Your Ransom Payment Punched the Next Victim


Written by Dom Kirby

Former MSP Owner, CyberSec Practitioner, Modern Work Pro, Evangelist, Husband & Father

June 17, 2024

I recently came across an article stating that ransomware attacks targeting healthcare organizations surged following the Change Healthcare incident. For a quick recap, the Change Healthcare attack crippled the filling of prescriptions and other healthcare operations across the country, causing devastating damages both financially ($1B a day in losses for providers) and to the individual health of thousands of patients who found themselves unable to refill essential medications.
In the end, Change Healthcare (a division within United Healthcare’s Optum group) paid out $22 Million (USD) to AlphV.
"On March 1, a Bitcoin address connected to AlphV received 350 bitcoins in a single transaction, or close to $22 million based on exchange rates at the time." - Andy Greenberg (Wired)
A payout of that size represents a huge reward for threat-actors and, as can be expected, has seemingly caused an uptick in attacks on healthcare organizations. The article notes that, in April, Recorded Future tracked 44 incidents of healthcare ransomware involving data theft and detonation of an encrypting payload. That’s compared to 30 incidents in March, representing the second biggest month-over-month jump they’ve ever tracked.
Allan Liska, a threat intelligence analyst at Recorded Future, notes that while he can’t be certain of the reason behind the spike, it’s unlikely to be a coincidence (and I’m inclined to agree).

Moral of the Story: STOP Paying Ransoms!

To get to the point here, we need to stop paying ransoms out to threat-actors. Human nature encourages us to chase rewards, and large sums of money greatly exaggerate this nature. Threat-actors in this space are primarily or exclusively financially motivated. When they see a group rake in a $22 million payout, it’s going to turn their attention.
The truth of the matter is, if these attacks stopped being financially beneficial to threat-actors, the attacks would stop. If there’s no reward, there’s no point in taking the risk in the first place. Ergo, we need to stop paying ransoms.

The Legal Approach

I’m not a lawyer or lawmaker. However, I would fully support a law that completely forbids the payout of ransoms to ransomware threat-actors. A law with teeth that can expose those who do send ransomware payments to civil and criminal penalties.
Why? Not because I want to re-victimize victims, but because we need to choke off the flow of money to threat-actors. Passing a law would create a period of immense pain. But, assuming we’re able to enforce that law, it would eventually choke out the ransomware industry in our economy. It would make the reward for these threat-actors all but non-existent.
There isn’t a technology solution to ransomware. There just isn’t. There isn’t a tool or technique that will prevent or interrupt 100% of attacks, and it’s wholly unreasonable to assume we’ll ever get there. But if we can choke out the financial benefit, we can really make a dent in the ransomware economy.

In Conclusion

To wrap this up, even without evidence, it’s pretty obvious that a massively successful attack on a given industry will motivate follow-on attacks towards that industry. The financial motivation is just too powerful for it not to, and these threat-actors are concerned with money, not feelings or your health.
If you pay a ransom, you are further motivating the threat-actors to punch the next person in the face too, and perpetuating a pattern that is absolutely decimating not only businesses, but even our own healthcare, critical infrastructure, and so on.
