In early September, panic-stricken staff at Dusseldorf University Hospital were dealing with a sudden crisis that left them hopelessly overrun. Ambulances loaded with emergency patients were re-routed to other emergency centres, and waiting rooms became chaos zones.
But this was no coronavirus outbreak. A ransomware attack had crippled the hospital’s IT systems, leaving it paralysed. The attackers would only unlock the hospital’s networks upon payment of a ransom. German authorities were eventually sent a decryption key, but not before tragedy struck.
One ambulance arrived at the hospital with a female patient in critical condition. It was re-routed, and the patient died before she reached care. German prosecutors have opened a negligent homicide investigation, in what is thought to be the first death directly attributed to a ransomware attack.
Then came another attack. In late September, staff at Universal Health Services (UHS) – a network of some 400 hospitals and healthcare facilities across the US and UK – found they could not log in to their systems. What began as an annoyance quickly became alarm. Computers had been infected with Ryuk ransomware, cutting off access to lab reports, electrocardiograms and radiology studies. One staff member wrote on Reddit, “When you tried to power back on the computers they automatically just shut down again.”
In critical care, delays are fatal – and amid a pandemic, we are facing more of them than ever. According to IBM’s “Cost of a Data Breach Report 2020”, the healthcare sector has suffered the most expensive breaches of any industry for the tenth year running. Across all sectors, 52 percent of breaches in the past year were caused by malicious attacks, and around 13 percent of those are attributed to nation-state actors.
In 2017, the UK’s NHS was hit by the WannaCry outbreak, which infected some 200,000 computers around the world. Staff were left to use pen and paper, and their personal phones to send texts. NHS Digital told VICE News that its operations centre currently blocks on average over 21 million items of malicious activity every month, and that as a direct response to the COVID-19 outbreak it “has instigated a further programme of cyber security work”.
Elsewhere, security researchers have shown that insulin pumps and wireless cardiac devices can be hacked. The potential for fatalities is high, says Christopher Hadnagy, an ethical hacker who has worked with the FBI on everything from malicious hacking to child trafficking.
“Anything that runs on a computer can be shut down or caused to overheat,” he says. “You can access insulin pumps through Bluetooth from over a mile away. Bluetooth is inherently insecure, and there are heart devices that communicate through wireless technology which are proven to be vulnerable. What about if, in the future, we’re talking about hacking a defibrillating machine? A life support?”
Hospitals are ripe for ransom attacks because they have no choice but to pay
Traditionally, ransomware attackers use their tools almost like a landmine, says Tom Lysemose Hansen, founder of Promon, an app security firm that does research in the public interest, including showing Tesla in 2016 how its cars could be located and unlocked by compromising the company’s smartphone app.
“They leave ransomware buried in an unsuspecting place – an email, a web page – in the hope a victim will trigger it,” he explains. “They steal data to sell it, or lock it so you can’t use it. It’s pot luck who they get – it could lead to a $100 [£77] ransom from an ordinary citizen, or millions if it impacts a big organisation.”
However, the UHS and the fatal German attacks were not random. Israel Barak, a cyber warfare expert at Cybereason, spent nine years in the Israel Defence Forces specialising in cyber defence systems. He says modern ransomware attacks on hospitals are not about stealing data but about paralysing the victim for maximum leverage; the attackers often sit unnoticed in the network for weeks at a time so they can maximise their stranglehold before they strike.
“When they strike, they demand six- or seven-figure sums in exchange not for how much data they have stolen, but for the victim’s ability to regain operational capability,” he says. “Even when companies have back-ups, it can take many days or weeks to restore. A hospital cannot spend this time restoring a back-up, and they know this.”
Jon Garside was the notification officer for ObamaCare in California from 2014 to 2015, a responsibility that covered 60 million personal records. He is now a director at Securonix, a security analytics firm that helps protect some of the UK’s biggest government departments from attackers. It is easier to compromise a member of staff than an actual system, he says, and that makes hospitals a perfect target.
“In hospitals right now, you’ve got a Venn diagram of unhappiness – fatigued workers, huge workload and a mixed bag of technology. That’s why it’s so appealing to hackers – you can fire one bullet and hit a lot of targets. You only need one to land, one employee opening that dodgy email.”
Today, the stakes are even higher. “If ransomware was to be successful within the World Health Organisation, or large pharmaceutical companies and testing laboratories where a vaccine was being developed, the damage is enormous,” says Garside.
Unfortunately, hospitals have become easy prey – the slowest-moving buffalo in the herd of ransomware targets. “Local and state governments’ cyber insurance is often five times higher than a comparably sized enterprise, as they are trying to offset the risk by loading up the insurance,” says Israel Barak. “However, instead of protecting, that makes them a prime target for a ransomware actor.”
This has created a perfect storm for attacks, says Barak: “Instead of reducing risk, we are increasing it. We are showing ransomware attackers that state institutions are well insured and they will pay, as with Hollywood Presbyterian Hospital [which paid $17,000 (£13,200) in Bitcoin to ransomware hackers in 2016]. Even when they’ve been attacked, they purchase more insurance to pay out even larger amounts, so then the attackers are even more likely to come back.”
Hard to stop, even harder to prosecute
In 2018, the FBI identified the perpetrators of the SamSam ransomware campaign, which hit more than 200 victims, including hospitals and universities, extorted over $6 million (£4.6 million) in ransom payments and caused more than $30 million (£23 million) in losses to the institutions.
The US Department of Justice indicted two Iranians, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, accusing them of running the 34-month campaign. However, both remain in Iran, which does not extradite to the US, so a trial is unlikely.
Each ransomware operation also involves different actors hidden across the dark web. Some build botnets; others sell access to networks they have already breached, or the details of earlier breaches; some sell or rent the ransomware tooling itself; then there are the secondary parties who launder the money and turn it into assets.
Christopher Hadnagy often chases malicious hackers across continents, IP addresses and the dark web. He finds prosecutions are usually strangled by differences between jurisdictions.
“We exposed a vishing [phishing by voice phone call] group based in the country of Georgia,” he says. “They were running a fake call centre, ringing addresses with fake demands for back taxes. We located the call centre, but the country isn’t going to hand over the names of these people to America. A lot of these ransomware groups will have links to Russia, China, Georgia, Iran, North Korea. None of these places will extradite.”
As with conventional warfare, many of the weapons built by governments end up in the hands of the bad guys. Some of the tools in use by criminals today were stolen directly from the NSA – the exploits behind WannaCry among them – and other tools hackers use to wage war were originally created to keep them out. Metasploit, for example, is an open-source penetration-testing framework that has become the go-to tool both for checking whether your own systems are vulnerable to a known attack and for launching one.
“It’s like an AK-47. You load in all the attacks you want, and it will fire them at your systems all at once,” says Garside. “That’s immensely useful if you want to test your own systems for vulnerabilities, but it’s also useful if you want to mass attack a system.”
We are entering an era of online warfare, in which nations run phishing expeditions against each other’s institutions and systems, while criminals freeze assets to extort ransoms without fear of arrest. The victims, however – as was the case in Germany – will often be the ordinary people who need help the most.