Ransomware Attacks – a Story of Sanctions, Risks, Damages, and How to Prevent an Attack

Ransomware is malicious software (malware) designed to block access to a computer network or to data, usually by encrypting it, in order to extort a ransom from the victim in exchange for a decryption key and restored network access. A ransomware attack can cripple an organization by halting operations, shutting down computer systems, and forcing networks offline. The Federal Bureau of Investigation (FBI) reported that ransomware attacks increased 37% from 2018 to 2019, while reported losses increased 147% over the same period. The antivirus firm Emsisoft reported that the average ransom demand rose from $5,000 in 2018 to $200,000 in 2020.

Sanctions

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory warning of the sanctions risks associated with paying ransoms to cyber actors. A ransom payment can violate the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA). Ransom demands have increased significantly during the COVID-19 pandemic, and every payment funds the criminals and advances their illicit activities; it may also finance actors whose activities threaten U.S. national security and foreign policy objectives. U.S. persons are prohibited from engaging in transactions with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) and with those covered by country or regional embargoes, such as Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria. Violations expose the payer to OFAC enforcement, including civil penalties that can exceed $1 million.

OFAC stated in the advisory that it would enforce sanctions against organizations that pay ransoms to cybercriminals on the SDN List or in an embargoed jurisdiction. Recent ransomware-related designations include:

• Evgeniy Mikhailovich Bogachev, developer of Cryptolocker, an early ransomware that infected more than 234,000 computers, about half of them in the U.S.
• Two Iranian nationals who facilitated the exchange of ransom payments from SamSam, the ransomware that crippled the City of Atlanta in 2018
• Lazarus Group, sponsored by the North Korean government and responsible for the WannaCry attacks that shut down computers worldwide
• Evil Corp, the Russian criminal gang that used Dridex malware to steal $70 million from U.S. and European banks

Sanctions are imposed on a “strict liability” basis: an organization can be penalized even if it did not know it was transacting with a party prohibited under OFAC laws and regulations. The exposure also extends to organizations that help a victim recover from an attack and facilitate the payment, including cyber insurers, financial institutions, and digital forensics and incident response firms. Penalties can be more severe if the attack is not reported to law enforcement in a timely manner; conversely, prompt reporting and cooperation with law enforcement’s investigation are significant mitigating factors in OFAC’s evaluation of an enforcement outcome. Other factors include the willfulness or recklessness of the violation, awareness of the conduct at issue, harm to sanctions program objectives, and remediation efforts.

Healthcare Ransomware Risks

Cyberattacks targeting healthcare organizations increased 150% in 2020, according to a report by C5 Alliance, and recent attacks have prompted a warning from U.S. law enforcement agencies. On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) issued a joint cybersecurity advisory stating that cybercriminals are targeting the healthcare and public health sector to infect systems for financial gain, and that the agencies had credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. Attacks on healthcare organizations are threat-to-life crimes because they can impair a provider’s ability to deliver patient care.

In October 2020, several hospital systems in Vermont and New York were hit by a strain of ransomware called Ryuk, which has been linked to a Russian cybercriminal group tracked as UNC1878 or Wizard Spider. Ryuk is delivered through the TrickBot botnet. Three other hospital chains, in Oregon, Michigan, and Wisconsin, were attacked by the same ransomware. Universal Health Services was also hit by Ryuk; the attack affected all 250 of its hospitals and clinics, crippling digital services and disrupting patient care.

Healthcare organizations are at increased risk of ransomware attacks for the following reasons:

• Large number of patient records – On average, more than 7,200 patient records are affected in a ransomware attack. These records are traded and sold on the dark web to criminals seeking to commit identity theft or to extort money or information from individuals.
• More likely to pay to recover data – The ransom demand is usually cheaper than recovering the data by other means. Healthcare organizations are often unprepared for an attack and are left with no option to recover data except paying, and the sensitive nature of patient data heightens the urgency. These factors favor the attacker and make it more likely that the organization will pay.
• Less sophisticated IT departments and controls – Small to midsize healthcare organizations often operate with less mature data security protections and lack the corrective action plans and resources needed to respond to an attack and recover successfully.
• Fewer resources to invest in cyber protection – Nonprofit and public healthcare organizations operate on lean budgets, which limits what can be invested in data security measures and controls. In a survey by Keeper Security, 90% of healthcare organizations reported dedicating less than 20% of their IT budget to cybersecurity.
• Complexity of networks and systems – Healthcare organizations interconnect a broad range of technology, including Internet of Medical Things (IoMT), operational technology, and Internet of Things (IoT) devices.
• Endless devices connected to networks – Healthcare networks include a wide array of endpoints, from computer systems, surgical equipment, and telemedicine platforms to medical sensors and infusion pumps. A healthcare organization contains an average of 20,000 devices.

Paying a ransom perpetuates the crime and emboldens criminals to continue. Unfortunately, paying is often the fastest and least expensive way to recover data if the organization did not have proper data security measures in place. Many organizations assume that paying will resolve the problem, but this rarely produces the desired outcome: reports from federal law enforcement agencies indicate that fewer than 30% of organizations that pay recover access to their data and network systems. Cybercriminals want money, not data, yet most will not decrypt the data, since doing so might lead investigators back to them.

Ransomware Attack Damages

Malware can enter a network in a variety of ways, but the most common method is phishing email containing embedded links or attachments. On average, employees receive more than 120 emails a day, and it takes only one opened attachment to compromise an entire network. Ransomware attacks cause damage in a variety of ways, including:

• Loss of reputation – Patients depend on providers to protect their sensitive health information and, via connected health devices, their lives. When that information is compromised, that trust is broken.
• Downtime that leads to lost revenue – Victims spend time and resources recovering from the attack instead of focusing on patient care.
• Threats to patients’ lives – If the data held hostage concerns sick or dying patients, the attack may threaten their lives.
• Loss of sensitive patient data – Health information on chronic illnesses and diseases, as well as personally identifiable information, may be lost if it was not backed up or is not recovered.
• Delayed patient care – Urgent care is sometimes delayed until paper records can be obtained in place of digital records, or until patient records are restored from backup or recovered from the cybercriminal.
• Ambulance reroutes – Compromised networks and applications may render an emergency department inoperable, requiring ambulance cases to be rerouted to other hospitals. The receiving hospital may be farther away or may lack the facilities for a patient’s specific needs, which can result in deaths.
• Cancelled appointments – If networks and systems are compromised, patient records cannot be accessed during scheduled appointments, so appointments are cancelled.
• Referral of patients to other facilities to receive timely care – Cancer patients or terminal illness
