October 2, 2020 | Insight

Ransomware Rising: Steps for The Public and Private Sector to Address the Growing Threat

Last weekend, a major U.S. healthcare provider, Universal Health Services, was the victim of what may have been the largest ransomware attack in the history of the United States. The attack caused the company to shut down the U.S. portion of its enterprise information technology network, which connects over 250 hospitals, behavioral health facilities, and ambulatory care centers across the country, causing the diversion of ambulances and the postponement of surgeries. This attack comes just weeks after a patient died in Germany after a ransomware attack forced her to be moved from one hospital to another.

Ransomware is a form of malware designed to encrypt files on a victim’s computer network, rendering them inaccessible or unrecoverable until the victim pays the attacker for an encryption key. The annual cost of ransomware attacks is hard to estimate, but a recent report put it at $7.5 billion in the United States alone, and the FBI’s Internet Crime Report found there were 2,047 ransomware attacks in 2019. These figures affirmed earlier estimates by security researchers reporting triple-digit growth in the use of ransomware to extort payments from the targets’ owners. Over the past couple of years, hackers have used ransomware against the computer networks of municipal services in Atlanta, Baltimore, and other smaller cities around the country, with victims frequently unable to recover all of their files regardless of whether they paid the ransom.

In some instances, paying a ransom creates further legal trouble. The Department of the Treasury’s Office of Foreign Assets Control released an advisory notice this week warning of civil penalties for companies that facilitate ransomware payments on behalf of victims, since the payments risk violating U.S. sanctions on malicious cyber actors abroad.

Despite some high-profile ransomware attacks in years past, cybercriminals tended to focus on victims who had assets that hackers could expropriate via cybertheft, such as financial institutions and their customers, especially the elderly. Ransomware, however, “represents a major shift in the threat landscape,” Microsoft observed in its annual report. Cyberattacks are now “a very real and omnipresent danger for everyone.” Ransomware attacks exploit another vulnerability: the value of data or access to data. This type of attack can deny owners access to data they need to operate their company or service, or attackers can threaten to release data that contains protected information, such as that protected by the Health Insurance Portability and Accountability Act of 1996. This federal law instituted national standards to protect sensitive information from being disclosed without the patient’s consent or knowledge.

Ransomware has thus expanded the scope and scale of companies and municipalities that are vulnerable to cyberattacks, as most have data they need to use or are required to protect. This “monetization” of data requires a great deal more investment in effective, consistently updated cybersecurity tools and processes.

A March 2020 report by the U.S. Cyberspace Solarium Commission warned of the impending rise of cybercrime, in general, and ransomware attacks specifically, and noted the challenges these types of attacks pose to organizations with large caches of data, such as healthcare organizations, and to just-in-time or emergency services, such as hospitals. The attack on Universal Health Services, a Fortune 500 company and one of the nation’s largest healthcare networks, exemplifies the need to improve data security. The companies and municipalities that hold data that can be monetized need to assess their cybersecurity efforts and take some explicit steps.

First, ensure basic cyber hygiene is practiced by employees. Complex passwords that prevent brute-force cracking, multi-factor authentication, and effective training that prevents “phishing” attacks are all achievable and extremely effective tools.

Second, invest in appropriate security for the information technology products and systems purchased and for the managed service providers and cloud service providers utilized. Security costs money, so it is unlikely this step will involve the lowest bidder.

Third, acquire a cyber insurance policy covering disruptive cyber events such as ransomware attacks and review current data-backup and recovery plans for critical services. The two plans should work in concert to identify vulnerabilities, mitigate the exploitation of those vulnerabilities, and provide insurance payouts to cover downtime losses during breaches so that companies and municipalities can recover.

The government has some responsibilities as well.

First, improve the understanding of what tactics, techniques, and procedures uniquely threaten commercial or private sector systems. This requires prioritizing some national intelligence collection efforts to focus on specific systems and processes that are essential for the private sector, and the timely sharing of threat data with the private sector.

Second, improve collaboration between and among the federal agencies that protect our country and between the public and private sectors. Despite calls for more effective information sharing and collaboration that date back several decades, the United States is still in the nascent stages of this effort and is well behind some allies. The United Kingdom’s National Cyber Security Centre is a superb example of a joint collaborative environment that can serve as a model for Washington.

Third, establish standards for cybersecurity product labeling, the security of cloud and managed service provider products and services, and the cybersecurity insurance market.

Fourth, work to increase the capacity of federal law enforcement to investigate and track ransomware attacks and other cybercrimes that involve bitcoin and other cryptocurrencies. While federal law enforcement agencies such as the FBI and the U.S. Secret Service have some personnel capable of conducting investigations involving digital currencies, their efforts are being greatly outpaced by the increased use of cryptocurrencies and criminals' preference for them, and there is very limited expertise at the state and local levels. Investing resources to increase enforcement in the digital currencies space will allow the United States to pursue criminals in the digital age.

These seven steps are all key both to building more resilient networks that are less susceptible to ransomware attacks, and to establishing greater government capacity for cyber collaboration to prevent or mitigate attacks when they do occur. The use of ransomware is on the rise; cybercrime writ large is on the rise; and both will continue to grow until companies and municipalities take appropriate steps to secure their, and our, data from exposure and theft.

Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Trevor Logan is a cyber research analyst. Follow Mark and Trevor on Twitter @MarkCMontgomery and @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.
