In February, Hollywood Presbyterian Medical Center (HPMC) was the victim of a ransomware attack that disabled access to its network, email, and patient data. The hospital was crippled. The Radiation Oncology department was shut down, CT scans and lab work were unavailable. What communication there was relied on fax machines, handwritten forms, and notes. Impacted patients were transferred to other facilities or simply turned away. After 10 days of this, the hospital surrendered and paid the required ransom to get its systems back up and running.
This kind of acquiescence is the norm in ransomware attacks where recovery is difficult or impossible. What makes the HPMC incident interesting is the head-turning size of the ransom demand as originally misreported — $3.6 million — and the very reasonable discussions that followed about why it actually was not a crazy amount to pay. The price of poker is going up.
Ransomware demands have usually been nuisance costs. While the aggregate payments are reportedly in the tens or even hundreds of millions, the formula for attackers has been high-volume, low-dollar crimes. The Economist reported in early 2015 that the demand prices were actually going down, since attackers had “found the sweet spot where their victims simply pay up,” and that sweet spot was in the hundreds of US dollars.
The attackers at HPMC must have a different GPS, because their sweet spot was about 30 times as large, with the hospital paying about $17,000 to get its systems back online. But then again, they’re charting new territory. There may be an average price to recover some files or a system, but what does it cost when an entire hospital is incapacitated?
To figure this out, I looked around for public information that would help me get a handle on the losses that HPMC was incurring while the ransomware attack was active. Published reports indicated that, among other hospital services, CT scanning was impacted. According to a 2014 California Department of Health Care Services report, the HPMC CT scanning charges had been in excess of $41 million a year. If we divide that by the maximum 365 days of use, the disruption of CT scans alone would account for losses of over $100,000 per day. If I’ve done this right, the loss of revenue from a 10-day hiatus of that one service alone was at least $1 million. That doesn’t account for the other ongoing losses for a hospital that (according to the same report) brings in over $2 million per day.
Considering the losses incurred by having the hospital’s services disrupted, $17,000 starts to look like a bargain.
Prices could rise
When HPMC was attacked, it joined a diverse group of ransomware victims, from police departments to businesses, schools, law firms, and other hospitals. The prevalence of these attacks underscores how big of a business ransomware has become, yet until recently the business model focused on keeping price points low. Low costs have made it easy for businesses to decide to simply pay the ransom, advice that even the FBI has offered.
This is very likely to change because the criminals will realize that the same ransomware that brings them many small-dollar bitcoin paydays can also be used against larger firms that can afford much larger payoffs. Ransoms in the five, six, and seven figures represent a significant departure from standard operating procedure, and they will make the decision about whether to pay up much more difficult.
If this happens, it is likely that attackers will make painful examples of organizations that cannot or will not pay to demonstrate the seriousness of their demands. Had the ransom at HPMC been the reported $3.6 million, and had the hospital been unable or unwilling to pay it, the recovery would likely have been painful, public, and costly.
Smarter defense and recovery
The rise of ransomware is the result of two factors: 1) More criminals are finding it a lucrative new way to monetize attacks; and 2) There is a growing set of ransomware tools, kits, and services that make attacks simpler and more devastating. Stopping the evolution in tools is unlikely. That means we need to reduce the attractiveness of this crime by blunting ransomware success rates and decreasing their profitability. There are three ways to do this:
1. More intelligent recovery. When a ransomware attack happens, organizations first look to their backups to see if they can simply reload the machines and recover using their own sources. From the frequency and volume of ransoms paid, this is a primary area where organizations should apply some effort. Backup and recovery design should focus on the type of data that is stored on the various systems and should consider that these attacks can do more than scramble content. Ransomware can also be used to paralyze applications and functionality, so the recovery strategy needs to include reconstitution of any critical services.
2. Evaluating connections and sharing. Ransomware arrives through user interactions on their own systems. It is an uncommon user system that can bring a large organization to its knees, but advanced ransomware knows how to spread. Ransomware that can install itself on network drives or that looks for shared objects spreads quickly. It is more likely to infect multiple systems and meaningfully impact the operation of the business. Compartmentalization and access control are foundational concepts in security, but they need to be revitalized to mitigate the spread of these infections. Organizations should revisit the amount of sharing that they do, the permissions that users have to shared assets, and the monitoring that is done of those shared drives and objects.
3. Improved user and system protections
The best way to defend against the impact of ransomware is to keep it out of the organization entirely. Given the prevalence of users as the channel through which ransomware enters organizations, these users and their systems need to be strengthened. Attackers have become skilled in making their emails appear legitimate, and there has been real innovation in the techniques they’re using to get the ransomware past existing system defenses. Users need to be re-energized and reeducated to avoid activating the ransomware, and their systems need new protections that can stop infection when they make mistakes.
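As an added example (not code from the article or its author), here is a small monitor over constructed file-server audit lines that flags the spread pattern point 2 describes: one account changing many files on a shared drive within a short window, or renaming files to an appended extension. The log format, the user and path names, the thresholds and the suffix list are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines in a simplified "<ISO timestamp> <user> <op> <path>" format;
# not any real file server's log layout. "bob" only reads; "mallory" bulk-writes 25
# files in 25 seconds and then renames files with an appended extension.
T0 = datetime(2016, 2, 5, 9, 0, 0)
SAMPLE_LOG = [f"{(T0 + timedelta(seconds=i * 7)).isoformat()} bob READ //fs01/radonc/plan{i}.doc"
              for i in range(6)]
SAMPLE_LOG += [f"{(T0 + timedelta(seconds=i)).isoformat()} mallory WRITE //fs01/radonc/plan{i}.doc"
               for i in range(25)]
SAMPLE_LOG += [f"{(T0 + timedelta(seconds=30 + i)).isoformat()} mallory RENAME //fs01/radonc/plan{i}.doc.locked"
               for i in range(3)]

WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20                      # distinct files changed by one user per WINDOW (assumed)
SUSPECT_SUFFIXES = (".locked", ".crypt")  # constructed examples of appended extensions

def parse(line):
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path

def detect(lines, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return {user: reason} for accounts whose share activity looks like bulk encryption."""
    by_user = defaultdict(list)
    for line in lines:
        ts, user, op, path = parse(line)
        if op in ("WRITE", "RENAME"):     # reads alone never trigger an alert
            by_user[user].append((ts, op, path))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for end, (ts, op, path) in enumerate(evs):
            if op == "RENAME" and path.endswith(SUSPECT_SUFFIXES):
                alerts[user] = f"rename to suspicious extension: {path}"
                break
            while ts - evs[start][0] > window:   # slide the window so it spans at most WINDOW
                start += 1
            touched = {p for _, _, p in evs[start:end + 1]}
            if len(touched) >= threshold:
                alerts[user] = f"{len(touched)} files changed within {window.seconds}s"
                break
    return alerts

if __name__ == "__main__":
    for user, reason in detect(SAMPLE_LOG).items():
        print(f"ALERT {user}: {reason}")
```

The burst rule fires on the twentieth distinct file changed inside the window, before any rename is seen; the suffix rule catches a slower encryptor that the burst threshold would miss.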
Given the ease of attack, the availability of tools, and the anonymous nature of the payoffs, it could be natural to view ransomware as an ongoing and rapidly multiplying tax on our interconnected lives. Unlike other threats, though, the opportunity to slow or stop its progression is not dependent on closing all the holes or arresting all the criminals.
Instead, we need to focus on doing three things:
making it less likely that the attacks will succeed by increasing our defenses and precautions
making it much more expensive for criminals to develop the tools that will break through our defenses
making it less expensive to repair the damage than to pay the ransom when infection does happen.
With the profit motive weakened or eliminated, the criminals will move on, and we can get back to worrying about the usual challenges of insider threats, external attackers, and nation-state sponsored attacks. The good old days.
Jack Danahy is cofounder and CTO of endpoint security company Barkly. A 25-year veteran in the security industry, he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.