Ransomware has been around since 1989, and since then, ransomware attacks have surged in frequency and sophistication, leaving a trail of disrupted operations, financial losses, and damaged reputations. Despite the growing awareness and continued attacks, many companies continue to fall prey to these attacks. Why?

Ransomware has remained the same as far as the attack method of encryption and ransom of the stolen data. Cybercriminals have added the extortion method to ransomware, but it is functionally the same. So, why are companies still behind when it comes to recovering from ransomware attacks? We will dissect the reasons behind corporate downfalls and discuss strategies to bolster defenses.

What Is Ransomware?

Ransomware is a type of malware that locks and encrypts a victim's data, files, devices, or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment. The first iterations of ransomware used only encryption to prevent victims from accessing their files and systems.

A Brief History of Ransomware

1989: The AIDS Trojan (PC Cyborg): The first known ransomware attack occurred in 1989, with the "AIDS Trojan" or "PC Cyborg." Distributed via floppy disks, this malware encrypted file names and demanded users send $189 to a post office box in Panama to regain access.

2000s: Evolution and Growth: Ransomware attacks evolved in the 2000s, with the emergence of more sophisticated encryption methods. The "GPCoder" family of ransomware, first detected in 2005, encrypted various file types and demanded ransom payments through online services.

2013: CryptoLocker: The 2013 CryptoLocker attack marked a significant evolution in ransomware. Using advanced encryption techniques, CryptoLocker spread via email attachments and demanded payments in Bitcoin, making it harder to trace transactions.

2016: Ransomware-as-a-Service (RaaS): The concept of Ransomware-as-a-Service (RaaS) became prevalent in 2016. Platforms like Cerber allowed even non-technical criminals to launch ransomware attacks, with developers taking a cut of the ransom.

2017: WannaCry and NotPetya: The WannaCry ransomware attack in May 2017 affected hundreds of thousands of computers across 150 countries, exploiting a vulnerability in Microsoft Windows. It disrupted operations globally, including the UK’s National Health Service. Shortly after, the NotPetya attack caused widespread damage, initially appearing as ransomware but later identified as a destructive wiper malware.

2020s: Increasing Sophistication: Ransomware attacks have continued to grow in sophistication and frequency. Notable attacks include those on Colonial Pipeline and JBS Foods in 2021, which disrupted critical infrastructure and supply chains. Modern ransomware often employs double extortion tactics, threatening to release sensitive data publicly if the ransom isn't paid.

Anatomy of a Ransomware Attack

Initial Access

Ransomware attacks typically start with the attacker gaining initial access to the victim’s network or system. This may be done through various methods such as phishing emails, exploiting vulnerabilities in software, or using stolen credentials.

Deployment

Once the attacker has gained access, they deploy the ransomware onto the victim’s network or system. This may be done using various methods such as malicious email attachments, drive-by downloads, or exploiting software vulnerabilities.

Encryption

Once the ransomware has been deployed, it begins encrypting the victim’s data, making it inaccessible to the victim. This may involve encrypting individual files or entire systems.

Ransom Note

After encrypting the victim’s data, the attacker typically displays a ransom note, informing the victim that their data has been encrypted and demanding payment in exchange for the decryption key. The ransom note may be displayed on the victim’s screen or delivered via email.

Payment

If the victim chooses to pay the ransom, they typically have to follow a set of instructions provided by the attacker to make the payment, which is usually in cryptocurrency. The attacker then provides the decryption key, allowing the victim to recover their data.

Recovery

Once the victim has received the decryption key, they can begin recovering their data. However, recovery may not always be successful, and some data may be permanently lost.

A Series of Unfortunate Events

Ransomware groups have targeted the healthcare industry recently causing severe network outages and service disruptions. It not only affects the business of companies, but it also affects the care of patients who need treatment and care. There are news articles that discuss the downtime of such attacks that last anywhere from a few weeks to over a month. One such story is Lauire Children’s Hpspital in Chicago, Illinois.

“Doctors and nurses at a premier Chicago children’s hospital can again access patients’ electronic medical records, more than a month after a cyberattack forced Lurie Children’s Hospital to take its networks offline. The hospital provided the update Monday and said its phone system also is fully functioning. Officials had previously blamed the attack on a “known criminal threat actor” and said the hospital shut down its own systems for phone, email and medical records once the breach was discovered on Jan. 31.

The situation at Lurie Children’s Hospital had all the hallmarks of a ransomware attack, although hospital officials have not confirmed or denied the cause. Such extortion-style attacks are popular among ransomware gangs seeking financial gain by locking data, records or other critical information, and then demanding money to release it back to the owner.”

Other examples of Ransomware attacks include but are not limited to:

Change Healthcare:

In late February, the ALPHV/BlackCat ransomware gang claimed responsibility for hacking Change Healthcare. The intruders disrupted operations and exfiltrated up to 4TB of data, including personal information, payment details, insurance records, and other sensitive information. This led to a non-verified ransomware payment of $22 million.

Change Healthcare plays a central role in 15 billion transactions and $1.5 trillion in healthcare claims annually. After the attack, the company had to shut down key operations, and getting systems fully back online has been difficult.

Ascension:

Ascension has provided an update on the cyberattack it detected on May 8, 2024, and has confirmed that it was a ransomware attack that affected operations at its 142 hospitals. No timeline has been provided as to when recovery will be completed, but Ascension said progress is being made restoring systems, and they will be brought back online when it is safe to do so.

Several Ascension hospitals are on divert to ensure that patients can be immediately triaged, electronic medical records are unavailable, the phone system is offline, as are systems used to book tests, procedures, and medications, and elective procedures have been postponed.

Synnovis

A ransomware attack this week on UK healthcare provider Synnovis has forced several London hospitals to cancel services and surgeries or redirect them to other facilities. The incident occurred Monday and has had a significant impact on their ability to deliver patient care, demonstrating once again the ripple effect that modern cyberattacks have on healthcare systems, demanding an immediate security response.

The False Sense of Security

As a Cybersecurity professional involved in healthcare, I know how the false sense of security becomes a common factor. Healthcare industries have to meet certain government regulations such as HIPAA. HIPAA stands for Health Insurance Portability and Accountability Act.

Passed in 1996, HIPAA is a federal law that sets a national standard to protect medical records and other personal health information. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information.

Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI).

Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

The false sense of security comes when companies are meeting the regulations of HIPAA to pass their yearly compliance audits but fail the actual recovery side of the regulations. It’s basically “Lip service”: Support for someone or something that is expressed by someone in words but that is not shown in that person's actions. Allow me to explain.

One of the requirements for HIPAA is to have backups of your infrastructure that retain “Patient Health Information” or “PHI.” “HIPAA requires healthcare organizations to back up patient health data at least once daily and maintain copies at a secure off-site location.

Organizations are also required to maintain documented backup and recovery plans, as well as periodic testing.”

The issue is companies will only test backups to make sure they are valid if a disaster happens. That is all that is needed, and it passes the regulation requirements. Let me ask you a question. If a company passes the requirements and maintains documented backup and recovery plans, as well as periodic testing…why are so many healthcare companies paying a ransom? It’s because healthcare companies do not know where all their PHI is located, and they do not know their acceptable Recovery Point Objective (RPO) or Recovery Time Objective (RTO).

They also do not have proper network monitoring in place to detect when there is a large amount of data being transferred outside the organization. This is something the disaster recovery team and leadership need to discuss, and it’s currently being missed today.

The Truth of it All

What is network monitoring? Network monitoring is used to monitor all activities on a network, and it collects data from bandwidth usage, packet loss, and latency. You can use this data to identify and troubleshoot problems with the network. Network security monitoring (NSM) detects and responds to security threats on a network. The reason network monitoring is so important is because of six Terabytes of data.

“In a statement published on their dark web leak site today, BlackCat said that they allegedly stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc."

Six terabytes of data leaving your network is a large amount for any company. Monitoring your network for data exfiltration is one of the best ways to identify pre-cursors for ransomware. Network monitoring log alerts should be reviewed on an annual basis, or you can set up alerts when a certain bandwidth threshold is reached. Anything over one Terabyte of data would be concerning.

What is a Recovery Point Objective (RPO)? A recovery point objective (RPO) is defined as the maximum amount of data – as measured by time – that can be lost after a recovery from a disaster, failure, or comparable event before data loss exceeds what is acceptable to an organization.

What is the Recovery Time Objective (RTO)? The Recovery Time Objective is the maximum acceptable amount of time for restoring a network or application and regaining access to data after an unplanned disruption. Loss of revenue and the extent to which a disrupted process impacts business continuity can both have an impact on RTO.

Why is it important to know what RPO and RTO are? It’s vital to the business continuity plan and disaster recovery plan. Just because a company has backups that test fine, they do not test how long it takes to recover and how much data loss a company can tolerate before losing business. It is the very reason why so many companies are down for so long and patients are turned away.

Regulations like HIPPA need to require hospitals to know their RPO and RTO to meet audit compliance.

If this becomes a standard, companies will have to invest time and money into their business continuity plan. Let’s be honest, it should be their top priority because ransomware is going to happen.

Cybercriminals have a better disaster recovery plan than most businesses today have. When the FBI seized LockBit’s website, LockBit was operational again in five days.

“On February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel. Five days later, LockBit is back and provides details about the breach and how they’re going to run the business to make their infrastructure more difficult to hack.”

Let’s put it in perspective. Whenever you go on a cruise, the first item on the list is the “Muster drill.” The muster drill is where you prepare to abandon your ship if a disaster happens. It is a standard on every ship, and it is invested in every time you take a cruise because if a disaster happens, you have to be ready.

Hospitals should not have to rely on insurance to bail them out if their data is stolen. Insurance companies need to help companies fill the gap if a breach happens.

An example would be if a company has ransomware and their backup system or infrastructure needs improvement, invest the ransom money in the company. The money used to keep stolen data from going public is a waste of time anyway. There is no honor among thieves, and cybercriminals will just take your money. If insurance companies invest the money in the company, you will get a better return.

Healthcare needs to adopt a “Wartime mindset” because every day they are at war with cybercriminals. Cybercriminals are ruining businesses and patients’ lives. It’s up to healthcare to build stronger defenses against ransomware and data theft.