Following the news about a hacker claiming to have broken into multiple healthcare databases across America has listed a fresh trove of 9.2m records on a Dark Web-based marketplace for 750 bitcoin (£368,000). IT security experts commented below.
Ondrej Kubovic, IT Security Specialist at ESET:
“The attacker found vulnerabilities in the affected companies’ systems that allowed him to get access to the records, then – apparently unsuccessfully – demanded “a small fee to prevent the leak” and now he/she is trying to sell the loot on a dark web marketplace. There is no guarantee that the data is genuine, but we can assume that the attacker would not put such a price tag on data, he would not be able to prove genuine to a potential buyer.
The amount that authorities can do now depends on how many traces the attacker left behind and if the investigators manage to get their hands on the stolen data (and all its copies the attacker might have created).
In general, the organizations under ransomware attack should not pay the attacker, as there is no guarantee they will obtain a working decryption key or tool that will be able to decrypt all of the affected files. There is also no guarantee that the malicious actor will not come back for more. We recommend to contact the technical support of their security vendor as there are many variants of ransomware that can be circumvented or can have a decrypting tool custom made.
But since this doesn’t seem to be a ransomware attack, ransomware specific advice (such as backup) doesn’t apply. This seems to be more about deploying a strong multi-layered protection (including data encryption) rather than being able to restore the already-leaked sensitive data.”
Travis Smith, Senior Security Research Engineer at Tripwire:
“The next stage of ransomware has finally arrived. Traditional ransomware is a semi-automated process in which the malicious software infects the victim and encrypted as much critical data as possible. However, the victim could easily forgo the ransom in lieu of restoring from recent backups. This is the next stage of ransomware, in which the attacker is mitigating the risk of the victim restoring from backup by keeping a copy of the private data. Now the victim may have to make decisions on paying not only to recover their data, but to prevent it from being leaked externally. For businesses, this could mean fines and diminished reputation from the breach. For consumers, this could be private or damaging information.
A lot of attention for ransomware has been shining on the recovery aspect, as it’s relatively simple to have recent backups and restore your encrypted data. With this evolution, both businesses and consumers will need to focus more heavily on prevention. This includes keeping applications and operating systems up to date with the latest patches and training users not to click links or open attachments from unknown sources.”
Brian Spector, CEO at MIRACL:
“Hospital IT systems are notoriously fragmented and complex, with networks crossing wards, laboratories and offices. They are also among the most vital and important in any organization – because if their systems go down, people’s lives may be at risk. This makes healthcare organisations the perfect victims for ransomware.
So it is not surprising that there has been such a spate of ransomware attacks on hospitals in the past year. This will most likely grow in the future so all healthcare organisations must take time to constantly evaluate and improve their defence configurations and make sure they have a full back up in place so that if they are affected they can recover quickly without paying the ransom.
It’s as true for hospitals as it is for the Web itself, where the efforts of hackers are becoming bolder and more frequent. We believe that the security challenge is a problem that can’t be patched. The best thing to do is start over with a new system which distributes trust across multiple points instead of continuing to provide single points of compromise.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.