Ransomware – Enough is Enough!
I’m pissed, and you should be too. My father recently called to inform me that the surgery he was scheduled for the next day had to be postponed due to ransomware. I’ve devoted the last twenty years of my life to InfoSec and was left feeling helpless. And trust me, every possible thought crossed my mind – including retribution. Where is the recourse? Who is accountable?
Couple this with recent news of the first reported death from ransomware. The truth is, albeit disturbing and quite tragic, neither of these incidents is shocking. It is a stark reminder that ransomware is more serious than we’d like to think and is all too often becoming the new norm.
Universal Health Services and the Duesseldorf University Hospital are only two recent examples in a string of unfortunate healthcare industry cases.
- Last month, Valley Health Systems joined the ranks of the misfortunate who have fallen prey to attacks.
- In April, the MedStar Health chain based in the Baltimore and Washington area was attacked with Samsam ransomware (or Samas) that encrypted sensitive data at their hospitals.
- Last October, three hospitals in Alabama were forced to turn away non-critical patients after a ransomware attack.
- Many more hospitals have been infected by ransomware, including Methodist Hospital in Henderson, Kentucky, and Desert Valley Hospital and Chino Valley Medical Center in California, to name a few.
Like me, many of you have been in the security business for most of your adult lives. We share a passion for detecting, remediating and avoiding security breaches. Our livelihoods depend on it, and we take it seriously. Unfortunately, although I’ve been on both the practitioner and vendor side of the industry, I know there is no panacea to avoid a breach or stop ransomware attacks. “Dave, you work for a security company, how is this possible?” I’ve worked for several companies, all of which advertise their unique ability to stop ransomware. But do any of them stop them all?
Look no further than this year’s Verizon Data Breach Investigations Report (DBIR), and you’ll note how simple many of the incidents that result in breaches are, well beyond ransomware. Misconfiguration and weak or stolen passwords remain a significant cause, while attacks on exposed web services and unpatched vulnerabilities continue unabated, and all of these are avoidable. With healthcare, much like critical infrastructure, we aren’t just talking about company liability, which goes unmeasured because we lack any real detail into what these companies do to limit attacks and prevent breaches. As much as I’d like to see the companies held to greater accountability, the problem extends well beyond them.
Why? Because cybercrime is an extremely lucrative industry. CrowdStrike estimates the Ryuk group, suspected in the UHS attack, had generated over $4M as of January 2019. Cybercriminals are more organized than they were in the past. They are highly skilled and sophisticated and operate as collective organizations. They conduct ransomware attacks as part of an ongoing criminal enterprise. They reinvest their gains to develop more powerful malware and infrastructure, making attacks harder to defend against and the attackers more challenging to catch.
And it isn’t just for profit. Nation-states are behind a rash of these attacks, or at least producing the weaponized payloads. One very troubling example of cybercriminal sophistication for hospitals is hackers specifically targeting medical devices. The F.B.I. considered WannaCry (attributed by the U.S. government to North Korea) the first ransomware attack to widely target vulnerabilities commonly found in medical devices; it infected 1,200 diagnostic devices. In addition to shutting down one-third of the U.K.’s National Health Service (N.H.S.), resulting in the cancellation of more than 19,000 appointments and a reported cost of $112M, WannaCry proved not to be an isolated incident. The Russian military is thought to be responsible for developing NotPetya, which has been attributed to several health system attacks and was built so that encrypted data could not be recovered even if the ransom was paid. The SamSam actors, well known for ransomware attacks against healthcare and critical infrastructure that gained entry through exposed RDP services, have been linked to Iran. Holy shit, Batman!
SO WHAT CAN WE DO?
Consider the size, scale and scope of this problem. Short-handed security staff is only one of the many challenges plaguing hospitals. And their efforts alone won’t be enough to curtail the geopolitical forces behind the many attacks on them. The cyber risk to the health care sector and critical infrastructure is intertwined with the geopolitical climate. As such, the effort to protect hospitals and citizens alike must extend beyond the resources of any one institution and include all law enforcement, legislative, military and intelligence assets in their aid.
A more coordinated federal response is appropriate because ransomware has evolved from an economic crime to one that jeopardizes public health and safety. I’m not being melodramatic when I say ransomware attacks that cause hospitals to suspend patient care operations are akin to a wartime act. Military intelligence spends time identifying and annotating hospitals and care facilities on maps to ensure adherence to the international laws that govern combat operations, including the Geneva Conventions. Like military attacks on hospitals, cyber-attacks on hospitals should be a violation of all internationally accepted norms.
But there is one major disconnect: the laws typically used to prosecute cybercrimes are not commensurate with the level of harm cyber-attacks cause. For example, United States Code (U.S.C.) Title 18 §1030, the Computer Fraud and Abuse Act, is the statute used to prosecute hacking activity and other crimes related to computers. Specifically, 18 U.S.C. §1030(a)(7), Extortionate Threats, describes the crime that covers ransomware attacks, and the statute expressly contemplates harm that impairs medical examination, diagnosis, treatment or care. Yet it carries a maximum sentence of only 5 years in prison (not more than 10 for a subsequent conviction). But wait, it does entitle victims to pursue recourse in civil court (said dripping with sarcasm). The reality, given these sentencing limits, is that sentences remain minimal and barely a deterrent for an international ransomware gang facing a low probability of being detained while reaping millions of dollars in illegal profits.
DO WE NEED MORE LAWS?
No! We do not need more laws to deter cybercriminals. What we require is better coordination at the federal level and increased use of the laws and law enforcement tools already available. The U.S. response to attacks against health care and critical infrastructure needs to expand beyond a heavy reliance on U.S.C. Title 18 for criminal investigation and prosecution. This was the Department of Homeland Security’s intent back on April 8th when it pledged to go after ransomware groups who disrupt healthcare operations during COVID-19 with the full force of the U.S. federal government. Therefore, we need to combine or replace current approaches with alternate prosecution strategies that include other federal statutes pertaining to extortion, homicide and even terrorism. Charging under these statutes results in far more severe penalties, consistent with the blatant disregard for life.
A review of Title 18 indicates heavy favoritism toward financial institutions and government computer systems. It’s obvious the statute was written with financial crime in mind. The good news is there are additional authorities provided under other U.S.C. Titles, specifically 10 (Armed Forces), 31 (Money and Finance, including Treasury sanctions) and 50 (War and National Defense), which extend beyond domestic law enforcement to U.S. Cyber Command, the National Security Agency, the Central Intelligence Agency, etc. Combining these resources will achieve a more effective result and may best deter and disrupt adversaries.
There is precedent for this. The Treasury Department, through the Office of Foreign Asset Control (OFAC), levied sanctions against cybercriminals Evil Corp for their role in creating Dridex to steal banking credentials (see Brian Krebs article) and Lazarus Group for their role in numerous attacks, including WannaCry.
Sidenote: Although there are several examples of looking the other way, it can be illegal to pay a ransom to any group that has been sanctioned by OFAC, and facilitating the payment carries its own risk. For example, an indictment filed by the Southern District of New York in December 2016 charged the operator of Coin.mx with complicity in unlawful activity, violating federal money laundering laws for assisting a victim in exchanging dollars for bitcoin to pay a ransom. I can’t make this up!
Ransomware and other cyber-attacks on the health care sector have become pervasive. The crime has evolved from being financially motivated to an act that threatens life and endangers public health. The tactics, techniques and procedures we employ must change too. I applaud the efforts of the Health Information Sharing and Analysis Center (H-ISAC) and the Health and Human Services sponsored Health Care Industry Cybersecurity Task Force, but more needs to be done. It’s time to be proactive and go on the offensive. The appropriate way to deter and disrupt adversaries threatening our health care infrastructure and citizens is to leverage the entirety of the federal government’s law enforcement and intelligence capabilities to precipitate change and enhance consequences against these attackers.
Reference: Treasury Sanctions North Korean State Sponsored Malicious Cyber Groups, https://home.treasury.gov/news/press-releases/sm774