Ransomware – The New (Too-High) Cost of Doing Business
Gemini Advisory has released a paper that makes the point that in 2020, it may be best to view ransomware incident costs as part of the cost of doing business. And with more people working from home these days, there is an increased risk of security incidents, because threat actors may be able to compromise employees’ devices relatively easily and thereby obtain credentials for access to corporate computers or systems. One recent study reports that two-thirds of Indian entities had suffered a data breach related to remote working.
For those who haven’t really paid enough attention to ransomware’s evolution, Gemini Advisory’s paper will give you a nice recap of the past few years and some real-world examples. It is not oriented to naming and describing all the various types of ransomware being deployed these days, but the paper’s main point is consistent with something I first heard from lawyers a few years ago — that although law enforcement has tried to dissuade victims from paying ransom, eventually it all boils down to a determination of how much business an entity will lose and whether the cost of lost business is higher than the cost of paying the ransom. And in calculating costs, we need to include the cost of lost life or health when the victim is a health care entity.
As Gemini’s article documents, the health care sector was low-hanging fruit for attackers. Because so many individuals needed access to networks holding sensitive patient medical records and financial records, it was easier for threat actors to gain access — for example, through Remote Desktop Protocol left enabled with weak or easily brute-forced passwords, or through phishing attacks on employees (just two of a variety of methods). When the pandemic began, we saw a number of attacks where attackers used COVID-19 themes to get victims to click on links. In some cases, attackers posed as organizations such as the World Health Organization to make victims more likely to respond. But as has always been the case, there are also threat actors who simply buy access to victims’ networks, and such offerings are easy to find for sale on well-known Russian-language sites. Once in, sophisticated threat actors may spend days or weeks in reconnaissance and gaining access to more computers or systems before any ransomware is actually deployed. Their presence in the network often goes undetected because they use tools that are already on the system, so no new tool or program suddenly triggers an alarm or alert.
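As an added illustration of the exposed-RDP problem described above (example code written for this page, not from Gemini Advisory’s paper or the original post), the following detector runs over a constructed set of Windows Security logon events and flags a source address with repeated RDP logon failures in a short window, noting when a successful logon from the same address follows. The line layout (timestamp, EventID, LogonType, TargetUser, SourceIP) is an assumption of this example, not a real log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, one per line, in an assumed
# flattened layout: timestamp EventID LogonType TargetUser SourceIP.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2020-06-01T02:14:03 4625 10 administrator 198.51.100.7
2020-06-01T02:14:05 4625 10 administrator 198.51.100.7
2020-06-01T02:14:06 4625 10 admin 198.51.100.7
2020-06-01T02:14:08 4625 10 nurse1 198.51.100.7
2020-06-01T02:14:09 4625 10 nurse1 198.51.100.7
2020-06-01T02:14:11 4624 10 nurse1 198.51.100.7
2020-06-01T08:30:00 4625 10 jsmith 10.0.0.25
2020-06-01T08:30:20 4624 10 jsmith 10.0.0.25
"""

def parse(lines):
    """Yield (time, event_id, logon_type, user, src_ip) for each non-empty line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), user, ip

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts keyed by source IP for addresses that produced at least
    `threshold` RDP logon failures inside `window`; if a successful RDP logon
    from that address follows, record which account it landed on."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent 4625 events
    alerts = {}
    for ts, eid, ltype, user, ip in parse(log_text):
        if ltype != 10:
            continue                # only RemoteInteractive (RDP) logons matter here
        q = failures[ip]
        while q and ts - q[0] > window:
            q.popleft()             # slide the window: drop stale failures
        if eid == 4625:
            q.append(ts)
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(q), "success_after": None}
        elif eid == 4624 and ip in alerts:
            # A success after a burst of failures is the strongest sign of a
            # guessed password rather than a user simply mistyping.
            alerts[ip]["success_after"] = user
    return alerts
```

A single failure followed by a success (the 10.0.0.25 lines) stays below the threshold and is not reported, which keeps ordinary typos out of the alert queue.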
The threats to the healthcare sector have never been exaggerated. They are real, and Gemini Advisory’s paper reminds us of some of the risks or horrible outcomes if entities lose access to patient records or control of devices and equipment needed for surgery.
And no, never expect criminals to do the right or ethical thing. Earlier in the pandemic, Maze Team issued a press release saying that they would leave medical entities alone during the pandemic. Days later, they revealed that they were still trying to get a medical research facility in England to pay a ransom — even though they had offered the facility a discount if its research found a vaccine or cure for COVID-19.
As Gemini Advisory notes in their paper, ongoing attacks on medically related entities stimulated a discussion on a top Russian-language forum where many of these ransomware threat actors post and recruit. The discussion concerned the morality of attacking medical facilities during the pandemic — but some of the discussion was more pragmatic — that such attacks would bring law enforcement down like a ton of bricks on ransomware threat actors.
Even then, and while some threat groups did state that they would not attack medical targets, some of the most active groups, such as the Ryuk and Dharma threat actors, remained publicly silent while they continued their attacks on hospitals or healthcare systems. Netwalker threat actors also remained publicly quiet, but their list of victims continues to include facilities that provide health services, even if they are not big hospitals or systems.
By early April, INTERPOL had noted the increased attempts on hospitals.
For their part, CLOP threat actors pledged early into the pandemic:
We have never attacked hospitals, orphanages, nursing homes, charitable foundations, and we will not.
Commercial pharmaceutical organizations are not eligible for this list;
they are the only ones who benefit from the current pandemic.
If an attack mistakenly occurs on one of the foregoing organizations, we will provide the decryptor for free, apologize and help fix the vulnerabilities.
Going up, up, up!
As Gemini Advisory notes, ransom demands have increased dramatically over the last few years. And while it is somewhat positive that more entities now seem to have some cyberinsurance coverage that can help with the costs of recovery and ransom demands, the demands are so exorbitant that most entities will not have policies that can pay the full amount. Importantly, insurers seem to have been much more cooperative in the past year or so when it comes to agreeing to clients’ requests to pay ransom demands. Their prompt cooperation is especially important when you realize that attackers generally give victims only a few days to respond or to start and complete negotiations. Delays or stalling often lead the threat actors to dump data publicly to increase pressure on the victim or to embarrass them, or to raise the ransom demand. In what is the largest penalty of that kind that I can recall offhand, the Sodinokibi (REvil) threat actors doubled their $21 million ransom demand on a law firm that specializes in celebrities to $42 million. When no ransom was forthcoming even then, they began auctioning off the law firm’s clients’ files — or trying to.
But in 2020, entities have the increased cost of more insurance and the increased incident response costs that may involve buying new hardware, bringing in forensic experts who may cost them more than $100,000, and the usual costs of incident response, which were already estimated at hundreds of dollars per record. All that said, the latest report from IBM indicates that the cost of government data breaches (not confined to just ransomware attacks) decreased 16% for those who had invested in incident response planning.
The costs to health care facilities are mirrored in a smaller way in the education sector, where I am seeing small public K-12 districts get attacked with ransomware. Again, they may have some insurance to help, but generally not enough, as I pointed out in my reporting on the Sheldon ISD attack in Texas.
But perhaps one of the biggest concerns I have these days is the development of what seem to be ransomware cartels. Maze Team collaborated with other threat groups in a few attacks. How that came about and whether it was successful enough financially for both parties to pursue further collaborations remains to be seen. If the threat actors are ever caught and prosecuted, it would seem that they could also be facing RICO (Racketeer Influenced and Corrupt Organizations) charges that would put them away for even longer. But of course, first they have to be caught, and so far, most of these groups appear to be still standing, even though European law enforcement was able to catch and prevent one group of threat actors.
The other related concerning development is the expansion of the ransomware-as-a-service (RaaS) model, which allows novice or wannabe hackers to use an advanced threat actor’s tools and administration panel in exchange for a percentage of the ransom. As Gemini Advisory points out in their article, the question is whether these affiliates will be as responsible in terms of providing decryption keys, deleting data, and not double-dipping. It would behoove the established threat actors to be exceedingly careful about whom they accept as partners or customers, lest their own reputation be tarnished and potential victims no longer believe that they will be able to recover data if they just pay up.