Ransomware is a type of malware that hackers use to take possession of computer and phone systems. Once ransomware has been successfully deployed onto somebody’s system, the victim cannot regain control of it until a particular sum of cash has been paid.
When ransomware was first born, it was used to get a payout from what you might consider ‘smaller’ targets. The first mass-used version was CryptoLocker, and it used asymmetric encryption that required a public and private key pair to unlock the victim’s files. The sums of money involved were hardly ever enormous (usually around $300) and, often, the malware was employed by computer-savvy employees who had become disgruntled with an employer, manager or colleague for some reason, to the point of revenge.
Then the problem spread. Pletor was the first Trojan for Android and allowed hackers to lock people out of their smartphones. Pletor would often be used to target people who downloaded cracked software (such as phone jailbreaking software): noticing the huge number of pirates around, hackers decided to disguise ransomware as the desired software. Just like with CryptoLocker, a deadline would be set, and people would have little or no hope of regaining control of their private data until they had paid the money.
In fact, ransomware is so well designed that, if you are unlucky enough to end up with a version on your system, even the FBI advises people that (if they want to regain control of their machines) they should pay the ransom. That is because the type of encryption used in these nasty payloads is usually incredibly robust, and, sadly, cannot easily be penetrated with brute force.
Of course, because we live in a world with 7 billion people, it is pretty rare to be ‘hit’ by a ransomware attack, but do not let that fool you: we are all at risk to some degree. That is because these types of malware can be delivered via social hacking techniques such as phishing (via infected malicious websites or emails), and sadly those risks are getting more frightening and more frequent as time goes on.
Take last week for instance, when Hollywood Presbyterian Medical Center in Los Angeles decided to pay up the bloodcurdling equivalent of $17,000 (40 Bitcoins) in order to regain control of its computer systems. The system-snatch has got cybersecurity experts everywhere worried that the use of ransomware may indeed be escalating by insidious proportions.
Thankfully the hijack did not put patients directly at risk, and the medical centre’s procedures were able to continue unabated throughout. The president of the hospital, Allen Stefanek, has explained in a written statement that despite patient care being uninterrupted, the decision to pay the bloodcurdling sum was made ‘in the best interest of restoring normal operations.’ What is troubling cybersecurity professionals, however, is that this may set a precedent and inspire cyber criminals to take other hospitals’ computer systems captive.
Often (because of the embarrassment involved in such harassment), system-jacking occurrences go unpublicized. On this rare occasion, however, CHA Medical Center of South Korea (which owns the 434-bed Los Angeles medical institution) decided, for better or worse, to go public about the worrying (10-day-long) penetration, even disclosing the exorbitant sum involved in regaining control of its systems.
Lysa Myers from security firm ESET says that hospitals could be at serious risk of an increase in these types of attacks. That is because many hospitals are running outdated software that can easily be sequestered by an ever-growing hacker community, which now even includes teenagers in its ranks: teenagers savvy enough to hack into the head of the CIA’s email account.
Despite the scary life-and-death risks involved, the health sector has not managed to keep on top of security updates at the same rate as other businesses, with hospitals ‘about 10 to 15 years behind the banking industry,’ according to Myers.
California State Senator Robert Hertzberg last Thursday pushed through legislation to make ransomware identical in severity to the crime of blackmail or extortion, making its implementation punishable with four years in prison. Commenting on the L.A. hospital’s attack, Hertzberg said the following:
‘It’s no different than if they took all the patients and held them in one room at gunpoint.’
Although that comparison may seem a tad extreme, there is indeed a worry amongst security professionals that if a life-saving system (such as a dialysis machine) did become infected during an attack, hospitals would have to rush to pay the bounty or face the crushing reality of loss of life at the hands of hackers.
In accordance with a shared fear across the industry, Bob Shaker of cyber security firm Symantec Corp said that he knew of around 20 similar attacks that had happened within the health sector in the last year alone. Those had been kept off the public radar, both to avoid public relations fallout and in an attempt to not over-publicise the availability of such attacks to powerful and heartless cyber criminals. ‘Our number one fear is that this now pretty much opens the door for other people to pay,’ commented Shaker.
Unfortunately, this problem is simply not going away. IBM warned last August that the threat of ransomware had already matured out of attacking end users for smaller payouts, and advanced to focussing on extorting higher amounts from corporate targets. Sadly for the medical profession, with the danger of a loss of life on its hands, hackers may well see it as a target that has no choice but to pay out quickly, quietly and without any fuss.
‘Hospitals are certainly now aware of ransomware more than they ever were before, and this has become a very real threat,’ said spokeswoman Jennifer Bayer of the Hospital Association of South California.
Considering that ESET’s Lysa Myers feels US hospitals fall way short on cybersecurity, and with NHS hospitals in the UK as underfunded as they are, one cannot help but worry whether those hospitals may also become a target for greedy cyber criminals.