This is the first in a series of articles about the rise of ransomware in the healthcare industry. This first part deals with how and why ransomware has become so prevalent. The second part explains the reasons why ransomware attacks are so prevalent in the healthcare industry, in particular. The third part discusses some of the latest trends in healthcare ransomware and what HIPAA covered entities and business associates can do to help protect themselves and reduce their risk.
By many accounts, ransomware has been around since the 1989 AIDS Trojan, which was delivered on floppy disks by mail to approximately 20,000 individuals, mostly attendees of a World Health Organization (WHO) international AIDS conference, by Harvard biologist Joseph Popp. The ransomware, disguised as a helpful AIDS informational survey, demanded payment of $189 to “PC Cyborg Corporation” at a post office box in Panama. The ransomware software was quite primitive by today’s standards and, although many ransom payments were sent, researchers were eventually able to extract the decryption key from the software’s code and decrypt data without paying the ransom. The payment method was also very primitive, and Joseph Popp was soon apprehended and prosecuted for blackmail.
Very few other significant ransomware attacks were carried out for nearly 20 years. Lack of sophisticated ransomware software was one reason for this, but one of the biggest obstacles was the lack of a safe way for an attacker to collect a ransom payment without being identified and apprehended by law enforcement. The advancement that would overcome this obstacle was decentralized blockchain technology introduced in 2008 in the form of the first cryptocurrency, Bitcoin.
The implications of this technology were immense and multi-faceted:
- Because Bitcoin is decentralized across a vast collaborative and independent network of computers around the world, no government, regulatory agency, banking system, or law enforcement agency can feasibly exert control over it. Transactions cannot be blocked or reversed and accounts cannot be seized or frozen like traditional bank accounts or physical currency can be. This guarantees attackers full control over their assets as long as they protect the cryptographic keys to their accounts.
- Bitcoin is not constrained by any geographic or political borders. Value can be quickly and securely transferred between two parties anywhere in the world with access to the internet. This allows attackers to demand ransoms from victims on the other side of the world as easily as from ones across the street.
- Although the complete ledger of Bitcoin accounts and transactions is fully open to the public, there is no link between accounts and their owners unless the owners reveal that link, either intentionally or accidentally. This allows attackers to remain completely anonymous and avoid apprehension. The only exception is when attackers wish to exchange Bitcoin for something more tangible such as fiat currency (USD, EUR, etc.) or goods, but there are many options available for laundering Bitcoin.
It did not take long for Bitcoin to facilitate a revival of ransomware attacks. One of the most notable examples was the CryptoLocker ransomware variant, which collected an estimated $27M USD in Bitcoin ransom payments from victims in just a two-month period in late 2013. The next hurdle to overcome was one of scale. The ransomware “industry” at this point was still quite fragmented and disorganized. Success depended on robust and reliable software and on advanced hacking skills, and not all cybercriminals possess a high level of skill in both of these areas.
Talented hackers without strong software development skills sometimes failed to successfully decrypt the data of victims following a ransom payment. This resulted in future ransomware victims across the world losing confidence that paying a ransom would allow them to successfully retrieve their lost data and caused increased reluctance to pay ransoms.
Talented ransomware software developers with skills in encryption and Bitcoin transaction processing were sometimes limited by their relatively inferior hacking skills. The best ransomware software in the world is useless if the developers aren’t able to infiltrate the systems of victims and deploy it. The solution to this scaling problem was cooperation, division of labor, and specialization via RaaS (Ransomware as a Service).
RaaS allowed some criminals to specialize in the software development side and profit from it immensely without needing top-notch hacking skills, without the sometimes substantial time investment to infiltrate systems, and without exposing themselves to the risk of having their hacking attempts detected and traced back to them by law enforcement. Similarly, RaaS allowed talented hackers to focus on their strong skills of penetrating cybersecurity defenses and evading detection without having to spend time on software development and testing and without having to worry about software failures. Depending on the specific arrangement, RaaS software developers could take a 30% cut of all ransomware payments (all handled automatically by their software) from their hacker “affiliates” without personally performing any hacking, while the individual hackers (or hacking organizations) could devote all of their time to penetrating systems and still receive a large portion (70%) of the ransoms without spending any time on the software side. Some of the major past and present RaaS players have been GandCrab, Maze, Ryuk, REvil/Sodinokibi, and Phobos.
This arrangement has taken ransomware to the next level and resulted in record ransomware payment collections due to the enhanced efficiency of operations (allowing more victims to be targeted) and the enhanced reliability (>95%) of software (resulting in more victims being willing to pay ransoms). Estimates vary, but total ransomware payments are believed to be more than $1B per year and rising. Coveware reports that the average ransom payment in Q1 2020 was up 33% from the previous quarter to $111,605 and the average downtime caused was 15 days. Note that the average ransom payment is typically a very small percentage of the total cost of a ransomware attack when one includes legal expenses, forensic investigations, regulatory fines/penalties, downtime and business interruption, not to mention reputational damage.
Ransomware has now evolved into the greatest cyber threat to many companies today. The next article in this series will discuss why the healthcare industry, in particular, has consistently been the most heavily targeted and has suffered the most extensive losses as a result.