Russians who deployed ransomware against hospitals are charged
Photo: Scripps Health
The U.S. Department of Justice said the nine individuals named in last week's indictments used the Conti ransomware variant to attack more than 900 victims worldwide – including hospitals, healthcare providers and their patients – affecting critical infrastructure in approximately 47 states, the District of Columbia, Puerto Rico and approximately 31 foreign countries.
WHY IT MATTERS
According to the FBI, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant in 2021.
The Southern District of California charges Maksim Galochkin, "aka Bentley," with three counts of computer hacking, alleging that he "caused the transmission of the Conti malware and impaired the medical examination, diagnosis, treatment and care of one or more individuals."
If convicted, he faces a maximum penalty of 20 years in prison. He also faces a maximum 62 years for ransomware crimes in Ohio and 25 for ones in in Tennessee.
He is charged with one count of conspiracy to violate the Computer Fraud and Abuse Act and one count of wire fraud conspiracy in Tennessee for exploiting a sheriff’s department, police department and local emergency medical services.
Galochkin is one of nine defendants the Northern District of Ohio alleges developed, deployed, managed and profited from the malware known as Trickbot, which Conti is an offshoot of. The charges are one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of wire fraud conspiracy, one count of conspiracy to launder the proceeds of the scheme and an enhancement for falsely registering domains.
"The conspirators who developed and deployed Conti ransomware victimized businesses, governments and non-profits around the world," said Henry Leventis, U.S. Attorney for the Middle District of Tennessee, in an announcement Thursday from the U.S. Department of Justice.
The Tennessee indictment calls Galochkin a "crypter" for Conti, saying that he allegedly modified the ransomware so that it would not be detected by antivirus programs.
Two weeks ago Wired published a Trickbot expose looking at research into the Conti ransomware gang based on a March 2022 Twitter leak from an account known as Trickleaks of alleged online chat logs taken from roughly 35 members. That dump published 250,000 internal Trickbot messages and intelligence dossiers with 2,500 IP addresses, 500 cryptocurrency wallets, thousands of domains and email addresses, names and photos, social media accounts, passport numbers, phone numbers, towns and cities of residence and other personal details, exposing those in the operations.
Galochkin's alleged handle Bentley had an account with the now defunct Hydra Russian-language dark-web marketplace and made multiple deposits that were "likely to buy tools for hacking," according to Jackie Burns Koven, head of cyber threat intelligence at the firm Chainalysis, who spoke to the publication.
She said tracing Bentley’s digital transactions details interactions and collaborations with other Trickbot and Conti members.
Conti appears to have run like a software company, with Galochkin acting essentially as a lead malware product developer overseeing deliverables and an estimated 20 or more direct reports that may have done the actual "crypting."
Javed Ali, associate professor at the Ford School of Public Policy at the University of Michigan and the former senior director for counterterrorism at the FBI's National Security Council, reportedly told ABC News Friday that it is unlikely the Conti-indicted Russian nationals will ever be brought to justice.
But the official charges show how the U.S. continues to use its law enforcement investigations and criminal prosecutions as a policy tool, he said, according to the report.
Such sanctions limit accused cybercriminals' ability to travel outside of Russia, while potentially cutting their access to financial institutions in the United States, United Kingdom and the globe, Will Lyne, head of cyber intelligence at the UK’s National Crime Agency, told Wired.
The DOJ's announcement could also dull the shine of those accused in the crime world.
"We know that ransomware actors value their anonymity, so exposing their identities via sanctions designations affects their reputation and relationships within the cybercriminal ecosystem," Lyne added.
Publicly, Galochkin is affiliated with four Russian businesses where he served as a founder or company director, including one that allegedly provided digital transformation services to local governments in Russia, according to the researchers.
The FBI San Diego office, with support from the Memphis and El Paso field offices and the US Secret Service, is leading the Conti ransomware investigation, while the Middle District of Tennessee and Southern District of California are leading the prosecution.
The FBI Cleveland Field Office is leading the investigation into Trickbot malware, while the Northern District of Ohio leads the prosecution.
The Justice Department’s National Security Division provided assistance in both the Conti ransomware and Trickbot malware investigations, the DOJ said, noting that Trickbot malware developers Alla Witte and Vladimir Dunaev were previously indicted and apprehended.
THE LARGER TREND
The Scripps Health attack by Conti ransomware affected the medical care of 150,000 patients at one neighboring health system unaffected by the attack, according to a JAMA Network study in May, which evaluated patient records from an emergency department that handled Scripps' patient diversions after the attack shut down operations.
That attack and any ransomware attack could shut down hospital operations for an average four weeks or more, and severs access to vital patient information.
John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, advises emergency-management planning – both locally and regionally – and leveraging resources like mutual aid agreements so that patient care for those affected by ransomware attacks is maintained.
"Business continuity is not the same as clinical continuity, and we need to be prepared to carry on operations for up to four weeks," he told a packed room at his keynote address at the start of the HIMSS Cybersecurity Forum last week in Boston.
Dr. Christian Dameff, medical director of cybersecurity for the University of California San Diego and author of the "Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the U.S." study, shared best practices for bringing all healthcare employees to the table to talk about how their daily cyber hygiene practices can ultimately protect care quality.
Employee outreach to address phishing emails – an example he kept returning to in a discussion about building a security-focused culture – requires "pruning, active engagement," he told forum attendees.
"Developing that type of cultural drive requires attention to detail and mixing messages, different types of medium, connecting people where they're at and in the languages that they speak," he advised.
ON THE RECORD
"The indictment alleges a callous disregard for the medical care and the personal information of residents of the Southern District of California," said Acting U.S. Attorney Andrew Haden for the district in the DOJ statement.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.