
The Ransomware Explosion is Hitting Healthcare Hard, Part 1

By: Nextech | April 8th, 2016


This has been a crazy month for ransomware attacks and, unfortunately, the vast majority of them have been aimed at healthcare facilities and providers. In fact, no fewer than five healthcare organizations have been hit in just the last 30 days (and those are only the ones we know about because they were actually reported).

On March 30, King’s Daughters Health in Madison, Ind. had to shut down their EMR after finding a user file infected with a well-known form of ransomware dubbed “Locky.” Then, on April 4, operations at MedStar Health were brought to a screeching halt by a ransomware attack that locked their EMR and demanded a payment of roughly $19,000 worth of Bitcoin to release the data. MedStar chose not to pay the ransom, instead taking the time to restore their system via backups. However, I would bet dollars to donuts that doing so ended up costing them far more than $19,000 when all was said and done.

Of course, ransomware did not just now become a problem. It has been a serious and growing threat for years. According to a joint federal statement, twenty-nine federal agencies reported a staggering 321 ransomware-related incidents in only nine months (from roughly June 2015 to February 2016). Over the last decade, the FBI's Internet Crime Complaint Center (IC3) has received almost 7,700 complaints of ransomware attacks in which victims paid out a total of $57 million to regain access to their locked and/or maliciously encrypted data.

As if all this isn't scary enough, the FBI recently warned about a form of ransomware known as MSIL/Samas that, rather than encrypting only the one machine whose user opened an attachment, is used to compromise and encrypt entire networks and the devices connected to them. The FBI took the unusual step of soliciting assistance from the US's often-better-equipped private tech and cybersecurity firms in dealing with it.

This sudden spike in ransomware attacks raises the question (the same question raised by any new form of cyberattack, honestly)—“Why are they doing this?” 

The reason is pretty much the same as with any other popular method of cybercrime—ransomware is relatively low-risk, very cost effective, and (perhaps most importantly to cybercriminals) very lucrative.

You see… classic ransomware does not actually steal any data (unlike most other malware-based cyberattacks), so the attackers aren't using it for data mining or identity theft. They have simply found it's an even better way to make money… lots of money.

Here’s Why Ransomware Works (for cybercriminals, anyway)

First of all, getting your hands on a ransomware kit is surprisingly cheap. Just about anyone with average computer skills can purchase a basic ransomware kit, such as CryptoLocker, from any number of dark web vendors for as little as $3,000. Some vendors go further and offer "Ransomware-as-a-Service" (RaaS): they waive the purchase price altogether and hand the ransomware to a cybercriminal or cybercrime group free of charge, in exchange for an agreed percentage of whatever that group extorts with it. For example, the cybercrime vendor FAKBEN offers its RaaS platform for free to users willing to give it a ten percent cut of any earnings.

Ransomware Delivery

Most of the time, this is done by way of spear-phishing emails (which we have talked about previously on this blog). All it takes to deliver the ransomware is for one person in the target organization to click the email's spoofed link or open its malicious attachment. Once the ransomware runs, it encrypts the victim's files with a key unique to that victim and/or locks the system down. The ransomware's lock screen or ransom note then provides instructions on how to make payment, along with a field for entering the decryption key… which, of course, will not be provided until the ransom is paid.
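What that post-click stage looks like on disk is the part a defender can actually catch: one newly spawned process rewriting many files in a short window, usually renaming them to the family's extension (Locky, mentioned above, appends ".locky"). The following is an added example, not code from the original post or from Nextech, of a simple sliding-window detector over file-write telemetry. The log format, process names, paths, thresholds and the events themselves are constructed for this illustration; in practice the events would come from an endpoint agent or Sysmon, not from a hard-coded generator.

```python
"""Added example: flag the burst of file rewrites that follows a phished user
running a ransomware attachment. All names, paths and the log format below are
constructed for illustration, not taken from any real incident."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions that known ransomware families append to encrypted files.
# ".locky" is Locky's; the others are further constructed examples of the pattern.
RANSOM_EXTENSIONS = {".locky", ".encrypted", ".crypt"}

WINDOW = timedelta(seconds=60)   # look-back window per process
RANSOM_EXT_THRESHOLD = 20        # writes to a known ransom extension -> high severity
BULK_WRITE_THRESHOLD = 100       # writes to anything at all -> medium severity


def parse_line(line):
    """Parse one constructed telemetry line: 'ISO-timestamp|pid|image|path'."""
    ts, pid, image, path = line.rstrip("\n").split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "image": image, "path": path}


def has_ransom_extension(path):
    lower = path.lower()
    return any(lower.endswith(ext) for ext in RANSOM_EXTENSIONS)


def detect(lines):
    """Count file writes per process inside a sliding window and return alerts.

    A process is alerted at most once. Writes to a known ransomware extension
    trip the alert at a much lower count than ordinary writes, because a backup
    job or an AV scan also touches many files but does not rename them to a
    foreign extension.
    """
    events = sorted((parse_line(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)   # pid -> deque of (timestamp, is_ransom_ext)
    alerted, alerts = set(), []
    for ev in events:
        q = recent[ev["pid"]]
        q.append((ev["ts"], has_ransom_extension(ev["path"])))
        while q and ev["ts"] - q[0][0] > WINDOW:   # drop writes outside the window
            q.popleft()
        if ev["pid"] in alerted:
            continue
        total = len(q)
        ransom = sum(1 for _, is_ransom in q if is_ransom)
        if ransom >= RANSOM_EXT_THRESHOLD:
            severity = "high"
        elif total >= BULK_WRITE_THRESHOLD:
            severity = "medium"
        else:
            continue
        alerted.add(ev["pid"])
        alerts.append({"pid": ev["pid"], "image": ev["image"], "severity": severity,
                       "files_in_window": total, "ransom_ext_files": ransom,
                       "first_seen": q[0][0], "triggered_at": ev["ts"]})
    return alerts


def build_sample_log():
    """Constructed telemetry for three processes (not real data)."""
    t0 = datetime(2016, 3, 30, 14, 2, 0)
    lines = []
    # 1. A user saving two documents from Word: normal activity.
    for i in range(2):
        lines.append(f"{(t0 + timedelta(seconds=5 * i)).isoformat()}|2210|WINWORD.EXE"
                     f"|\\\\fs01\\notes\\memo{i}.docx")
    # 2. A backup job touching 60 files in a minute: bulk, but benign extensions.
    for i in range(60):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}|3305|backup.exe"
                     f"|D:\\backup\\file{i:03d}.bak")
    # 3. 'invoice.exe' from a phishing attachment rewriting 30 records as .locky in 45 s.
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=10 + 1.5 * i)).isoformat()}|4120|invoice.exe"
                     f"|\\\\fs01\\patients\\rec{i:04d}.docx.locky")
    return lines


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"[{a['severity']}] pid={a['pid']} image={a['image']} "
              f"{a['ransom_ext_files']}/{a['files_in_window']} ransom-ext writes "
              f"between {a['first_seen']} and {a['triggered_at']}")
```

Run stand-alone it reports only pid 4120 (invoice.exe) as a high-severity hit after its twentieth ".locky" write; the backup job stays under the bulk threshold and never touches a ransom extension, so it is not flagged. The extension list is the brittle part of this logic: a family that keeps original file names (or one not yet on the list) only trips the slower bulk-write rule, so the thresholds need tuning to the environment rather than being copied as-is.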

So now we come to the last part of the ransomware cycle—getting paid. To be honest, most ransomware operators are pretty smart about this part. To avoid being traced after they are paid, they demand payment in Bitcoin, which moves funds very quickly and is extremely hard to attribute to a real person. They are also smart about how much money they demand, pricing the ransom just low enough to be worth paying while still high enough to turn a profit. For example, they'll usually request somewhere between $10,000 and $20,000, though in a few cases they have handed over the decryption key for less (usually after negotiation). Remember, getting started in the ransomware racket only costs a few grand (or, with RaaS, a percentage paid out to the vendor). Therefore, they can usually recoup their initial investment (and then some) in a single attack… so everything after that is pure profit.

In fact, keeping ransom amounts low has been a fairly steady trend, and a situation back in February probably reinforced it. Hollywood Presbyterian Medical Center had its entire operation locked down by a ransomware attack, and the infiltrators demanded a payment of 40 Bitcoins, worth roughly $17,000 at the time. That is a lot less than the $3.4 million that several media outlets mistakenly reported at first. Still, against a $3,000 investment that is an extra $14,000 earned (over 450% profit). The hospital paid up, the attackers handed over the decryption key, and the facility's EMR system was up and running in no time. All's well that ends well.

Which brings us to an interesting point of fact when it comes to ransomware:

IN NEARLY EVERY PUBLICLY KNOWN RANSOMWARE ATTACK TO DATE, ONCE THE RANSOM WAS PAID, THE DECRYPTION KEY WAS DELIVERED AS PROMISED.

Why is this so important? After all, couldn’t the thieves just take the money and run once payment is made?

Sure. They could do that… but if cybercrime groups started doing this (taking the money and not delivering the decryption key), people would likely stop paying ransoms. And they most definitely want people to feel encouraged to pay. This has resulted in a kind of "honor among thieves" situation, where everyone involved in the ransomware racket has tacitly agreed to always provide decryption keys as long as the ransoms are paid. Keep in mind that this is an incentive, not a guarantee: a sloppy or buggy implementation can leave a paying victim with a key that does not work, which is one more reason that restoring from tested backups (as MedStar did) beats paying.