The COVID-19 pandemic saw health-care systems around the world brush up against their breaking points, with front-line workers facing a tsunami of patients begging for beds in hospitals with limited resources.
But as the pandemic tightened its grip on the country and flooded hospitals, nefarious actors didn’t see a health-care system struggling to stay afloat. Instead, they saw dollar signs.
“Ransomware operators were brazen in their attacks in an attempt to make as much money as possible, knowing that health-care organizations—which needed to continue operating to treat COVID-19 patients and help save lives—couldn’t afford to have their systems locked out and would be more likely to pay a ransom,” according to the 2021 Ransomware Threat Report from Unit 42, the threat intelligence team from the California-based cybersecurity company Palo Alto Networks.
There has been a surge in ransomware demands around the world over the last year and Palo Alto’s Unit 42 found the health-care sector was the “most targeted vertical” for ransomware.
Ransomware is a type of cyber-attack that infects your device, holding your information hostage until you pay a fee.
“I think it’s helpful to think of this type of attack not as a piece of malware, but really as a business model for the attackers,” explained Ryan Olson, the VP of Threat Intelligence for Unit 42 at Palo Alto Networks.
“What they’re doing is denying somebody access to a system or to the data to cause them pain so that they’ll pay a ransom.”
Olson added that hospitals have been a “big target” for these kinds of attacks for “a few years” now.
“(The attacker) can apply a lot of pain to a hospital and effectively shut them down,” Olson said.
“If they can shut down their entire data management system inside the network, they can prevent that hospital from seeing patients, from performing surgeries, from taking all sorts of actions.”
The pandemic also made it easier for ransomware attackers to find victims, as many employees shifted to working from home. The proof is in the numbers: the information technology (IT) sector saw a 65 per cent increase in ransomware incident response cases from 2019 to 2020, according to the Unit 42 report.
“As organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics accordingly, including the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus,” the report said.
But the goal is to gain access and information that can be used. For example, if an attacker gets access to a CEO’s email, they might follow that inbox for weeks to learn who handles large money transfers within the company.
“They could go and send an email and say, ‘we need to send $50,000 today to this company. The fate of the business is on the line, and if we don’t do it, we’ll go out of business,’” Olson said.
He said the attacker would time that email for when the CEO is unavailable over email or phone.
“They send that email, and that person in finance gets an email from the CEO’s actual account. They can’t confirm it because the (CEO) is unavailable and they go ahead and make the transfer,” Olson said.
“This has been the key to stealing billions of dollars.”
And with so much money to be made, attackers are getting “greedy,” Olson said.
“We’re seeing an increase in the amount that they are demanding, especially from enterprises when they have compromised their systems and they’re holding them for ransom,” he said.
The average ransom demand doubled between 2019 and 2020, from $15 million in 2019 to $30 million in 2020. Attackers are now making more money than ever, the report said.
Unit 42 learned that the average ransom paid nearly tripled in 2020, from $115,123 in 2019 to $312,493 the following year. The top ransom payment also doubled, from $5 million in 2019 to $10 million in 2020.
The report also found some disturbing information about Canada specifically. While the United States is the most heavily hit country, with 151 organizations seeing their stolen data published on leak websites in 2020, Canada has the grim honour of coming in second.
A total of 39 Canadian organizations saw their data leaked online last year, while Germany came in third with 26 organizations facing leaks.
When pressed on why Canada faces such a high proportion of these kinds of attacks, Olson said it likely isn’t the result of security issues – but rather that we’re an “attractive target.”
“I’d say it may be sort of a badge of honor to be placed there, because you’ve got the resources that you might want to pay and your data is really valuable. So you’re a high profile target for these attackers who know that they can make money,” Olson said.
“I wouldn’t say it’s because the security sucks or anything else like that, though.”
When asked about what Canada is doing to ensure our safety online, a spokesperson for the Communications Security Establishment echoed that the COVID-19 pandemic is creating an environment that is “ripe for exploitation.”
“The Communications Security Establishment (CSE) and the Canadian Centre for Cyber Security (Cyber Centre) recognize these unique conditions and are working tirelessly to mitigate these threats,” said Evan Koronewski in an emailed statement.
“Throughout the pandemic, CSE and its Cyber Centre have continued to raise public awareness of cyber threats to Canadian health organizations by proactively issuing cyber threat alerts, and providing tailored advice and guidance to Canadian health organizations, government partners, and industry stakeholders.”
He added that CSE has assessed that cyber threat actors will “almost certainly continue to target hospitals, medical clinics, and other front-line services involved in COVID-19 responses around the world.”
Beyond providing threat bulletins and advice to health-care organizations that are at risk of falling into the clutches of malicious actors, Koronewski said the CSE’s Cyber Centre experts have “regular calls” with the health-care sector to share the latest cyber threat information.
“The Cyber Centre recommends that Canadian health organizations remain vigilant and take the time to ensure that they are applying cyber defence best practices, including increased monitoring of network logs, reminding employees to be alert to suspicious emails, use secure teleworking practices, ensuring that servers and critical systems are patched for all known security vulnerabilities,” he said.
What you can do to protect yourself
As Canadian institutions are forced to grapple with these money-hungry attackers, Olson had words of reassurance for average Canadians who are afraid of being targeted by this increase in ransomware.
“What we’re mostly talking about in this report are attacks against enterprises, not against users. I am not going to be charged a $30 million ransom if somebody takes control of my laptop,” Olson said.
However, everyday people do sometimes find their data caught up in these much larger attacks. At the beginning of March, more than 20,000 U.S. organizations were compromised through a back door installed via recently patched flaws in Microsoft Corp’s email software.
In an email to Global News, a spokesperson for CSE confirmed that computer systems in Canada are among those impacted by the massive hack.
“For people at home, it’s not something they can really do a lot about. They can’t take action around securing companies who they’re working with,” Olson said.
While Canadians don’t have much power to protect themselves in the event of these large-scale attacks, there are steps they can take to shore up their personal defences against cyber attacks. Simple steps, such as using multi-factor authentication, coming up with strong, different passwords for various accounts and using a password manager, can help a user build stronger armour against a potential attack.
Those are just a few of the tips on the government’s Get Cyber Safe webpage, which is full of steps individuals can take to tighten the security defences on their devices.
It’s also important to be cautious of what information you’re sharing online — and who you’re sharing it with. Olson said that this can be key to providing a layer of protection even amid the larger-scale cyber attacks.
“Pay attention to what kind of data is being stolen,” Olson explained. “What kind of data are you sharing with companies? Because there is always the potential it’s going to be taken at some point and exposed to the world.”
—With files from Reuters, Global News