The Origins of Cryptoviral Extortion and Ransomware: Part IX

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series of articles on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the ninth installment in the series.

Today, we take a brief look back in history to determine: What is the origin of the ransomware that has been attacking the healthcare sector of late?

It appears that the first software designed to attack a computing system and encrypt the data was demonstrated in 1996 at an Institute of Electrical and Electronics Engineers (IEEE) security and privacy conference. The creator of the software, Mordechai Moti Yung, was at Columbia University at the time, having invented the term “cryptovirology.” Although Young went on to a distinguished career at the IBM Thomas J. Watson Research Center, RSA Laboratories, and Google, the concept rapidly gained a foothold in criminal circles.

By 1992, ransomware was being used for collecting payments in human kidnapping cases. By 2006, a number of ransomware viruses were impacting the Internet. According to the Barkly Blog, the number of ransomware attacks is increasing rapidly: A new company is hit every 40 seconds; an individual is attacked every 10 seconds.

The Kaspersky Lab reported that around 35 percent of user computers receive at least one malware-class web attack each year. In 2016, the Lab itself repelled 758,044,650 attacks that were originating from 261,774,932 different URLs (website addresses).

These hackers are almost as good as our pharmaceutical companies in creating catchy names. Malware features titles such as GPcode, Archiveus, Krotten, Cryzip, and MayArchive.

The most recent large-scale attack was carried out by WannaCry, and like most other viruses, it targeted Microsoft Windows environments. The National Health Service in the United Kingdom was particularly hard hit in May.

Best Practices – A Security Update

In the world of ransomware, there is always a race between the attacker and the software vendor that creates a software patch to defeat the malware. Once a vendor is notified of vulnerability in its software, it typically works furiously to eliminate it. A skillfully constructed system has been put in place so that as soon as these weaknesses are found, software companies are notified that security patches are available. A new release of the software is compiled, and this then is pushed out to users. This gives healthcare providers an opportunity to secure their information systems.

But security researchers know that in many cases, users fail to keep their information systems updated. This perhaps is understandable, because there are so many malware attacks that almost daily updating is required. On average, upon receiving a security patch, it takes users approximately four business days to update their systems. This is not fast enough.

The IT professionals in every healthcare facility should update their systems within 3-4 hours after any new patch is released, no matter what time of day the release is made available. Every healthcare provider should have a zero-tolerance policy for this in place.

The threat is so severe that any management team hesitant to enforce such a policy could be considered negligent.

Leaks from U.S. Intelligence

Although everything done in the world of intelligence is supposed to be secret, sadly this is not the case in the United States. Public reporting by news organizations that publish leaked classified and sensitive information has revealed that the U.S. intelligence community over the years has developed a comprehensive set of cyber tools for spying. These tools often are used to break into the information systems of adversaries. They rely upon the exploitation of vulnerabilities in information systems. These tools are powerful, and they evidently work.

Since these cyber weapons are classified, it is a felony to reveal them. Once they are revealed, however, then the intelligence community loses a portal into organizations upon whom they are spying.

A recent leak of the hacking tools from the Central Intelligence Agency has been a gift to hackers worldwide. It is clear that leaked tools developed by U.S. intelligence have been used by criminals. The recent attack of “EternalBlue” is linked to this.

But at the same time U.S. intelligence is creating these cyber-hacking tools, other organizations such as the U.S. Department of Homeland Security and the Department of Health and Human Services Cybersecurity Task Force are working hard at developing a national strategy regarding cyberattacks.

It’s interesting – on the one hand, the U.S. government is spending billions of dollars developing hacking tools. At the same time, another part of the same government is organized to coordinate rapid patching of software, thus mitigating the risks of such hacking.

In previous segments of this series, we have reviewed how healthcare providers have a very challenging task in securely managing all of their information and data. If there is a breach that leads to the release of patient health data (or any other type of data, such as financial or insurance information), then the healthcare provider faces the difficult task of notification. Both state and federal agencies must be informed, but notices also must be sent out to each of the patients who have had their data compromised.

This is perhaps the great irony of today’s cyber security world: The government is creating many of the cyber tools that at the same time it is attempting to protect itself against; and healthcare providers can be subjected to fines and penalties if they fail to respond properly to an attack by cyber weapons that their own government has created.