Profit allure makes hospitals ‘ground zero’ for ransomware
If you were worried about ransomware two years ago, you were almost certainly either a security specialist or a victim. According to the FBI, U.S. companies paid $25 million in ransom last year, and it expects the 2016 total to be more than $200 million.
What is driving this sudden explosion in what was once a rarely seen Internet crime? Who should be worried? Are the dire predictions likely to come true?
If my experiences during the early years of the phishing epidemic are any indication, the dire predictions will turn out to be wrong—because they weren’t dire enough.
Hackers jumped onto the phishing bandwagon by the thousand when they learned that there was an easy way to make money from their skills. In the early days, stolen credit card numbers were as good as money in the hacker’s pocket. Today, the actual theft of a credit card number is only one step in a complex process of bank fraud.
Until recently, targeting businesses was work for specialist cybercriminals. Businesses have lots of information that is very valuable to them. Only some of that information is valuable to others, and very few criminals had the means to turn that information into money. Ransomware is a business model from which almost any criminal hacker can profit.
Like phishing in the early years, ransomware is a two-step crime: you send out the malware and then wait to collect the money through bitcoin. That is why it is now the No. 1 IT security threat facing organizations of every size.
Money isn’t just a motive; money is the enabler. Cybercriminals whose crimes make money can invest in new attacks, invest in defeating countermeasures and invest in developing new targets.
Until recently, attacks on critical infrastructure and the Internet of Things have also been rarely realized theoretical concerns. There are many hackers who would think that bringing down a power station with a cyberattack is cool, but making that happen would require a group effort to build the necessary hacker tool chain.
Ransomware delivers both the motive and the resources to make that happen. And once that ransomware-funded tool chain exists, it will be launched for many other purposes, ranging from idle curiosity to political vengeance.
Over the past 30 years, the world has become increasingly dependent on computer systems and computer communications infrastructure. In addition to a number of negative effects in the public sphere, attacks on healthcare organizations can have devastating results on patient care and on the efficiency of the professionals who work at them.
We live in a technology trap that, until recently, nobody has had both the means and the incentive to trigger. Ransomware is the game changer.
Current backup strategies were, for the most part, designed in the 1970s to deal with the problem of hardware failures and natural disasters. Enterprise backup systems make recovery from a ransomware attack possible, but they don’t make recovery quick or easy and, until recently, they didn’t need to. What was the chance that you would need to re-image every one of a thousand machines in your network from off-site backup?
Some of the recent ransomware attacks have targeted the backup strategies themselves. One particularly nasty example lurks silently in the background, providing transparent access to the locked files for 30 days or more—just enough time to let those backups be overwritten.
Compounding the problem is the fact that disk storage has run far ahead of archive technology. A 6TB hard drive costs a couple of hundred dollars. The only readily available, cost-effective archive medium for such a device is another 6TB hard drive. Of course, you can pay $5,000 for a ‘6TB’ linear tape system that is really only 2.5TB because the rated capacity assumes the data can be compressed, but you still have to get the data from the desktop to the archive. And even the very best enterprise backup system can only help recover the computers that are actually connected to it —a major challenge in the new world of Internet of Things.
As every backup storage vendor will attest, backup must always be the last line of defense. The first line must always be making sure that computers don’t get infected in the first place.
All three prongs of anti-malware defense are now essential: Scan inbound email to eliminate executable payloads and links to malware sites; block access to the malware sites themselves; and run default-deny antivirus on every computer. That just leaves one small problem: How does the modern enterprise even know how many computers it has?
One of the main reasons hospitals have become ground zero for the ransomware attacks is that almost every modern medical device is now a computer. They are computers with highly specialized peripherals, and many run the consumer operating systems that hackers already know how to subvert. It is not uncommon to find a multi-million dollar device such as an MRI machine running Windows XP Embedded, an operating system version that was last updated when it was retired in 2011.
Would doctors consider it acceptable to use a medicine five years after the manufacturer’s expiration date? They do that with equipment every day. Until recently, that hasn’t been a problem because even though vulnerabilities existed, there hasn’t been much of an incentive to create exploits targeting hospitals. Ransomware has changed that.
So how do the authorities bring the ransomware epidemic under control before it becomes a pandemic? The lesson we learned from the phishing epidemic was that the surest way to deter profit-motivated Internet crime was to cut off the money supply.
Arresting mules and money movers didn’t put the people behind the phishing scams behind bars, but it did reduce their earnings. The wholesale price of stolen card numbers collapsed as a series of new countermeasures made using them the hard part of the crime.
The infrastructure that makes ransomware possible is bitcoin and its imitators, and the epidemic will continue to grow until they are shut down. The idea of shutting down bitcoin is controversial in the technology community, of course, but not in law enforcement. Those of us that have followed the Internet payments field since its start know that bitcoin is not the first, but merely the latest in a long list of similar schemes. E-Gold, Gold Age, Liberty Reserve and dozens more all promised to be secure against the threat of government regulation, until the day the FBI came calling.
Right now, ransomware isn’t quite enough of a problem for the regulators to make a move. If the problem gets worse at the same rate phishing did, they will have little choice.