Imagine coming to work in the morning and opening your computer. Shortly after logging in, the screen freezes and a message appears –
Your files have been encrypted. We have locked them away and if you want them back you must pay a ransom of $2 million within 72 hours – if you pay we’ll give you the encryption key to unlock your files.
As you collect your thoughts, inform others on your team, and begin an investigation, another message comes in –
To prove to you that we are serious, we have posted some of your data, including sensitive protected health information on our website and it is now for sale to anyone who wishes to purchase it, so you need to act quickly. We will continue to publish more of your files until you pay.
Ransomware is bad enough – criminals lock up your data and demand payment before they’ll unlock it and give it back to you. But cyber criminals have upped their game by doubling the extortion. Instead of just locking up the data and asking for payment to give it back, they publish a portion of it to prove they have it and to increase the pressure on you to pay.
This happened to Beacon Health Solutions, a business associate that provides business process outsourcing, integrated health benefits, and claims administration solutions. The cyber thieves posted more than 600GB of data they claim to have stolen from Beacon Health Solutions. Double extortion ransomware also recently happened to two covered entities, Wilmington Surgical Associates and Riverside Community Care.
In all three examples the cyber thieves appear to have exfiltrated a wide range of sensitive information, including personal details, financial documents, Social Security numbers, bank documents, phone records, photos, medical records, and employee files.
Double extortion ransomware is growing because the high-pressure tactic works. It became more prevalent in 2019, has only grown this year, and there have been dozens of similar attacks in recent weeks. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have warned that these attacks are becoming increasingly popular with nation-state cyber thieves.
One week ago, the FBI warned that ransomware attacks on hospitals and healthcare providers were an imminent threat.
Paying a Ransom is Not a Guarantee
The FBI and CISA warn that paying a ransom to a criminal is no guarantee that your data will not be sold. You may get it back, or you may not, and even if you do, a copy may still be sold to the highest bidder. The further problem with paying a ransom is that it encourages criminals to repeat the crime and strike others, or to come back and hit you again, knowing that you will pay.
Risk Management Can Prevent Ransomware
HIPAA Risk Management is a blueprint for defending against cybercrime.
The key points made by the FBI are all covered in The HIPAA E-Tool®.
- Keep operating systems, software, and applications current and up to date.
- Make sure anti-virus and anti-malware solutions are set to automatically update and run regular scans.
- Back up data regularly and double-check that those backups were completed.
- Secure your backups. Make sure they are not connected to the computers and networks they are backing up.
- Create a continuity plan in case your business or organization is the victim of a ransomware attack.
Call us if you want to up your game to fight back against cybercrime.