Ransomware misstep results in a moral conundrum

While gangs debate targets, a lull in attack volumes offers time to add defensive layers

It’s a question we’ve all asked ourselves: when will ransomware gangs go too far and provoke a stronger response than payment – or defiance – from an individual target?

In May 2021, we got our answer.

Ransomware attacks on hospitals during Covid met with universal condemnation as “despicable and evil”. Even before the pandemic, cybercriminals were divided over the ethics of such targets, but that didn’t stop the attacks. Government cybersecurity advisories also took a keen interest in the health and aged care sectors, but attacks continued.

If attacking healthcare organisations during a pandemic wasn’t already a step too far, hitting oil supplies to much of the US proved to be that misstep, that “miscalculation”. The malware creators quickly knew it, too, and while they tried to backpedal with a brief mea culpa, by then, they’d already attracted a kind of unwanted scrutiny that they couldn’t shake. The result was inevitable.

How this ultimately impacts the multiple gangs operating in the ransomware space remains to be seen.

Certainly, they can expect increased short-term scrutiny, which has led some high-profile gangs to eschew the spotlight and set non-target lists. One group now bars attacks on “government, healthcare, educational and charity organisations regardless of their country of operation.”

But as some groups draw up new rules of engagement, others continue to attack hospitals, proving morals are an unreliable defensive strategy, particularly if not all adversaries agree to them (and if it remains financially lucrative to continue attacks).

And so, despite the assurances of cybercriminals – and a brief reprieve while they wait for the heat to pass – healthcare providers and critical infrastructure providers will inevitably wind up on target lists again.

Before that occurs, there is a small window of time to make improvements to security and defensive postures.

The health factor

Healthcare organisations are attractive targets for malicious attackers due to the high value of personal medical data they possess and the need for uninterrupted operations.

They are also highly vulnerable to attacks due to complicated factors such as a broad diversity of workers, the need for on-demand access to information, and having to protect legacy medical devices that lack robust security features.

The financial rewards for stolen information are high – healthcare-related records sell at a premium in dark web forums, as much as $1000 each, due to the amount of personal data contained within.

Attackers also leverage ransomware to deny healthcare organisations access to critical data unless they pay, annually costing the industry millions of dollars and endangering patient care.

Sizing up industry

Utilities like Colonial Pipeline – the target of the recent ransomware misstep – use industrial automation and control systems or IACS as part of their core operations.

IACS comprises large numbers of devices that generally have a long lifecycle of 15 years or more and installed bases that can run into the tens of thousands of devices per company.

The ability to harden these devices may be a challenge since functional design was the primary mindset of component manufacturers, which often did not allow for turning off unneeded (networked) services. Security also traditionally relies on “air gapping” from other networks such as the internet, but many of these gaps have disappeared to enable new functionality or data use.

In addition, high replacement costs may slow the pace of the adoption of newer technologies, leaving older, more vulnerable devices in use.

IACS often manages 24×7 operations and has very short maintenance windows, potentially leaving devices without required patches or updates for long periods, increasing risk.

Attacks on these systems target day-to-day operations. Lengthy shutdowns can have massive downstream impacts on consumers.

A deceptive proposition

While security challenges differ, both healthcare and critical infrastructure sectors are finding utility in innovative solutions like Deception Technology to defend against attackers.

Instead of using typical approaches to identify abnormal behaviour, a deception platform distributes decoys and lures throughout the network, creating an extensive minefield that works to misdirect attackers. Because no legitimate user or process has a reason to interact with a decoy, any touch of a deception asset provides an engagement-based alert with relevant forensic data, virtually eliminating false positives and increasing the incident responder’s ability to address a compromise with confidence.
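To make the engagement-based alerting idea concrete, here is an added example that is not part of the original article and not Attivo’s product code. It assumes a hypothetical decoy inventory (addresses, account names and a share path, all constructed) and a constructed log format of the form `<timestamp> <kind> key=value ...`; any authentication attempt with a decoy account, connection to a decoy host, or open of a decoy file is treated as an engagement and produces an alert carrying the forensic context a responder would want, while ordinary activity produces nothing.

```python
"""Engagement-based alerting on decoy assets (hypothetical, constructed example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed decoy inventory (hypothetical names and addresses). These assets
# serve no production purpose, so any interaction with them is an engagement.
DECOY_HOSTS = {
    "10.20.30.99": "decoy-fileserver",
    "10.20.30.120": "decoy-hmi",
}
DECOY_ACCOUNTS = {"svc_backup_admin", "hmi_maint"}
DECOY_FILES = {r"\\fs01\finance\payroll_2021.xlsx"}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    source: str      # host that touched the decoy
    asset_type: str  # "account", "host" or "file"
    asset: str       # the decoy that was touched
    detail: str      # forensic context taken from the log line


def parse_line(line: str) -> tuple[str, str, dict[str, str]] | None:
    """Parse '<ts> <kind> key=value ...' into (ts, kind, fields); None if malformed."""
    parts = line.split()
    if len(parts) < 3 or any("=" not in p for p in parts[2:]):
        return None
    ts, kind = parts[0], parts[1]
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, kind, fields


def detect(lines) -> list[Alert]:
    """Emit one alert per decoy engagement; non-decoy activity is ignored."""
    alerts: list[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped rather than alerted on
        ts, kind, f = parsed
        src = f.get("src", "?")
        if kind == "auth" and f.get("user") in DECOY_ACCOUNTS:
            alerts.append(Alert(ts, src, "account", f["user"],
                                f"auth attempt result={f.get('result')}"))
        elif kind == "conn" and f.get("dst") in DECOY_HOSTS:
            alerts.append(Alert(ts, src, "host", DECOY_HOSTS[f["dst"]],
                                f"connection to {f['dst']} port {f.get('dport')}"))
        elif kind == "file" and f.get("path") in DECOY_FILES:
            alerts.append(Alert(ts, src, "file", f["path"],
                                f"opened by user={f.get('user')}"))
    return alerts


def engagements_by_source(alerts: list[Alert]) -> dict[str, list[str]]:
    """Group touched decoys by source host, in time order, for responder triage."""
    grouped: dict[str, list[str]] = {}
    for a in alerts:
        grouped.setdefault(a.source, []).append(a.asset)
    return grouped


# Constructed sample log: one workstation authenticates normally, then probes
# a decoy account, a decoy host and a decoy file in turn.
SAMPLE_LOG = [
    "2021-05-12T03:14:01Z auth src=10.20.30.41 user=jsmith result=success",
    "2021-05-12T03:14:07Z auth src=10.20.30.41 user=svc_backup_admin result=failure",
    "2021-05-12T03:14:09Z conn src=10.20.30.41 dst=10.20.30.5 dport=443",
    "2021-05-12T03:14:11Z conn src=10.20.30.41 dst=10.20.30.99 dport=445",
    r"2021-05-12T03:14:15Z file src=10.20.30.41 user=jsmith path=\\fs01\finance\payroll_2021.xlsx",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} ENGAGEMENT {a.asset_type}={a.asset} from {a.source}: {a.detail}")
    print(engagements_by_source(found))
```

The design point is that the decision rule is a membership check against an inventory rather than a behavioural threshold, which is why the alerts are high-fidelity: tuning effort goes into keeping the inventory accurate, and the grouping by source host gives a responder the sequence of decoys one machine touched.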

Deception Technology is operationally efficient and accurate, and acts as a force multiplier in both sectors: healthcare organisations can use it to protect themselves against the unrelenting stream of attacks targeting protected health information and patient data, and critical infrastructure operators can use it to guard against the inevitable resurgence of adversary attention.


Jim Cook
Jim Cook is ANZ Regional Director at Attivo Networks, an award-winning leader in cyber deception and attacker lateral movement threat detection. Cook has more than 20 years’ experience in the IT industry in both Australia and the UK and was previously ANZ Regional Director at Malwarebytes. Before that, he was Country Manager at Fortinet and also worked at Check Point Software Technologies for nine years in several sales positions.