Emergency Health Services and Cybercrime

When it comes to ransomware attacks, nothing is sacred.

By Stephen Mill

As the Pandemic continues, international ransomware attacks are having devastating effects on computer networks. Cyber criminals have professionalized their shadow industry, employing whole teams with staggering amounts of organization. Files are being stolen, networks encrypted, and companies extorted for millions of dollars. The affronts to international emergency health services are especially troubling.

Ransomware often works through infected e-mail links or stolen Remote Desktop Protocol (RDP) credentials. RDP allows users to control a remote computer over an internet connection, a useful function with a host of security issues. Ransomware spreads laterally until the hackers gain admin capability. They then steal information and shut down computer systems until a ransom is paid. The victims are sent a cryptocurrency wallet address where they are to deposit the spoils of digital racketeering. If the ransom is not paid, the information is sold or published.

Certain cybercrime groups had previously promised, when attacking local government, to avoid nursing homes, healthcare organizations and 911 services. DoppelPaymer ransomware even promised free decryption services for healthcare organizations. Ransomware group Darkside takes it a step further, adding to the digital Robin Hood narrative with claims that a portion of their ill-gotten wealth goes to charity. Hackers are romanticized as agents of social change, fighting back against corporations that would exploit labor and hoard resources. Promises from these groups are criticized as self-preservation tactics; ways to avoid military and government intervention. Decentralized hacking organizations may not be able to account for lone actors or incorrectly identifying a target organization.

Many cybercrime gangs obviously do not adhere to this code of conduct. A recent release from the FBI’s cyber-crime division details over 400 international organizations victimized by a group called Conti. 16 of the attacks were specifically targeting US healthcare and first responder networks.

Russian cybersecurity firm Kaspersky estimates that Conti is responsible for 13% of all ransomware attacks from late 2019 through 2020. It is listed as No.2 on their list of top ransomware groups. Conti is believed to be the successor of the Ryuk Group, who’s ransomware technology is said to belong to the Wizard Spider Russian Cybercrime Gang.

One such example, attributed to Conti’s predecessor Ryuk, (often identified in their ransom notes, or with the .RYK extension on the files.) occurred in October of last year. Universal Healthcare Services (UHS), a Fortune 500 company, was reduced to a manual operation after a crippling cyberattack. Employees took to social media and spoke of losing access to all computer-based technologies including EKGs and PACs. Universal Healthcare Services was probably targeted to exploit their responsibility to millions of patients.

The incidents are not just an American issue. On Dec 20,2019 Ryuk compromised Saskatchewan, Canada’s eHealth system, affecting 50 million files. Approximately 5.5 million of those files contained sensitive personal health information. Saskatchewan’s decrypted data was extracted on Jan 21st and were sent to IP addresses in Germany and the Netherlands. The attacks are often indiscriminate and international. In May 2021, Ireland’s health services were hit by Conti Group. This forced Ireland’s Health Service Executive to shut down the IT systems as a precaution, locking many hospitals out of their computers. Most non-urgent appointments were cancelled, and employees were unable to access patient records. This disrupted Ireland’s COVID testing. Ireland has reached out to Interpol for help finding the culprits.

What can we do about cybersecurity? How can we protect our organization from cybercriminals? The FBI briefing outlines mitigation techniques.

-Regularly backup data and password protect backup copies.

-Put into place provisions that remove modification capabilities in the computer where the information is stored.

-Divide your network into segments so that a fraction of the info can be accessed by certain actors. Install updates and patches to software and firmware as soon as they are released and use multifactor authentication.

Organizations must put in fail-safes, continuously upgrade their networks, and train employees in network security to combat this evolving threat. Targeted organizations should reach out to their nearest FBI field office. Something as simple as clicking a link could be catastrophic for a company. Stay safe and good luck.