On March 18, the operators of Maze ransomware posted a “press release” announcing that they would stop “all activity versus all kinds of medical organizations until the stabilization” of the coronavirus situation. The ringleaders of the DoppelPaymer and CLOP ransomware programs made similar promises, even saying they hadn’t targeted hospitals beforehand.
It was a surreal moment for me, given how much hospitals and health care organizations have suffered at the hands of ransomware operators over the course of the past several years. As recently as February, Maze, for instance, was threatening to release stolen health care information if a clinic network in Texas refused to pay extortion demands. Ransomware attacks have affected more than 1,000 health care organizations in the United States alone since 2016, with costs totaling more than $157 million, according to a recent analysis. And that doesn’t even include the massive WannaCry ransomware attack on the U.K.’s National Health Service in 2017.
Some cybercriminals may be sincere about scaling back their illegal activities right now. But there’s reason to believe those promises aren’t worth much—these organizations have shown few qualms about interfering with life-saving medical care in the past. And even if there are a few more ethical criminals out there, certainly plenty of cybercrime operations are ramping up as more and more professional activity is forced online by social distancing measures, and hospitals are increasingly desperate to keep their systems up and running.
In response to coronavirus-related cybercrime, a number of ad hoc, informal volunteer networks of cybersecurity first responders have sprung up to help health care organizations deal with online threats during this crisis. For instance, Cyber Volunteers 19, or CV19, is facilitating matchmaking between cybersecurity experts and health care organizations across Europe in need of help protecting their computer systems. The group already has more than 3,000 volunteers, founder Lisa Forte told Forbes last week. The European CV19 initiative inspired a similar group in Australia that will also extend assistance to health care service providers in New Zealand, founder Louisa Vogelenzang told CSO Online, adding that the group had more than 40 volunteers already.
The U.S.-based Coveware and New Zealand-based Emsisoft have announced a joint initiative to help hospitals respond to and recover from ransomware attacks for free. In Canada, the SecDev group has formed to provide similar protections under a mission centered on three basic principles:
1) No hospital should close because of a ransomware attack;
2) No patient should go untreated as a result of cyberattacks; and
3) No essential service should be held hostage to malicious cyber actors.
Ideally, of course, these are principles that would apply under all circumstances.
It’s inspiring to see both criminals and white hat hackers volunteer to help protect hospitals during this period. But it’s also easy to imagine how quickly these initiatives could go sideways if a criminal were able to infiltrate one of these volunteer groups and get access to a health care provider’s systems. Because of how quickly these groups are forming, and how much is (necessarily) being coordinated online through sites like LinkedIn, it’s important to vet members carefully and be sure everyone is, in fact, who they claim to be. That’s one of the reasons that, even though ransomware is a global threat, it makes sense for these groups to emerge regionally, so that members are able to check one another and work with trusted partners.
When hospitals fall victim to ransomware, everything slows down. Health care providers have to switch to paper records, lab results have to be transmitted in person, it takes longer to schedule personnel and admit patients and treat them—assuming the hospital is able to continue admitting patients at all. The quickest way to get things back up and running may seem to be giving the attackers what they want, but that only makes everything worse in the long run. So cyberdefense volunteers are especially essential right now because it’s a more critical moment than ever to shield hospitals from having to pay ransoms. Even if one or two ransomware operators are willing to forgo targeting hospitals right now, there are many others who will view it as an opportunity.
And if hospitals start conceding to attackers’ demands to make ransom payments, those attacks will only accelerate. I’ve written before that the only good reason to pay a ransomware demand is to save lives, and if ever there were a moment when paying ransoms might seem to save lives, this would seem like one. But signaling to attackers that there is a good opportunity to make money by targeting hospitals right now will harm patients more than it helps them. Perhaps the first handful of hospitals hit will be able to make payments—but they won’t be able to continue doing that, and many other hospitals all over the world will find it impossible. To dissuade criminals from targeting hospitals right now, we must not rely on their supposed promises and ethics. We need to make clear that there is no money to be made from attacking these institutions. Hospitals that are targeted right now should avail themselves of all the free help and assistance they can to restore their systems without lining criminals’ pockets and providing them with incentives and resources to continue their attacks.
And long-term, we need to think about how to do a better job of protecting our hospitals and other critical infrastructure, and how to provide the kinds of assistance that are currently being mobilized through ad hoc networks through more stable, robust, and formalized channels instead. It’s wonderful that there are so many people volunteering to help protect hospitals from cyberattacks right now, but it’s also shameful that we need them to fill these roles because we have so poorly protected our most critical institutions. There’s already been some movement on that front in the United States. Late last year, Congress passed the DHS Cyber Hunt and Incident Response Teams Act of 2019, which would aim to establish some of those capabilities within the Department of Homeland Security.
But it’s probably going to be a while before governments are able to focus on making serious progress on cybersecurity. When they do, we need to remember the lessons of this period, especially the need for a standing organization of trusted first responders to help mitigate and contain online incidents.
March 31, 2020: This article was updated to clarify that Coveware and Emsisoft are offering assistance to COVID-related efforts worldwide, not just in the U.S.