Editor’s Note (9/21/20): This article was originally published online on March 23, 2016. We are republishing it in light of the news that a woman in Germany died as a result of a ransomware attack on the hospital where she was being treated. Experts suggest this event could be the first known case of a cyberattack directly contributing to someone’s death.
Earlier this month a Los Angeles hospital became yet another victim of ransomware—a type of cyber attack where hackers encrypt data on individuals’ or institutions’ computers and demand a ransom to unlock the information. A few weeks later the Los Angeles County Department of Health Services reportedly suffered a similar fate. These are just two cases in a rising tide of ransomware hacks, and experts predict the problem is only going to get worse. Unfortunately, it turns out that some of the easiest ransomware attack targets are the critical establishments that we rely on most.
Many vital public institutions such as hospitals, police stations and fire stations typically do not have the most sophisticated cybersecurity, and they are perhaps the most vulnerable of all in ransomware attacks. This is not because public institutions are more exposed to these attacks than, say, restaurants or dentists—the problem is that there is more at stake for everyone when these institutions become victims.
Ransomware has been around since the late 1980s, but in recent years it has become increasingly popular with cyber criminals, especially since the creation of bitcoin in 2009 gave hackers an easy way to get paid anonymously. In 2014 ransomware attacks rose 113 percent compared with the previous year, and 2015 estimates also show rapid growth, says Kevin Haley, director of Symantec Security Response. Ransomware hackers trick victims into visiting an infected Web site or downloading an attachment and then encrypt their data. Hackers post a ransom note on a user’s screen; if the victim does not pay within a certain amount of time, their data is lost forever.
Criminals like ransomware because it works. “This software is very effective at getting money out of people,” explains Justin Cappos, a computer security expert at New York University. The hackers usually demand a fairly small payment of a few hundred dollars, so they tend to fly under law enforcement’s radar. But they target so many people that they can take in millions. “It’s a volume business, like McDonald’s,” explains Phil Lieberman, founder of Lieberman Software and a cybersecurity expert. Although ransomware attacks are mostly random, researchers say that cybercriminals have found a “sweet spot” of $10,000 when they specifically target businesses—a big sum, but still low enough that it will not attract too much attention from law enforcement.
Some groups are prepared to deal with this threat. Tech companies, financial firms and certain government agencies tend to have sophisticated cybersecurity to help them fend off attacks and recover quickly when they happen. But small and midsize businesses, including mom-and-pop shops, restaurants, dentists and attorneys, are typically less well protected, as are crucial public institutions.
Many police stations, for example, have had their data held hostage by hackers. In 2013 ransomware struck the Swansea Police Department in Massachusetts and encrypted its main file server, locking up important administrative and investigative documents as well as seven years of mug shots. The department paid $750 to get its data back. Similar attacks were launched on police stations from Tennessee to Maine to Chicago. Fire departments have also been victims of ransomware. In 2015 a Maryland fire department reportedly had to shut down its computerized dispatch center and record everything on paper because of an attack. Ransomware is especially troublesome for these kinds of institutions because they absolutely need to get that critical data back to continue operating.
Like police and fire stations, hospitals are vulnerable because they also run 24/7 and also have irreplaceable data. Yet hospitals may actually be more susceptible to ransomware attacks for reasons unique to the medical industry. Some medical institutions use old legacy administrative software that only works on outdated operating systems, which contain more weaknesses for ransomware to exploit. It is also difficult for hospitals to update software on medical devices because of tight regulations, and this leaves them more open to attacks as well. “You can’t just roll out new software,” explains Josephine Wolff, a computing security expert at the Rochester Institute of Technology. “The medical world is dealing with a very complicated legal and policy regime around medical data and how it has to be handled.”
Critical infrastructure systems, such as dams and power grids, are increasingly linked to the Internet, meaning they, too, are exposed to ransomware. “We’re getting more and more connected in ways that developers of these systems did not envision many years ago,” explains Engin Kirda, a professor of computer science at Northeastern University. “As a result, these systems could be taken down by malware attacks, and the consequences can be difficult to predict.” Experts, however, say that ransomware is less likely to cause major problems for infrastructure than other types of malware because it deals with data rather than interfering with control systems. But Kirda says that, theoretically, ransomware hackers could access certain data that may affect, say, how power is managed. Lieberman agrees: “It’s not inconceivable that an attacker could target an employee of a critical infrastructure company, shut that company down, and demand a ransom to restore access.”
Ransomware attacks not only place a financial burden on victims, they also hinder the operations of these crucial public institutions. In the case of the Los Angeles hospital it took $17,000 (40 bitcoins) in payment and 10 days before the hospital had its system running again. And although paying the hackers may seem like a relatively small price compared with losing all that data, experts say there is more at stake. The cash that institutions, businesses and average citizens send to hackers ends up in bad places. “The money goes to criminal organizations and a lot of them are involved in really despicable things like human trafficking,” Cappos says. “You’re really providing funding and support to people doing horrible things.” And when victims show they’re willing to pay, it attracts more criminals to the ransomware market.
Experts encourage everyone—from police stations to corporations to individuals—to follow best security practices. Most importantly: have backups. “Ransomware relies on the idea that hackers have managed to encrypt something that’s really valuable to you because you only have one copy,” Wolff explains. “If you have backups, then what they’ve got has no value.”