Life and Death: The Reality and Consequences of Making Ransomware Payments Illegal

 

 

Part 2 of Ransomware Payments: Illegal or Not

October 17, 2020

Chris Ruggieri

       On September 3, 2020, I published an article condemning the idea that paying the ransom for ransomware attacks being made illegal.  Given the events of the past month, I felt that a “Part 2” of that article is warranted.  So, here we are again, unfortunately having to flog what should be a dead horse.  The main points I’m going to cover here are the Universal Health Services ransomware attack, the patient being turned away from a Duesseldorf Hospital because that hospital was under ransomware attack (which delayed treatment and resulted in the patient’s death), the St. Clair County government being hit by ransomware, the Treasury Department directive that they will fine organizations that pay the ransom, and lastly the secondary ransomware problem (I’ll explain that one later).

      

       Let’s start with the Duesseldorf case.  The Duesseldorf University Hospital was attacked by ransomware on September 10, 2020.  It resulted in a patient in a life-threatening situation being forced to re-direct to a different hospital in Wuppertal, 20 miles away.  The redirect caused an hour-long delay in the patient getting treatment and the woman passed away as a result of the delay.  This was all reported in numerous outlets Thursday September 17, 2020.  For a full week, their systems were affected.  It all stemmed from a misdirected attack.  The attackers were aiming and thinking it was a university and not a university hospital.  In my opinion, it doesn’t matter.  Literally, I DO NOT CARE if it was misdirected.  The authorities are on the trail for the perpetrators and on September 21, 2020 they reported they plan to charge them with negligent homicide once they are identified and located.  Now, here’s where the “should not be illegal” part comes in.  Now, this was a weird situation because there was no clear ransom demand, but for the sake of the argument, let’s say there was.  In a Life or Death situation, should the ransom be paid?  Let me break that apart a little bit.  Risk analyzers and Cyber professionals all say that ransomware is a math problem.  It’s a numbers game.  So, and going back to the question of would you pay the ransom, is the amount of the ransom worth more than a human life? Now the infection happened on a Thursday and the woman showed up for treatment on Friday.  That’s 24 hours.  In that 24 hours, SOMETHING could have been worked out and that woman would/could still be alive. 

          

       Next in the timeline, is the Universal Health Systems ransomware attack.  They were hit September 27, 2020.  UHS is a Fortune 500 healthcare provider with over 400 hospitals across the US and UK.  The attack occurred in the wee hours of the morning (2:00 AM CT) on the 27th and used a variant of the Ryuk ransomware.  Now on this attack, no one died (Thank every God or Goddess ever to exist), but the issue is that they COULD have.  A massive healthcare provider with all of the rules and regulations they have to follow, I’m sure had all of the preventative and detection capabilities installed.  I wanted to highlight this strictly to show, that you can do everything right and still get hit with ransomware.

          

       Next up in the timeline of insanity (you have to admit, this has been a crazy 30-40 days), is the St. Clair County Alabama ransomware attack.  Now, before we go into a whole lot of details, let me say a few things about St. Clair County Alabama.  St. Clair has TWO county seats.  There is the “main” County Administration building and Annex in Pell City, AL and another Administration and Annex building in Ashville, AL.  It appears that around 7:00 PM CST on September 21, 2020 that the St. Clair County government was attacked by ransomware.  They are releasing very few details at this time, but I do know that no data was exfiltrated, and in fact is so tiny that the only article I could find on it was from September 22, 2020 from ABC 33/40 found here.  So, again, not a lot of details, but rumor, allow me to say again, RUMOR is that they paid the ransom.  This would not surprise me given that all of the St. Clair County government buildings as well as the St. Clair County School System are all utilizing the same three, count them three, IT professionals, unless that has changed from 2016.  This situation is eerily familiar to an attack on the School System located in Houston County, Dothan, Alabama in July of 2019.  The incident for that one can be found here. I know several of the people that helped clean up that mess and while the officials “can’t” (read won’t) confirm it was ransomware, a presentation from one of the forensic analysists in December of 2019 confirmed that it was a Trickbot infection.  Now, Houston County School System had all the check boxes and truthfully did pretty much (most) everything right.  Their servers were back up VERY quickly.  The problem came in when it came time to deal with the 4,200 endpoints (desktops, laptops, etc.) that had to re-imaged.  They also had a VERY small IT team (I believe it was two at the time).  School openings were delayed for, I believe 2-3 weeks.  Several non-profit and Cyber teams, including Infragard (which I have been an active member with for 3 years, and even on the Board for a year, and who take a VERY different viewpoint from what I am displaying here.  Speaking of which, it’s time for the obligatory, all of the viewpoints and comments contained in ANY of my articles are solely my opinion and not tied to any of the organizations to which I am affiliated with, including, but not limited to, Hibbett Sports, Inc., Birmingham Infragard Members Alliance, the Central Alabama Chapter of the Information Systems and Security Association, and the Birmingham Hackers Users Group.  Anyways back to the matter at hand.); several of these non-profit and Cyber organizations sent volunteers to Houston County to assist in the clean-up and reimaging of those endpoints.  I wanted to mention this for a reason that I will explain in a LOT more detail later on.  So, St. Clair and Houston County share a lot of similarities, only Houston County did not pay the ransom where St. Clair did. 

          

       Up next on this rollercoaster is the Treasury Department’s new directive that they “could” fine organizations that pay the ransom.  This has been the “hot topic” of discussion over the past several weeks in the Cyber field, and I see both sides of the argument, trust me I do.  You can find articles on it from CIO Dive, Krebs on Security, and Ars Technica, as well as several more, I’m sure.  The irony, is that the CIO Dive article even states in its opening line, “The decision to pay a ransom, often framed as a basic math problem, just became more legally complex.”  That statement helps prove my earlier statement and question about Risk Analyzers say Ransomware is a numbers game, and “What is a Human life worth?” when asking whether the ransom should/could be paid.  Unfortunately, it appears the author of the original Dark Reading article from Pt. 1 of this topic, Mr. Flemming Shi, CTO of Barracuda Networks, is starting to get his way.  I still believe, from the bottom of my heart, that this will only end in disaster for the US Economy and the US Government in general.  Only now, my opinion has shifted just a hair.  Instead of making the payments 100%, can’t do it, illegal, the government, in true government style and fashion, want’s their cut.  It’s a money grab for them and for that I say, “For SHAME”.  I want to take the people in the Treasury’s Office of Foreign Assets Control responsible for this debacle, and force them to walk naked to the Hill all the while being followed by a crazy nun ringing a bell, shouting “SHAME……SHAME” (for those that haven’t seen Game of Thrones……..Spoiler Alert XD).  The Treasury Department would rather a company spend much, much more on data recovery services (remember the Baltimore example from Pt 1 of this topic?) which they would then be able to claim as a loss, on top of paying the fine, which they can also claim as a loss, and therefore just lowered the taxes these organizations will have to pay.  Anybody else find that a little counter-intuitive/counter-productive to what the Treasury is supposed to be doing?  Again, it’s a knee-jerk regulatory hamstring from people who still think IT is some kind of dark magic with clue how it actually works.

          

       Last up on the agenda of the craziness from the past month, is that now we are seeing “double ransom” or “secondary ransom”, whichever you want to call it where the data has been exfiltrated to some cloud bucket.  The attackers are asking one ransom to get your on-prem data back and yet another to make sure the cloud bucket doesn’t go public.  This one is a little trickier.  We are seeing it more in Healthcare than in other verticals.  With the data already being exfiltrated, you’re already on the hook for the HIPAA fines, but do you pay the second ransom, even if you were able to recover from the initial on-prem without paying said ransom.  Here’s where it actually does go back to the numbers game.  The HIPAA fines are already going to be steep.  The question is will adding the secondary ransom, and the Treasury fine now associated with paying the ransom, be worth your customer’s privacy.  On this one, I actually say no.  The HIPAA fines won’t change based on the data going public or not, but now you’re adding another ransom and a Treasury fine.  You’re going to have to notify your customers of the attack either way, so your brand is already going to take a hit. Also, all 50 States now have a Data Breach Notification law that will add to that brand hit.  So, what is the incentive to pay the secondary ransom and accompanying fine.  Long story short, you’re screwed 6 ways from Sunday.  It’s not worth it to pay the secondary ransom and the accompanying Treasury fine. 

          

       Now, let’s wrap this puppy up, with the real-world ramifications of these events.  The attackers are targeting healthcare more than ever, as is evident by the Duesseldorf and UHS breaches.  Municipalities, especially in smaller more rural areas, are getting hit more and more, which I do partially blame on the fact that municipalities don’t invest in the requisite technology (both from an actual tech and a personnel perspective) leaving them more vulnerable.  Government is not seeking advice from ACTUAL tech people that have been fighting these threats for decades and are therefore passing regulations with disastrous long-term consequences.  Ransomware gangs and attackers are wising up to the whole “we’ll just restore from backup” defense and creating an entirely new secondary market.  Last but not least, we need to remember that these Treasury regulations are solely punishing THE VICTIM.  Now, if the company is negligent (I’m looking at you Equifax and STRUTS) that’s one thing.  If the organization simply doesn’t have the budget (i.e. smaller municipalities with lower tax revenue), that’s an entirely different thing, but it all still seems like we are punishing the victim instead of putting pressure on these overseas governments to allow for extradition for computer-related crimes.  I shouldn’t have to apologize for this, but I’m going to anyway.  I’m sorry.  I cannot and will not get behind an idea of punishing ANY victim.  Another thing this will do is convince companies to “screw the data breach notification laws” and just stop reporting it when they pay the ransom.  If the government doesn’t know, it can’t penalize them.  Again, I do not advocate paying the ransom unless there is no other choice.  In Healthcare, minutes can mean the difference between life and death.  In the Municipal sector, the same is true.  Ransomware against an E-911 system and suddenly, you’re back in that life or death situation.  We still shouldn’t be punishing the victim.  Do we punish a rape victim because they wore certain clothing?  No!  We go after the perpetrators of the attack.  Hence, we need a world-wide agreement for extradition for computer-related crimes, or something to that effect.  Obviously, with Nation State Actors being in play, that agreement will never happen.  It doesn’t warrant:

 

  • Punishing the victim
  • Handing a digital nuke to our enemies
  • Regulations that have stupidly disastrous consequences for the country’s economy and national security

 

       So, to the Treasury Department, I still say “For Shame” and get your own house (as in government in general) in order before you start looking to punish other organizations or have you already forgotten about the OPM breach in 2015.  I’m starting to hear that crazed nun, with her bell, shouting “Shame!”

 

       I mentioned earlier (during the St. Clair County attack section) about non-profits and Cyber organizations working together with these municipalities and other government agencies.  It’s time for that “more detail” that I promised earlier.  If it had not been for those volunteers from a University in the area, a Cyber Firm (which happens to employ one of the best Forensics individuals that I have ever seen in my 25 year career), a raw-materials organization, retail, banking, and pretty much every other vertical you can think of, going down to Houston County Alabama, that incident would have been 100 times worse than it was.  So, my question, nay CHALLENGE, to the Cyber Security world, is to offer that help BEFORE there’s an incident?  I would be willing to provide pen-test and environmental assessments at cost (if any) to these municipalities and smaller county governments.  Why, as an industry, are we not trying to help, especially public sector, organizations out of the position between the rock and the hard place?  I think the answer to that question is the inherent, and warranted, dislike and distrust of all things government, not to mention the 100 year track record of government wasteful spending (remember the $1,000 toilet seat rumors?).  How do we get over/around that?  That’s a question I leave for you to decide.