How Criminals Extort Healthcare Victims With RansomwareVictims Urged to Prepare Rather Than Pay, Especially for False Data-Wiping Promises
Ransomware operations have become expert at finding ways to make a victim pay, and healthcare organizations are no exception. But experts say there are multiple steps healthcare sector entities in particular can take to better protect themselves and ensure that in the event of an attack, they can quickly restore systems and never have to consider paying a ransom.
Are healthcare organizations more or less likely to pay a ransom, compared to other sectors? Bill Siegel, co-founder and CEO of ransomware incident response firm Coveware, says "it's substantially the same calculus" for healthcare as with any other type of business or organization that falls victim. "The only thing that matters is: How can the organization recover its operations to minimize the risk of any sort of grave patient outcomes?" he says.
Deciding whether or not to pay "really depends on the situation and how well prepared a healthcare organization is - whether they have backups, if the network is segmented, whether the primary activities have been impacted and, most importantly, if human lives are not at stake," says John Fokker, head of threat intelligence for the Advanced Research Center at Trellix. "I would say if the impacted organization had to answer those questions with 'no,' then there is a higher chance that they are forced to pay the ransom."
But many organizations that have working backups still pay a ransom, according to a survey of 318 healthcare organizations across 31 countries conducted early this year by research agency Vanson Bourne for Sophos. Of ransomware victims that reported getting data back, 72% relied on backups, while 61% reported paying a ransom. "These numbers reflect the fact that many healthcare organizations use multiple restoration approaches to maximize the speed and efficacy with which they can get back up and running," Sophos reports.
Compared to other sectors, healthcare victims also appear to be the most likely to pay a ransom, "with 61% of respondents whose data was encrypted admitting to paying the ransom compared to the cross-sector average of 46%," Sophos reports. "This number is also almost double than the 34% who paid the ransom in 2020."
Paying to Decrypt
The first line of extortion for criminals has long been to demand a ransom in return for a decryptor. While this strategy was a good moneymaker from the mid-2010s onward, those profits started to flag around 2018. At that point, led by ransomware gang Maze, groups began using double extortion, which means to steal data before crypto-locking files and folders and demand a ransom to not leak the stolen data. Since then, some groups have fielded variations on that strategy, such as demanding a separate ransom for a promise that stolen data won't get leaked, sold or given to anyone else.
Deciding whether or not to pay is a business decision, so long as the attackers haven't been sanctioned by the U.S. Department of the Treasury. But experts urge victims to avoid doing so, whenever possible.
"When it comes to paying ransoms, our standard advice is 'don't,'" Lindy Cameron, president of Britain's National Cyber Security Center, told a Scottish cybersecurity conference in October. The NCSC is the public-facing arm of Britain's security, intelligence and cyber agency, GCHQ.
In a new report, the NCSC warns that ransomware remains the top cyberthreat facing Britain - and in particular, its hospitals and schools. The NCSC also says it expects such attacks to surge in the coming months.
While there is generally no prohibition against paying a ransom, Cameron said the act of making the payment is like standing on a street corner and handing over a bag of cash to a known criminal. "You should feel pretty uncomfortable," she said. "On the other hand, we do recognize that it's really important to not revictimize victims. … But we want to get to a place where a cybercriminal believes that making such payments happens very rarely."
Sometimes, however, victims are left with no other good options. "There's a real cost in recovery, and if your backups were hit and so on, you may not have any choice but to pay," says Allan Liska, a principal intelligence analyst at Recorded Future.
When that happens, especially in the healthcare sector, multiple myths need to be dispelled for victims, according to Coveware's Siegel. Largely, these center on the logistics of restoring petabytes of data from backups, which is a time-intensive exercise for which there is no workaround.
"The vast majority of the time paying a ransom and getting a decryption tool key is actually much slower than restoring from their backups," Siegel says. But he says hospital administrators oftentimes can't believe how long even restoring from available backups will take. "We just have to kind of show them the raw, unfortunate math - that that is the fastest way, there is no other faster way, and paying a ransom isn't going to fix that."
Ransomware victims who don't pay should expect that attackers won't go quietly, as seen in Karakurt's attack against Texas-based Methodist McKinney Hospital earlier this year, which included the theft of patient data. When the hospital didn't pay, the group issued a series of increasingly vitriolic statements about the organization.
This isn't unusual. Having already done the heavy lifting by penetrating the network and unleashing ransomware, attackers are likely to keep trying to publicly name and shame victims, leak stolen data or attempt to plant news stories based on the stolen data, use third-party call centers to phone victims, and demand a ransom or phone the victim's customers directly and tell them their personal details have been stolen - all to try and increase the pressure to pay.
Never Pay for a Promise to Delete Data
Ransomware experts continue to urge organizations to never pay a ransom in return for a promise from attackers to delete stolen data. This includes paying for a promise that any data attackers stole will be deleted.
Siegel says paying for guarantees that stolen data will be deleted is for suckers. He says victims have to understand that "the moment that data left their firewall, that it was gone. They failed to protect it and it got stolen. Paying a ransom doesn't fix that or ameliorate that. Frankly, it can exacerbate the problem. So, there's really no reason to pay in those situations, because the data is out there. … You can't put the toothpaste back in the tube."
In many cases, Siegel says, gangs that have promised to delete data have turned around and sold it or used it to attempt to re-extort the same victims.
"You can't audit that threat actors deleted the data. You can't look in every corner of every cybercriminal forum to see if the information is being sold or shopped anyway," he says. "There's no way to tell if the threat actor is going to come back and re-extort the organization later on, and in a lot of cases we see, that ends up happening."
Siegel's perspective isn't an outlier.
"They're not going to delete your data. I mean, just flat out, they're going to pretend to delete your data," Liska says. "They're going to make a copy of it and then secure-delete it in front of you and make a big show of deleting the copy or even deleting the original and keeping the copy. But they're not actually going to delete your data. We've seen that time and time and time again."
Unfortunately, the practice of organizations paying attackers for a promise to delete stolen data is apparently common. In July, Britain's Information Commissioner's Office and the NCSC issued a joint letter to solicitors in England and Wales warning that paying criminals for a promise to not leak or sell stolen data will lead to no reduction in any fine the ICO might issue in the wake of a breach investigation - or spot inspection - that uncovers poor cybersecurity practices (see: Don't Pay Ransoms, UK Government and Privacy Watchdog Urge).
Over 5,000 health data breaches since 2009 have affected the personal information of 370 million people. Ransomware gangs and hackers are targeting healthcare providers, insurance firms and partners at an alarming rate. Targeting Healthcare explores these trends and how the industry can respond.