, 2019, Los Angeles County Department, 14,600 patients
- July 10, 2019, Essentia, Phishing attack through third-party vendor exposed data
- July 9, Vitagene in San Francisco, DNA testing service, 3000 user files unprotected AWS server
Attacks in Q1 of 2020 were continuing 2019’s high trends, but numbers have leveled off some since. Perhaps due to the attackers themselves, promising they would avoid attacking hospitals during the Covid-19 global health crisis. (See article Maze & Other Ransomware Groups Say They Won’t Attack Hospitals During COVID-19 Outbreak--But How Trustworthy Is Their Word?)
Personal Health Data Highly Desirable on the Black Market
Healthcare facilities dread ransomware’s tools of destruction, yet they find themselves to be prime targets. Selling personal information for the purpose of fraud and identity theft, including records on newborns and even patients who’ve died, is profitable. The ransomware model hunts coveted data and uses malware to get into the data systems. Once in, the malware encrypts the data, demands ransom and holds data hostage until the ransom is paid.
The more sensitive the data that’s being held hostage, the more desperate the organization is to regain its control. This is especially true given the HIPAA mandate all healthcare orgs must abide by in keeping healthcare data private. Healthcare records are considered very desirable and valuable in the Dark web’s black market. Healthcare organizations are also known not to have the strongest security and limited security staff.
Raising the stakes even higher, many ransomware operators threaten to publish the data they’ve stolen if the ransom isn’t paid. The criminals place copies in a secure place and simply bide their time waiting for payment. They know they have another play if the ransom doesn’t come. Many of the operators have made good on their threats and published the stolen data.
Increasing Numbers of Victims
A Comparitech study this year shows since 2016, 1,442 US healthcare providers have been hit by 172 ransomware attacks. Far more have been struck, but many incidents are never reported. The rewards are so enticing that it keeps bad actors motivated to continue. Resulting costs to healthcare are high. In addition to the ransom, they face lost business, downtime, compromised systems, and damaged reputation. Often companies also hire third parties to assist in analysis and must compensate victims.
The second half of 2019 showed a 75 percent increase in reported ransomware attacks on healthcare facilities, including hospitals, doctor’s offices, and medical facilities.
As an example, earlier this year, University Hospital Centre (CHU) in France experienced a ransomware predicament. Malware brought their systems down to the point they had to run their operations using old-fashioned pen and paper. Staff couldn’t access patient information electronically, causing delays and issues with patient care.
A recent study has shown where hospitals have suffered a ransomware attack, responses to heart attack patients have been delayed 2.7 minutes. This delay has resulted in up to an additional 36 fatalities per 10,000 heart victims per year. So quite literally, ransomware can be devastating in ways even more serious than data leakage.
Ransomware Groups Torturing Banks Too
Along with healthcare, banks and the financial industry have also been prime targets of ransomware operators. This includes bank technology vendors, such as Pitney Bowes, Finastra Cognizant and Diebold Nixdort, all recently struck by ransomware. Ransomware operators perceive these financial organizations have weaker.
Two companies above, Cognizant and Finastra, experienced ransomware attacks while making arrangements for their workforce to work from home due to COVID-19. Finastra has 8,500 customers, which include 90 percent of the world’s largest banks.
Maze Ransomware Group Scolds Bank for Security Gaps
Cognizant and Pitney Bowes were struck Maze ransomware, a particularly calculating ransomware gang. Their special touch is encrypting and stealing data and if ransom isn’t paid, threatening to publish it publicly. They’ve made good on the threat a number of times. Originally unique to the Maze gang, this approach is now adopted by many ransomware groups.
Maze justifies their attacks, saying they are doing good by calling attention to security gaps in the industry. They released a press release in August about an attack on Banco BCR in Costa Rica. They chastised the bank for its failure to disclose the breach to other banks, as required by state regulations. Admirable of them to be mindful of the law. They also boasted about having found that flaws they had previously found were still present.
In their own words, “In the security perimeter was a hole the size of the Channel tunnel. We decided not to block the work of the bank. It was at least incorrect during the world pandemic.”
The release went on to say they had grabbed data from 11 million credit card holders. Data that would be valuable on the dark web. But they declined to do so. They instead wanted to provide the public service announcement that the bank’s security was second rate. Maze also has its own web site where it lists its victims and publishes stolen data. There, they followed up an announcement of the payment card data they had lifted from Banco BCR.
With or without a pandemic, ransomware operators will continue their surge. Organizations ought not to let their guard down for an instant. As they say, never turn your back on the ocean.
Further Resources for Protecting Against Ransomware
Related Virsec Articles
*Cynet Breach Protection Report