COVID-19 ISO Insights

Ransomware Attacks Continuing to Haunt Schools and Hospitals

October 19, 2020

By: David Geller, CPCU, SCLA

Reports continue to surface that the acceleration of activities that shifted online in response to the COVID-19 outbreak is amplifying risks in cyberspace. This post will focus on two types of targets that were reportedly popular for bad actors even before the pandemic: schools and hospitals.

Schools

As noted on our Ransomware topic page, cyber attacks on schools proliferated in 2019, contributing to hefty ransom payments, as well as school closures. With many schools moving online in Fall 2020 in response to the pandemic, the threat vectors appear only to have increased.

Recently, the Wall Street Journal reported on a relatively novel ransomware attack. Until this year, ransomware attacks reportedly involved infiltrating computer systems or networks and using tools like encryption to deny access or hold data hostage until the victim pays a ransom. However, a new aspect of ransomware is being deployed, as in this recent case: instead of simply locking users out of the computers, a hacker, per the WSJ, had also stolen sensitive personal information logged by the Clark County School District in Las Vegas. The stolen school data reportedly contained private information pertaining to about 320,000 students and was subsequently published online. According to the article, the hacker released this information after officials declined to acquiesce to the hacker’s demands.

This breach, which went a step beyond merely holding information hostage for ransom, is an example of “data exfiltration,” a concept we posted about back in August. An analysis recently conducted by Coveware indicated that this type of attack was executed more frequently in the first quarter of 2020.

Hospitals

A separate Wall Street Journal article has also reported on the current environment involving ransomware attacks on medical facilities. Per the article, “[h]ackers are increasingly targeting health-care institutions and threatening people’s well-being as their software attacks get more sophisticated and brazen.”

In general, it appears that ransomware attacks are growing more frequent. The article cites a finding from a cybersecurity company that these breaches happened twice as often in September 2020 as in September 2019.

With respect to ransomware and medical facilities, Wired has reported that Universal Health Services, a hospital and health care network that has more than 400 facilities in the U.S., Puerto Rico and the U.K., was forced to move to all-paper systems after a ransomware attack. Wired also notes that the first fatality linked to the fallout from a ransomware attack may have recently occurred in Germany, when a patient with a life-threatening condition was forced to divert to a distant hospital due to the hack.

Should Hacked Companies Pay?

There appear to be many variables for hacked companies to weigh when determining whether to comply with the demands of a hacker or hackers. Refusal to remit payment could lead to the same scenario that the Clark County School District faced, in which significant private information was leaked as retaliation for not paying. Additionally, it may be more costly not to comply. Back in 2019, we posted about how the city of Baltimore declined to submit to a $51,000 demand, and ended up accruing $18 million of charges to get back online.

Conversely, with respect to the cons of making the payment, paying off the criminals could perpetuate more attacks, and also seed them money for more tools and more research to improve their methods.

The Hill has reported on a pair of advisories released by the Treasury Department that point to the dangers of remitting payment to bad actors. Additionally, compliance with those demands could open the companies up to some additional exposure. The advisory issued by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) states, in part, the following:

Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business. Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.

Moving Forward: Ransomware Threats Do Not Appear Likely to Fade

In addition to schools and hospitals, another cyber breach has also caused some concern for the upcoming U.S. elections. The New York Times has reported that a company that sells software for cities and states to use to display results on election night was hit by a ransomware attack. The Times notes that this is one of roughly a thousand attacks on towns, cities, and contractors that are involved in voting systems.

Additionally, hackers may be teaming up to make attacks more effective. For example, the WSJ has reported that some criminals have “formed professionalized groups… sharing technical know-how and making ransomware available to a greater number of hackers, sometimes selling malware as an off-the-shelf product that is ready to deploy.” This may tie into a concept we posted about back in 2019 called “ransomware-as-a-service.”