You might not be aware, but ransomware no longer is operating as it always has. Sometimes it's not the usual automated sweeps of malware that can be more easily recognized and stopped.

Instead, there now are targeted, human-driven operations where cybercriminals function in a similar way to legitimate software-as-a-service companies. These groups are sophisticated, methodical and unpredictable. This kind of attack is called RansomOps.

To help healthcare chief information security officers (CISOs), chief information officers (CIOs) and other security leaders get a handle on these new types of attacks, Healthcare IT News interviewed RansomOps expert Chris Fisher, director of security engineering at cybersecurity firm Vectra APJ. 

Fisher describes what RansomOps is, the damage it can do, steps that can protect against it, and how to explain the danger to the rest of the C-suite and the board.

Q. Healthcare CIOs and CISOs all know what ransomware is. What is RansomOps and how does it work?

A. Ransomware has evolved from simple malware, which was targeted at individuals with small payments, to a very organized service model that's reminiscent of the modern-day software businesses.

RansomOps speaks to the move away from traditional malware, which is delivered in a much more predictable and automated manner, to what can be described as ransom-as-a-service. In this case, core operators, such as BlackMatter, Conti or REvil, provide the tools and the payment collections services with affiliates that will do the targeting and compromise the network.

It's crucial to note that this model is driven by human attackers and isn't scripted malware as it once was, as evidenced by the Conti attacker playbook that was leaked. This means humans are using attacker tools to move laterally within an environment, specifically avoiding modern security tools to increase their chances of success.

This approach also renders traditional signature-based tools ineffective as the attackers can think on their feet and pivot throughout networks in different ways. These attacks also are much quicker than traditional ransomware attacks.

We have seen RansomOps affiliates move through networks at great speed, with ranges of 8-30 days from initial compromise to encrypting a business. Another difference is that these RansomOps attacks move beyond regular ransom to extortion, with the attackers threatening to leak business data if the ransom is not paid.

The pandemic has led to the huge adoption of the cloud, and alongside this, we've seen RansomOp affiliates looking at new ways of targeting via public cloud platforms such as AWS (Amazon Web Service) and Azure. This provides attackers an opportunity to move from initial access to ransom at even faster rates than the already quick 8-30 days. In fact, these attacks can be completed within a day.

Q. What kind of damage can ransomware ops do to a healthcare provider organization?

A. We have seen the impact of ransomware in all verticals; however, the impact when it comes to healthcare has been significant. In the U.S., for instance, the Universal Health Services incident resulted in more than 400 healthcare providers being unable to access electronic records and numerous hospitals and medical facilities severely impacted.

In New Zealand, the Waikato Health District incident, which impacted 680 computer services, led to worrying delays in patient care and COVID-19 testing results, and critically ill patients having to be transferred to other hospitals.

We've also witnessed the very unfortunate events in Germany, where a patient lost their life in a Dusseldorf hospital due to ransomware. In the first half of 2020, a total of 22% of all Australian data breaches were in the health sector, according to government data.

When the ICT systems of Eastern Health in Melbourne were attacked by hackers, the incident resulted in significant disruption, including the cancellation of elective surgeries and huge stress on staff and patients.

The impacts of ransomware to critical infrastructure are real and can have devastating long-term effects. I believe this is one of the top drivers to legislation around the world stepping up protection for critical infrastructure. 

This legislation highlights that governments are looking to take a more proactive response from law enforcement on these criminals to minimize the fallout of these attacks and ensure patients get the care they need while staff have access to the services and tools of their trade.

Q. What steps can health CIOs and CISOs take to protect their organizations against RansomOps?

A. With all things in cybersecurity, there is no silver bullet. However, as a starting point, organizations need to have a strong cyber-resiliency policy.

To achieve this, there needs to be a mindset shift from "if" we get compromised to "when" we get compromised. Once this mindset shift has occurred, then the policy needs to consider people, processes and technology, ensuring security teams have clear visibility of all assets on the network, including cloud and data center infrastructure.

This visibility is key to mapping out the attack surfaces that the organization is exposed to and will help guide process, technology choice and people required to secure your organization.

Organizations also must invest in training all of their staff on cybersecurity, not just once but continuously to make sure they're ready for when they see that phishing email come into their mailbox.

Practicing how the organization will respond to a ransomware incident through tabletop exercises with all senior staff and board members is an effective method. This will outline the responsibilities that the business has to securing itself for when these incidents occur and ultimately speed up response times in an actual event.

From here, a strong security architecture is required. Organizations need to have the ability to monitor across the cloud, data center, internet of things devices and enterprise networks, as well as having the ability to carry out real-time attacker detection and prioritizing detected threats.

This requires organizations to automate security analyst work and provide visibility inside the network. This may look like security teams augmenting with AI-derived machine learning models, as advanced technologies can more effectively function at a speed and scale beyond traditional methods.

Overall, organizations need to establish a company culture that understands risk and then implement mitigating technology controls backed by procedures on how to identify, respond and recover from cyber incidents such as RansomOps.

Q. How do CIOs and CISOs talk to the rest of the C-suite and the board about the threat of RansomOps?

A. This is where we have seen huge progress in the last few years, as ransomware has become a board-level topic.

I believe that like all cybersecurity reporting, we need to have an approach that provides solid metrics at a business level, not a technical level. I have seen all too often that we tend to report technical metrics that the board doesn't understand or are not relevant to broader business objectives – when in fact, these issues do have a significant and negative impact.

On this note, the statistics and stories that are making headlines speak volumes. There's no denying that these attackers are becoming better at infiltrating and taking down businesses and operations from the inside, and this is only extending as organizations adopt cloud services.

For instance, according to an annual report on global cybersecurity, there were a total of 304 million ransomware attacks worldwide in 2020, marking a 62% increase from a year prior and the second-highest figure since 2016.

Not only that, but numerous reports cite those attacks are rising in cost, frequently reaching the $1 million mark. The C-suite and board must be included in the conversation as costs increase to huge rates and security measures require companywide buy-in.

We need to ensure that boards are aware of the risks posed by RansomOps and what the potential impacts are to the business. Again, tabletop exercises with the board go a long way to communicate the real impacts ransomware has on the business and the responsibilities that people have with these incidents.

We need to emphasize that these attacks have become much more sophisticated, and as a result, it's no longer enough to invest in tools but to develop internal knowledge and company culture and establish robust governance frameworks. It's true that this is no longer a technology conversation but a business-wide conversation.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.