“Ransomware is quickly becoming a national emergency,” Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales testifies in a Senate hearing on cybersecurity threats amid the coronavirus pandemic.
Testifying before a subcommittee of the Senate Homeland Security and Governmental Affairs Committee on Wednesday, CISA Acting Director Wales and other expert witnesses warned that ransomware attacks coming from foreign adversaries and other bad actors pose an immediate threat to healthcare facilities and the lives of patients.
Cybercriminals use ransomware to gain access to an organization’s network and hold it for ransom while denying the owners access under the threat of publishing or deleting the stolen data.
According to a CISA report, “Ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services.”
These types of attacks can wreak havoc on healthcare delivery systems, deny access to medical records, and even affect medical devices that patients’ lives depend upon.
According to testimony by CISA Acting Director Wales, “Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks” during the pandemic.
“Ransomware is quickly becoming a national emergency […] We must disrupt the ransomware business model, and we must take the fight to the criminals” — Brandon Wales
“Since the pandemic’s earliest days, we have seen malicious cyber actors targeting vaccine research and development, exploiting the dramatic expansion of remote work, and using COVID to advance criminal schemes,” Wales testified.
“Ransomware is quickly becoming a national emergency,” he added.
“We are doing what we can to raise awareness, share best practices, and assist victims, but approving defenses will only go so far.
“We must disrupt the ransomware business model, and we must take the fight to the criminals.”
“As a general rule, we have recommended against paying ransom, in part because it furthers the business model” — Brandon Wales
In order to not feed the ransomware business model, Wales recommended that organizations don’t pay the ransom.
“As a general rule, we have recommended against paying ransom, in part because it furthers the business model.”
“Ransomware is not going away as long as the business model is viable — as long as ransomware operators can do it,” he added.
And the ransomware business model is a lucrative one, with a profit margin of up to 99% that only requires 12 hours of labor, according to testimony from Bill Siegel, CEO at cyber incident response firm Coveware.
“The current profit margins of the cyber extortion industry is THE FUNDAMENTAL problem we need to address” — Bill Siegel
Enterprises paid out an average of $178,254 to ransomware criminals in Q2 of 2020, up 60 percent from the previous quarter, according to a report by Coveware.
“The current profit margins of the cyber extortion industry is THE FUNDAMENTAL problem we need to address,” Siegel testified.
Applying some arithmetic to the ~$180,000 average ransomware payment, Siegel submitted that when you deduct the average cost of about $350 that a cybercriminal invests up-front per job, they can rake-in anywhere from $44,150 and $177,650, taking into account whether they are successful just 25 percent of the time versus every time, among other variables.
“The threat actors profit margin is over 99% (this is before cashout, which may reduce total proceeds through the laundering process),” Siegel calculated in his written testimony.
“The threat actors profit margin is over 99%” — Bill Siegel
“They probably invested a grand total of 12 hours in the attack across all phases. They have also taken virtually NO risk.
“All activity was conducted remotely over the internet and via proxies. The extortion negotiation was done over encrypted email or TOR chat service that is untraceable. The proceeds of the extortion are in cryptocurrency and may be moved anonymously through well established cash out channels,” he added.
That’s quite the financial incentive for just one day of work.
The most common way that both state and non-state actors gain access to hospitals is by phishing employees, according to John Riggi, Senior Advisor for Cybersecurity and Risk at the American Hospital Association.
“We believe a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime, and therefore should be aggressively pursued as such by the government” — John Riggi
“Phishing remains the primary method to introduce malware and ransomware into hospitals, requiring dedicated, diligent hospital staff to monitor and educate workforces that are already strained due to the pandemic,” Riggi testified.
“Of all the attacks [on hospitals], ransomware attacks are a top concern,” he added.
“These attacks could disrupt patient care, deny access to critical electronic medical records and devices resulting in canceled surgeries and the diversion of ambulances, plus putting patient lives and the community at risk.”
If a state-sponsored hackers or a criminal organization were to gain access to a medical device used by a high-profile target, the hackers could simply switch it off and assassinate their target.
As Richard Staynings, chief security strategist at Cylera, once told The Sociable, “We’re talking about cyber assassination. You no longer need to be MI6 and issued a Walther PPK in order to assassinate someone; you just need to gain access to the medical devices that are keeping that individual alive.”
“Combined use of military and intelligence capabilities, along with economic sanctions to augment law enforcement efforts, can reduce cyber threats to the nation” — John Riggi
According to Riggi, ransomware attacks against hospitals are putting citizen lives at risk, and should be a top priority of the US government.
“We believe a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime, and therefore should be aggressively pursued as such by the government,” he said.
But it’s not just the work of some lonely hacker living in a basement somewhere. Foreign militaries and intelligence agencies are increasingly employing hackers to steal health data and research.
“Foreign intelligence services from China, Russia and Iran have launched cyber campaigns targeting health care to steal COVID-19-related data and vaccine research” — John Riggi
Riggi added in his written testimony, “In a disturbing trend, hostile foreign intelligence services are working in conjunction with cyber criminals (whose hacking capabilities and access are most useful to them) to target a wide scope of networks, including those related to health care.”
“Foreign intelligence services from China, Russia and Iran have launched cyber campaigns targeting health care to steal COVID-19-related data and vaccine research,” he added.
Since most attacks originate from “foreign adversarial safe havens” beyond the reach of US law enforcement, Riggi told the Senate Committee that the “combined use of military and intelligence capabilities, along with economic sanctions to augment law enforcement efforts, can reduce cyber threats to the nation.”
“By defending forward, the government can deter and disrupt these foreign-based cyber threats before they attack.”