As a result, staff have turned to paper charts, emergency rooms are diverting patients and elective procedures are being cancelled. Ascension has notified law enforcement, including the FBI, but the system's response to the attack continues.
The ransomware dance is complex. Negotiators stall, working around the clock to determine how the hackers got in, what information they have and whether the entire debacle can be remedied from the inside. Meanwhile, the cybercriminals are impatiently waiting for their cryptocurrency ransom, hurling threats of what can be done with the stolen data.
Crain’s interviewed Scott Wrobel, principal of N1 Discovery, about the details of cyberattacks and what happens behind the scenes during a ransomware attack.
How busy are you due to ransomware?
Our cybersecurity division has at least four to five ongoing cyber responses that we’re managing at any given time.
Why do healthcare companies get hit so much?
Easier payday. These are organizations that just have massive systems that have been around for a long time. They’ve been migrated and upgraded so many times, it becomes a business and financial challenge to keep everything secure. There is no way around it. It costs a lot of money to keep everything secure. It takes a lot of money for a company like Ascension to plug all the holes. I don’t know what vulnerabilities they had, but I do know their systems are complicated. Most healthcare companies have multiple systems that have been around and migrated, and legacy systems that aren’t upgraded. Their IT staff are overwhelmed because there is just so much to do. Constantly upgrading is a logistical nightmare. If something is out of date, then you become worried that patching with a new update will break something else.
How is ransomware discovered? And what happens next?
Typically, once the company is hit, the ransom will come with a note. Often their data is encrypted by the threat actors, and they can’t access it. The note identifies the threat actors and gives them a website on the dark web or an email to contact them. Sometimes it’s a Proton email account (an encrypted Swiss account that does not comply with government data requests). We make first contact, handling the negotiations and discussions with the threat actors while also assisting the company to get back online. We’re basically just asking them what they are looking for. They usually give a number of Bitcoins or an exact dollar amount. If the value is high, they’ll just give the number of Bitcoins they want. If it’s low, they’ll say they want $1 million in Bitcoins. While we’re negotiating, the company and my forensics team will try to understand how it happened, and we try to preserve as much as we can so we don’t destroy evidence. It’s all part of the process: preservation, investigation, negotiation and remediation.
What do they usually do when they infiltrate a system?
They are betting on two things — that they’ve shut down the systems so badly the company would have to pay the ransom and that they have data they will post on the dark web that is valuable enough for the company to pay.
Do the threat actors just make the ransom demand and hold tight?
After they give the amount they want, they put us on a timer. Like, they may say we have seven days to pay, or they will publish the company name on the dark web, telling others the company was hit and vulnerable. Sometimes just the reputational hit is enough to sway the conversation. Then the counter starts, and if the ransom isn’t paid, they will release the information on the dark web for purchase.
How do they determine how much the ransom is?
One of the tactics they use when they get into a system, besides the normal things you’ve heard, is to look for and search for insurance policies. They’ll always research the companies. They know whether you can pay or not. A five-person company? They are not going to say a $2 million ransom. A midsize or big company, a $500 million to $1 billion company? They are going to raise the amount, especially if they found the insurance policy and how much is covered. Once they find it, they’ll show you they have it to prevent you from saying you can’t afford it.