Ransomware is big business and highly profitable. Don’t fall prey to the criminal thieves’ tricks to extract more money.
Criminal cyber thieves hold the upper hand when they steal and encrypt valuable protected health information (PHI) files. A healthcare organization unable to access its own records is usually desperate to unlock the encryption to continue operations; they also want to keep PHI private and secure. So ransomware thieves have gotten creative and offer an array of options for organizations eager to fix the problems. It’s Marketing 101, with a bundle of offers for increasing protection.
- Pay a basic ransom for a decryptor, and you’ll be able to unlock the encrypted data.
- Pay more, and your name gets deleted from the list of victims on a ransomware group’s data-leak site.
- Pay even more and the attacker promises to delete whatever data they’ve stolen or already leaked.
The problem is, none of these options are what they seem.
Federal Cybersecurity Experts Warn Against Paying Ransom
Cybersecurity experts warn that the criminal hacker has no intention of keeping promises.
The Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the U.S. Department of Health and Human Services (HHS) all warn against paying even the basic first ransom request to thieves because it encourages them to attack again.
From a joint cybersecurity advisory:
“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI, CISA, and HHS understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
Note that the advisory acknowledges that businesses will need to “evaluate all options”. Whether a ransom is paid or not, the advisory asks that all ransomware incidents be reported to the FBI.
Escalating Demands Contain Empty Promises
The first payment demand is usually for the decryption key, which is supposed to unlock the data, giving access back to the healthcare organization. Additional demands for “added protections” contain no real protection. An offer to delete data (which may already have been exfiltrated to a Dark Web site) is probably meaningless, because the data may already have been copied or transmitted elsewhere. An offer to delete the targeted organization’s name from the ransomware group’s website is impossible to verify and doesn’t mitigate the damage already done.
Blackbaud, a HIPAA business associate that provides cloud-based marketing, fundraising and customer relationship management software for charities, universities, and healthcare organizations, paid its ransomware attackers for data deletion after a ransomware attack in 2020. About three months after the attack, Blackbaud reported:
“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”
A class action lawsuit was filed against Blackbaud in August 2020, and the complaint criticizes Blackbaud both for paying the ransomware group and for using that payment to defend itself.
Use the HIPAA Security Rule to Prevent Ransomware Attacks
A better tactic is to prepare in advance by backing up data every day, offsite, unconnected to your network. Then if the data is encrypted and exfiltrated, at least your operations can continue and you won’t need to pay to get it back.
You still face the threat of PHI exposure: its sale to, and use by, the attacker or anyone who purchases it from them.
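The offline backup advice above only works if the backup is known to be intact before anyone relies on it. The following is an added example, not code from the original post or from any organization it names: it records a SHA-256 manifest of a backup tree and, on verification, reports files that are missing, altered or unexpected, which is how a backup that was encrypted in place or had a ransom note dropped into it would surface before a restore. The directory layout, file names and contents are constructed for illustration, and the manifest is meant to live on the disconnected copy alongside the data.

```python
"""Backup integrity manifest and restore check (added example, not from the post).

Assumes the backup is a plain directory tree. Each file's SHA-256 digest is
recorded in a manifest; verification recomputes the digests and reports
any drift. Sample files and paths below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file's path (relative to root, POSIX form) to its digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical manifest; keep this off-network so the manifest
    itself can be checked for tampering before it is trusted."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_backup(manifest: dict, root: Path) -> dict:
    """Compare a backup (or restored) tree against the recorded manifest.

    Returns lists of paths that are missing, modified (digest mismatch, e.g.
    overwritten with ciphertext) or unexpected (e.g. a dropped ransom note).
    """
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Build a constructed backup, verify it, then simulate damage and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "records").mkdir(parents=True)
        # Constructed sample records; no real PHI.
        (root / "records" / "patient_001.txt").write_text("constructed sample record\n")
        (root / "records" / "patient_002.txt").write_text("another constructed sample record\n")

        manifest = build_manifest(root)
        clean = verify_backup(manifest, root)

        # Simulated damage: one record overwritten with random bytes (as an
        # in-place encryption would leave it), one deleted, one note added.
        (root / "records" / "patient_001.txt").write_bytes(os.urandom(64))
        (root / "records" / "patient_002.txt").unlink()
        (root / "README_RESTORE.txt").write_text("constructed placeholder note\n")
        tampered = verify_backup(manifest, root)

        return {"clean": clean, "tampered": tampered, "manifest_digest": manifest_digest(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest (and its digest) would be written when the daily backup is taken and checked again on the isolated copy before any restore, so an encrypted or incomplete backup is caught while a clean one is still available.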
Conduct a HIPAA Risk Analysis, use a Security Rule Checklist, and train staff to recognize and resist phishing. Prevention through Risk Management, following the Security Rule’s requirements, is much less expensive and a longer-lasting defense against ransomware nightmares and exorbitant demands.