Ransomware Death Paints an Ugly Future for Cyber Crossfire Liability
 

The first known death from a cyberattack has been widely reported after a hospital in Düsseldorf was forced to turn away emergency patients after being struck by DoppelPaymer ransomware. German authorities have opened a ‘negligent homicide’ investigation as a woman in a life-threatening condition was sent to a hospital 20 miles away and died from treatment delays.

Germany’s Federal Office for Information explained that the incident saw malicious actors successfully exploiting Citrix VPN vulnerability CVE-2019-19781, for which a patch was released in January 2020.

The DoppelPaymer ransomware was identified in a follow-up announcement by the Ministry of North Rhine-Westphalia, stating the ransomware's loader had been hidden on the hospital's network since December 2019. This is the same ransomware strain that took the UK’s Newcastle University systems offline in August.

Rather than add yet more verbiage on the novelty of such a tragedy, the grim reality is that this has very likely been happening around the world – directly and indirectly for some time. It’s just difficult in any one complex system to draw a direct line of causality.

Ransomware’s rise

Predicted for years, WannaCry was supposed to be the wakeup call we all needed. I remember speaking to one of our NHS customers about the ongoing efforts they were making back in 2018 in its wake. But while considerable progress has been made in the UK to update NHS IT systems since, has much of the world still sleepwalked into another physical danger they could have been more prepared for?

It seems they have. Policing, healthcare and other elements of critical national infrastructure have consistently faced serious disruption from the ransomware threat. For example, multiple cities in the U.S. have fallen victim to attacks over the past couple of years and incurred huge data and money losses in ransom demands.

Through the end of 2019, Recorded Future had catalogued 134 publicly reported ransomware attacks against healthcare providers, 38 of which occurred in 2019. Comparatively, by May 2020, they had seen 26 ransomware incidents for the year alone. Mimecast’s own State of Email Security research found that 55% of German and 47% of U.S. organizations had suffered some kind of ransomware incident in the last 12 months, with an average of three days of downtime for each.

It’s clear that healthcare organizations around the world face particular challenges of coordinating care between multiple parties while protecting the personal health information of patients – complicated by huge scale, budget restraint and politics. This also translates into the resulting record-breaking cost of security breaches. The 2020 Cost of a Data Breach Report (Ponemon/IBM) showed that healthcare companies continued to incur the highest average breach costs at $7.13 million — an increase of more than 10% compared to the 2019 study.

Cybercriminals consider healthcare data records to be prized assets. They can use stolen data to create fake IDs to buy medical equipment or drugs that they can resell as well as submitting fraudulent claims. This type of identity theft is rarely immediately apparent compared to credit card fraud. Despite this, ransomware still offers up a faster payday option for attackers. Encrypting valuable data or threatening to publish potentially embarrassing personal information, presents a strong incentive to pay the ransom quickly.

Insurance is not resilience

Despite FBI advisories warning organizations of the serious risks to consider before paying ransoms, cyber insurers have advised victims otherwise, calculating that the payments are still cheaper than the cost to clean up and recover data. The Ponemon/IBM report also revealed that 10% of breached organizations used cyber insurance claims to cover the cost of ransomware or extortion.

Individual organizations often make a perceived pragmatic decision to pay to protect shareholders, employees, and customers – further supporting the market for this criminal business model. The unluckiest get stung twice when they pay the ransom only to never receive the decryption key or blackmailed again with stolen data.

Compassionate crime

In an unusual twist, this recent attacker in Germany turned over the encryption key to unlock the data after the police informed them that the hospital had been impacted, rather the presumed target of the university.

This turn of conscience is unfortunately rare, and in this case, was still too late to save a life. The everyday threat from indiscriminate cybercrime will continue to target everyone – or worse, no-one in particular. Comparisons can be made with landmines in conventional warfare. While the UN calls for a digital ceasefire during the pandemic, cyber weapons forged by nation-states still end up further arming high-tech criminals. WannaCry famously used the EternalBlue alleged-NSA exploit leaked by the mysterious Shadow Brokers.

Although law enforcement is already focused on ransomware operators, a growth in attacks that kill will only amplify criminals' risk of indictments and arrests. Outside of feelings of personal guilt when a virtual crime suddenly feels all too real, it’s in the cybercriminals’ interests to keep the ransomware industry bubbling along without increased government intervention.

Cyber resilience response

Liability is likely to help accelerate change as organizations take a broader range of cybersecurity risks, including lack of access to critical systems and data, to their worst-case scenarios. Governments also may enact further regulation specifically to ensure security, backup and continuity protections are sufficiently in place.

Traditionally regulation has focused on security rather than the broader cyber resilience imperative. Organizations more than ever need to realize that cybersecurity and cyber resilience are not the same thing. Security focuses purely on protection, while resilience is about assuring the ability to recover swiftly and continue with business as usual. Cyber resilience includes measures of prevention and also seeks to avoid data loss and downtime – the perfect antidote for the ransomware plague.