A friend of mine is an MD at a major hospital in the midwest. As I've understood it this is standard practice for them. Their computers freeze up, and the message - my friend has sent me screen shots - will say something like "Hi <hospital name>, the computer is encrypted, please contact the IT department", IT department pays the ransom and the computers kick back on.
From a financial POV, as long as the ransom costs per year is lower than the cost to replace their Cerner systems, it makes sense to simply see it as the cost of operations I guess?
> as long as the ransom costs per year is lower than the cost to replace their Cerner systems, it makes sense to simply see it as the cost of operations I guess?
Sort of. Unless the cost and frequency of ransomware incidents are absurdly low, it makes sense to borrow to upgrade. Putting aside the moral hazard of being a compliant mark, there is the risk that the next attack won't be as cheap.
Their vendor ought to figure out the hospital's mean annual ransom payment, and come up with financing for an upgraded system that comes out to that amount. Now the cost is locked in, while the variance is sharply reduced. (No risk ever goes to zero.)
Excellent comment, and indeed this seems like a much saner approach. I guess one complicating factor is the risk that an upgraded system remains vulnerable, which you'd need to account for in some manner.
That makes me wonder whether the usual malware came from phishing or vulnerabilities.
If it's phishing, typical staff clicking suspicious emails and opening URLs and attachments, there isn't a lot the hospital can do to stop it. A bit of blocking around external emails and shady attachments will help, but people will still fall for it quite often.
If it's remote vulnerabilities, probably some unpatched systems, it's risky because that could parallelize the whole hospital anytime, but as long as the vulnerability is patched by the ransomware it's still cheaper than doing the maintenance.
>If it's phishing, typical staff clicking every suspicious email uncarefully opening URLs and attachments, there isn't a lot the hospital can do.
Not give typical staff the user permissions required to encrypt all the databases and delete the backups? Too bad info sec is so full of snake oil salesmen, obvious practical solutions exist for these type of problems they just generally don't involve spending six figures on a product so nobody is interested in them.
The impact of staff clicking suspicious emails can be almost entirely eliminated by severely restricting user permissions. Only a special set of administrator accounts should be allowed to execute untrusted binaries. Regular users can only run trusted whitelisted applications.
Perhaps a dumb question... How does ransomware propagate from end-user PCs to the servers that host critical applications and data? Surely, they don't allow end-users to run email or access the web from "secure" servers?
I'm not sure how the terminals are organized in terms of how locked down they are, but it's specifically occurring on the terminals they use for accessing patient data; they all freeze up simultaneously. It stops the entire hospital from operating each time until IT pays the bill.
IIRC the modus operandi for at least a few of these large ransomware attacks was that the initial attackers who succeed in phishing or whatever would install a remote backdoor there and sell the access for something like $2-10k to professional teams who have the infrastructure and capacity to handle it "properly" - use that foothold to spread across all the workstations, gain user credentials to access servers and destroy backups, and then trigger ransomware everywhere at once perhaps a week after the initial infection, transforming it from a driveby nuisance to a targeted attack that's hard to recover from and that can justify a big payout. Some of the victims had reasonable backups, but they were intended for disaster recovery, not malicious action; so they were accessible from the compromised machines and thus could be disabled or destroyed.
An automated attack that manages to hit a random workstation can extract a ransom of a couple hundred dollars; but if they invest a couple day's hacker labor to move deeper, then there are many public cases of $50 000 - $500 000 ransoms paid, and multiple cases such as Baltimore city and Atlanta city which suffered losses in excess of $10m as a result of not paying the ransoms.
Unfortunately many of the applications in this space basically operate by placing the "database" on a file share that people have access to. This also involves heavy use of OpLocks, causing you to be required to neglect security advise to disable SMBv1. Even without without malware gaining RCE on the server, the end result is encrypted server data.
Redesigning your environment is hard and expensive so it's easy to see why hospitals and similar industries are so behind and vulnerable.
BUT, given that important data needs to be backed up anyway, most commodity backup software and commodity storage platforms are sufficient to restore encrypted data. Even Windows shadow copying feature (which lots of storage platforms will expose snapshots/revisions as) is pretty sufficient to prevent significant data loss.
So unless the ransom cost is cheaper than an IT tech reimaging/rebuilding the machine + compliance costs, it doesn't really make sense.
It's not really fair to bring Cerner into this. The security vulnerabilities that enable these malware attacks are unlikely to be in Cerner applications. Instead it's usually an OS or email problem.
Nah, most large organizations already have kidnap and ransom policies that pay off in event of extortion.
They often also have cyber insurance that covers data leaks, but even without cyber insurance the K&R policy often covers costs to recover from ransomware, either by paying the ransom or by replacing/restoring systems.
Ugh I hate when reports are published but lack basic information like malware family and indicators of compromise. The FBI FLASH reports are the worst offenders. I suspect in this case the hospital did not share maybe due to legal reasons?
Paying a ransom is like defecting in a prisoner's dilemma: it benefits you at the expense of hurting everyone else who will be stuck in the same situation. Making it illegal just forces everyone to cooperate and is something everyone would prefer.
Should be possible to prosecute under existing laws: you're providing support to a criminal enterprise, sounds illegal already.
When Randsomware was a new idea and seemed to be primarily targeting individuals, it made sense that paying your way out should ultimately be legal. Any law against it would be difficult to enforce, so bad actors would still be incentivized to launch attacks, and only law abiding citizens would be hurt.
But now they're attacking banks, and hospitals, and cities. I have trouble imagining large hospital systems would be able to discretely pay hundreds of thousands of dollars illegally without anyone noticing—and if they did, it would be easy to prosecute.
Ergo, outlawing these payments should very significantly reduce the number of ransomware attacks against these large targets. If no one can pay, there's no incentive to attack.
This story provides a good counterpoint. What if doing so saves lives at a hospital who needs to get back online ASAP? A "saves lives" loophole?
Not to mention every law should first be measured on whether it is at all practical to meaningfully enforce. I guarantee there has been 100x more companies who've paid the ransom and didn't release a press release like this one did.
If a whole bunch of people are going to do it anyway quietly and the law isn't going to stop them, we're just going to occasionally double up the fines on the random businesses that get caught. While these endless ransomware hackings continue.
I'd much rather we spent public resources on prevention.
Put another way, which would you rather do, indirectly kill people or break the law? This is the decision a hospital administrator would be faced with. I suspect that most people would see fit to disobey the law in this situation. It could easily be argued to be a legitimate case of civil disobedience.
I work in this space. Its probably not a matter of kill people, doctors in ER's don't really need a EHR to function and sometimes do without due to technical issues. The issue is that the hospital won't be able to bill without documentation.
If you're attacking a public institution like a hospital and demanding many thousands of dollars... it's pretty hard to hide a payment like that. So if you outlawed paying such ransoms, those types of ransoms would stop.
Individuals would still be attacked and asked to pay a few hundred dollars, but such instances rarely put lives at stake.
Set a threshold where payments above that amount are illegal. Even a threshold at say, 25k or above will reduce the incentive to attack individual systems, and payments of that size are difficult to hide if everyone knows they're illegal.
The idea behind not paying is that it makes ransomware unprofitable and people stop doing it. A loophole for saving lives would cause ransomware distributers to target their attacks in ways that endanger lives.
It wouldn't need to work that way. If a law was past mandating that in 5 years paying ransoms would be illegal then companies would be forced to either invest or be held liable after that grace period.
Of course there could be an exception process that involves contacting LE first, paying the ransom, being fined and audited, and having to disclose a report online and in front of the entrances of the when, why, and how this occurred. Paying the ransom w/o going through this process could (maybe?) be treated as conspiring with the attacker (& since the identities of the attackers are almost always 100% unknown, some could legitimately have inside contacts anyway).
What if the malware changes a medical record (maliciously or accidentally), and the discrepancy leads to a lost life? Seems strange to hang lives on the word of criminals, if lives are really at stake.
>Not to mention every law should first be measured on whether it is at all practical to meaningfully enforce. I guarantee there has been 100x more companies who've paid the ransom and didn't release a press release like this one did.
Let's say you're the in C-suite of a hospital that's held for $1M ransom, and you want to pay. How are you going to send the funds without someone in finance/accounting finding out? Maybe you try to convince them to keep quiet? Such a transaction will almost surely generate a suspicious activity report from the bank. Are you going to try structuring the transaction? How are you going to hide that $1M defect in your quarterly/annual reports? Are you just going to hope it doesn't get noticed by the IRS or the accountants auditing your report? The whole thing is going to unravel because of how many people you need to be "in" on the criminal conspiracy, and the amount of noise it generates. If you're caught, the amount of papertrail you left behind (from literally every step of paying the ransom) would make it very easy to prosecute.
You could try laundering your activities to a third party firm that does "ransomware recovery" (ie. they take your money and pay the ransom for you), but I'd imagine that if paying ransoms were illegal, the activities of those companies would be closely scrutinized.
I 100% disagree. Sometimes it is the only way to get things back running. I understand its the organization's fault for not having backups. It would destroy some businesses, hospitals, schools if they weren't able to pay the ransom.
> Sometimes it is the only way to get things back running. I understand its the organization's fault for not having backups. It would destroy some businesses, hospitals, schools if they weren't able to pay the ransom.
That doesn't change the game theory dynamics that I pointed out above.
This is assuming you can time travel. In reality, you have no idea what hospital your loved ones will end up at, nor whether they will (chances are they will not), nor what systems to protect in advance. On top of that, you would have to convince others that the investment is worth making.
They surely would. However we generally try to treat being too close to a topic emotionally as a reason to distance someone from it, not to value their opinion more.
Judges don't recuse themselves because someone they know wasn't involved in the case.
There's also no guarantee that paying gets you your data back. Either because the random holders don't care, or because a white hat killed off some part of the ransom holder's communication channel.
> Making it illegal just forces everyone to cooperate and is something everyone would prefer.
Doesn't making it illegal just change the cost structure? The penalty for illegally paying a ransom in your proposed system would be simply to pay a fine. It's effectively how a rich person might look at a parking ticket for a premium parking spot - it might be cheaper for them to simply pick the illegal spot than to have to drive 2 miles away and call an uber to get to their destination.
I'd make it a crime punishable by prison in proportion to the amount paid, or perhaps require a multiple of the amount paid as a fine. If you need to pay 10X the ransom as a fine, then the ransom criminals can extract goes down by a factor of 10.
I’d be ok with it only if the ceo and the board are the ones going to prison and there’s a minimum mandatory sentence of (at least) one year with no possibility of parole or commutation or anything like that.
To what avail? CEOs regularly make much worse decisions that create much more grave externalities (example - oil spills). There's much bigger fish to fry than for-profit hospital systems....
But doesn't eliminate hackers who do this type of stuff for the "lulz" (and if anything, makes it worse and potential a weapon for people who want to promote larger government). I understand the general premise of the proposal, but it's not a fool-proof check on game theory.
But the stories of hospitals and other entities paying non-trivial sums in ransom I would expect are mostly professional criminals, not hackers doing it for lulz.
For conversation's sake, what if the victim is a small/mid-size business where the entire business would be destroyed in the event their systems are not unlocked immediately? Do they choose between possible prison time or definite loss of everything?
Enforcing a fine relative to the ransom paid (and maybe relative to the "if we wouldn't have paid it" severity) is probably a good immediate start. This would at least galvanize businesses to improve existing security.
Small businesses would have been destroyed by all sorts of rules that have already been passed. Companies whose entire service was dumping asbestos in to lakes or companies who only managed to turn a profit by hiring child labour. Their owners had to choose between possible jail time or losing everything.
Every single thing done by a government, or really just any large player in the market place, is going to have small businesses that get flattened by it. That your entire company could be wiped out by changes in the marketplace, including laws, is one of the risks a person assumes when they decide to start a small business instead of working as an employee. They're earning their slice of the money pie in part by assuming that risk.
Sure, let use the DEA to enforce that law since they are already experts at persecuting victims.
How about instead the government proactively pentests and fines orgs for security violations,and uses the money to finance education, training, and security development?
Sure, that user can encrypt all the documents that they have access to and care about, so that can be the target of a ransom. Also, in many smallish organizations users have access to e.g. a common network share, so in the absence of proper backups, a single compromised user (e.g. the owner/manager's administrative assistant with access to all kinds of documents) may be able to seriously disrupt the whole organization.
I don't see how this would help when all of this ransomware is usually a javascript dropper that gets in through the browser, encrypts files, and then gets out after the damage is done.
The only thing that ever saved us in the half dozen or so times that we've been hit is a robust backup system.
Are you certain that was the attack vector, and if so which specific browser vulnerability was it? I'm not aware of any browser JavaScript sandbox escape vulnerabilities that would allow file write access since about 2015. While it's remotely possible there is a zero-day vulnerability being exploited out there it seems highly unlikely. If your organization has been hit multiple times by similar problems then the IT management must be terribly incompetent.
For starters, have reliable backups. If you can just go offline for a day or two, wipe your system, restore, and come back online, you have little reason to pay the ransom.
How arrogant to comment that these hospital systems should have been secured by now, given that WannaCry has hit hospitals in the past couple of years. Shows a lack of understanding of the economics of security. I agree with the point made by others about not negotiating with terrorists. Outlawing payments would not prevent the attacks, though, the prisoner's dilemma will remain. I am not an economist, but as long as the value of the assets being rescued is greater than the value of the money handed over, the trade will occur. At some point, yes, the ransom will be too great, but the parties will continue to seek the path of least resistance.
Yeah, we should just accept their mediocrity! After all, you can’t expect people to take all these difficult security measures like installing updates and using complex passwords.
I said nothing of the sort. Only that the manner in which the security expert commented on their practices came off high and mighty. Knowing how to secure a system is not enough, knowing how to get there matters.
The untold story in these things is the role of forced EMR regulations. I've worked in healthcare for some time, as does my spouse and my family.
These record systems used to all be developed in-house systems, fully self supporting, with little outside involvement. Then in the 2000s gov regulations started mandating adoption of EMRs.
Especially here this seems like a no-brainer but in actuality for many hospitals they were unnecessary and introduced with massive cost overruns as hospitals were forced to buy them from a limited pool of vendors that were approved by deadline rather than by intrinsic need.
How does this relate to the ransoms? Because if the EMRs were adopted organically, my guess is it would have happened more gradually, with more diversity of systems, more open source, more testing, and more emphasis on security, backup, and self-reliant reliability.
It's hard to overemphasize the change in records infrastructure in hospitals due to mandated EMRs, and a lot of it has been for the worse. EMRs would have been implemented eventually without the mandates, but at lower cost and greater security probably.
It's just another example of how overregulation in healthcare that sounds good but in practice ends up creating unnecessary costs and causing problems. It also once again doesn't get attention in healthcare price discussions, because it's structural, indirect, and removed from the immediate billing.
I blame these types of ransomware attacks in part on EMR mandates and those who encouraged them. Should bthe federal gov, which encouraged this mess, pay the costs, either of the ransoms, or the cost of not paying?
71 comments
[ 5.3 ms ] story [ 126 ms ] threadFrom a financial POV, as long as the ransom costs per year is lower than the cost to replace their Cerner systems, it makes sense to simply see it as the cost of operations I guess?
Sort of. Unless the cost and frequency of ransomware incidents are absurdly low, it makes sense to borrow to upgrade. Putting aside the moral hazard of being a compliant mark, there is the risk that the next attack won't be as cheap.
Their vendor ought to figure out the hospital's mean annual ransom payment, and come up with financing for an upgraded system that comes out to that amount. Now the cost is locked in, while the variance is sharply reduced. (No risk ever goes to zero.)
Bundle the financing with cybersecurity insurance.
If it's phishing, typical staff clicking suspicious emails and opening URLs and attachments, there isn't a lot the hospital can do to stop it. A bit of blocking around external emails and shady attachments will help, but people will still fall for it quite often.
If it's remote vulnerabilities, probably some unpatched systems, it's risky because that could parallelize the whole hospital anytime, but as long as the vulnerability is patched by the ransomware it's still cheaper than doing the maintenance.
Not give typical staff the user permissions required to encrypt all the databases and delete the backups? Too bad info sec is so full of snake oil salesmen, obvious practical solutions exist for these type of problems they just generally don't involve spending six figures on a product so nobody is interested in them.
An automated attack that manages to hit a random workstation can extract a ransom of a couple hundred dollars; but if they invest a couple day's hacker labor to move deeper, then there are many public cases of $50 000 - $500 000 ransoms paid, and multiple cases such as Baltimore city and Atlanta city which suffered losses in excess of $10m as a result of not paying the ransoms.
BUT, given that important data needs to be backed up anyway, most commodity backup software and commodity storage platforms are sufficient to restore encrypted data. Even Windows shadow copying feature (which lots of storage platforms will expose snapshots/revisions as) is pretty sufficient to prevent significant data loss.
So unless the ransom cost is cheaper than an IT tech reimaging/rebuilding the machine + compliance costs, it doesn't really make sense.
Just think when stealing patient and financial information becomes more profitable than what regular ransom ware demands net.
Even more, perhaps targeted assassination based on screwing up data? Demanding silence and cooperation for whatever the cyber-criminal do?
My wife is a resident. Nearly every EMR she's used, has been either Citrix or Remote Desktop based.
They often also have cyber insurance that covers data leaks, but even without cyber insurance the K&R policy often covers costs to recover from ransomware, either by paying the ransom or by replacing/restoring systems.
Paying a ransom is like defecting in a prisoner's dilemma: it benefits you at the expense of hurting everyone else who will be stuck in the same situation. Making it illegal just forces everyone to cooperate and is something everyone would prefer.
Should be possible to prosecute under existing laws: you're providing support to a criminal enterprise, sounds illegal already.
When Randsomware was a new idea and seemed to be primarily targeting individuals, it made sense that paying your way out should ultimately be legal. Any law against it would be difficult to enforce, so bad actors would still be incentivized to launch attacks, and only law abiding citizens would be hurt.
But now they're attacking banks, and hospitals, and cities. I have trouble imagining large hospital systems would be able to discretely pay hundreds of thousands of dollars illegally without anyone noticing—and if they did, it would be easy to prosecute.
Ergo, outlawing these payments should very significantly reduce the number of ransomware attacks against these large targets. If no one can pay, there's no incentive to attack.
Not to mention every law should first be measured on whether it is at all practical to meaningfully enforce. I guarantee there has been 100x more companies who've paid the ransom and didn't release a press release like this one did.
If a whole bunch of people are going to do it anyway quietly and the law isn't going to stop them, we're just going to occasionally double up the fines on the random businesses that get caught. While these endless ransomware hackings continue.
I'd much rather we spent public resources on prevention.
If no one paid the ransom, ransomware wouldn't exist. the more people who pay the ransom, the more incentive attackers have to create ransomware.
Even if we made it illegal, it doesn't mean people wouldn't pay them.
Even if we made it illegal, it doesn't mean people wouldn't pay them. It would just punish victims further.
I guess you didn't read the second half of my comment where I suggest that will likely be idealistic and unreleastic.
Enough companies will still pay quietly to keep it going. I'd be shocked if they didn't.
If you're attacking a public institution like a hospital and demanding many thousands of dollars... it's pretty hard to hide a payment like that. So if you outlawed paying such ransoms, those types of ransoms would stop.
Individuals would still be attacked and asked to pay a few hundred dollars, but such instances rarely put lives at stake.
Governor Rick Scott of Florida stole a Billion dollars from Medicaid before he got caught.
Of course there could be an exception process that involves contacting LE first, paying the ransom, being fined and audited, and having to disclose a report online and in front of the entrances of the when, why, and how this occurred. Paying the ransom w/o going through this process could (maybe?) be treated as conspiring with the attacker (& since the identities of the attackers are almost always 100% unknown, some could legitimately have inside contacts anyway).
Let's say you're the in C-suite of a hospital that's held for $1M ransom, and you want to pay. How are you going to send the funds without someone in finance/accounting finding out? Maybe you try to convince them to keep quiet? Such a transaction will almost surely generate a suspicious activity report from the bank. Are you going to try structuring the transaction? How are you going to hide that $1M defect in your quarterly/annual reports? Are you just going to hope it doesn't get noticed by the IRS or the accountants auditing your report? The whole thing is going to unravel because of how many people you need to be "in" on the criminal conspiracy, and the amount of noise it generates. If you're caught, the amount of papertrail you left behind (from literally every step of paying the ransom) would make it very easy to prosecute.
You could try laundering your activities to a third party firm that does "ransomware recovery" (ie. they take your money and pay the ransom for you), but I'd imagine that if paying ransoms were illegal, the activities of those companies would be closely scrutinized.
That doesn't change the game theory dynamics that I pointed out above.
Judges don't recuse themselves because someone they know wasn't involved in the case.
https://www.bleepingcomputer.com/news/security/ryuk-ransomwa...
Doesn't making it illegal just change the cost structure? The penalty for illegally paying a ransom in your proposed system would be simply to pay a fine. It's effectively how a rich person might look at a parking ticket for a premium parking spot - it might be cheaper for them to simply pick the illegal spot than to have to drive 2 miles away and call an uber to get to their destination.
No offense, but this proposal is essentially DOA.
As for size of fish, we don't go "why is theft illegal when there are murderers still roaming around?" We can have both be illegal.
But the stories of hospitals and other entities paying non-trivial sums in ransom I would expect are mostly professional criminals, not hackers doing it for lulz.
Enforcing a fine relative to the ransom paid (and maybe relative to the "if we wouldn't have paid it" severity) is probably a good immediate start. This would at least galvanize businesses to improve existing security.
Every single thing done by a government, or really just any large player in the market place, is going to have small businesses that get flattened by it. That your entire company could be wiped out by changes in the marketplace, including laws, is one of the risks a person assumes when they decide to start a small business instead of working as an employee. They're earning their slice of the money pie in part by assuming that risk.
How about instead the government proactively pentests and fines orgs for security violations,and uses the money to finance education, training, and security development?
If the user is using Windows 10 Professional and doesn't have admin access, can they still be a victim of a ransomware attack?
You don't (well, not with 100% certainty anyways), you mitigate the harm.
https://docs.microsoft.com/en-us/windows/security/threat-pro...
The only thing that ever saved us in the half dozen or so times that we've been hit is a robust backup system.
These record systems used to all be developed in-house systems, fully self supporting, with little outside involvement. Then in the 2000s gov regulations started mandating adoption of EMRs.
Especially here this seems like a no-brainer but in actuality for many hospitals they were unnecessary and introduced with massive cost overruns as hospitals were forced to buy them from a limited pool of vendors that were approved by deadline rather than by intrinsic need.
How does this relate to the ransoms? Because if the EMRs were adopted organically, my guess is it would have happened more gradually, with more diversity of systems, more open source, more testing, and more emphasis on security, backup, and self-reliant reliability.
It's hard to overemphasize the change in records infrastructure in hospitals due to mandated EMRs, and a lot of it has been for the worse. EMRs would have been implemented eventually without the mandates, but at lower cost and greater security probably.
It's just another example of how overregulation in healthcare that sounds good but in practice ends up creating unnecessary costs and causing problems. It also once again doesn't get attention in healthcare price discussions, because it's structural, indirect, and removed from the immediate billing.
I blame these types of ransomware attacks in part on EMR mandates and those who encouraged them. Should bthe federal gov, which encouraged this mess, pay the costs, either of the ransoms, or the cost of not paying?