"We don't pay ransom" has been the blunt message from Waikato District Health Board chief executive Dr Kevin Snee as his organisation continues to grapple with the effects of a cyberattack that hit last Tuesday.
The DHB has preferred to persist with the multi-day - turning into multi-week - grind of restoring its systems from backups.
Police and cyber experts say that's the best approach: If you pay up, you'll only encourage more offending.
But security experts also warn that where the likes of a healthcare provider or law firm is the target of an attack, getting its files returned (by backup or payment) is only half the process.
The cyber-attackers can also make copies before unlocking or returning files in order to extort individual patients (or customers).
"There is always the risk that the criminals could contact individual patients to blackmail them, particularly if those patients suffer from ailments that would be embarrassing or they would not want others to be aware of," says Dublin-based security expert Brian Honan.
Honan is head of the Irish Reporting and Information Security Service - billed as Ireland's CERT (Computer Emergency Response Team) - and the country has been in the thick of it.
On May 14, Ireland's public health service was hit by a major ransomware attack, from which it is still recovering. A ransom was not paid. The attackers asked for US$20 million in bitcoin. On May 20, the Financial Times reported that 27 personal files associated with the attack had been posted online. (As well as rendering various services inoperative, the ransomware gang behind the Irish attack, the ContiLocker Team, claims to have stolen 700 gigabytes of data, including patients' home addresses and telephone numbers, as well as staff employment contracts, payroll data and financial statements.)
"And this has happened in the past where criminals ransomed data in a private psychology clinic in Finland; they also demanded payment not to publish that data onto the internet, and they also extorted individual patients to prevent the publication of their individual files," Honan says.
In October 2020, patients of the Helsinki-based Vastaamo chain of clinics received extortion notes from a ransomware gang, which threatened to publish their therapy notes - which included everything from adultery to LSD use - if they didn't pay €500 within 48 hours. Around 30 paid up. Another 100 - including politicians and celebrities - had embarrassing details spilled on the public internet. Vastaamo was put into liquidation in January.
Waikato DHB boss Snee says it seems there is a low chance that patient records have been exposed. But he also said at a press briefing over the weekend that the attack was more far-ranging than first thought. "We are dealing in uncharted territory here," Snee said.
And ex-RAF cyber operations expert Jeremy Jones, now with Theta, told the Herald, "I would be highly surprised if all the Waikato DHB records weren't stolen as part of this attack."
Jones explained that cyber adversaries deliver these attacks in spite of any security controls that might be deployed, such as anti-virus or firewalls. They simply seize control of administrative accounts and then disable the security controls one by one, leaving the IT department blind to the attack.
"Since some victims have (rightly) refused to pay the ransom, adversaries ended up changing their tactics. They steal all the data first and then encrypt it. If you refuse to pay then they extort the victim organisation by threatening to release the data publicly."
Why the sudden escalation in attacks on hospitals?
The New York Times recently described a rash of cyberattacks on American hospitals - often by gangs based in Russia - as "their own kind of pandemic".
Hospitals have long been a favoured target for hackers. The life-and-death urgency of restoring files can make it more likely a ransom will be paid (and there can be rich pickings later from shaking down individual patients). But Covid-19 has seen a step-up in tempo.
"Criminals are targeting healthcare providers because they realise how dependent we are on those providers during the pandemic," Honan says.
"As such they believe the providers' reliance on their IT systems will make it more likely for them to pay any ransom demands."
He adds, "We have to remember that the people behind these attacks are criminals with little or no scruples and look to prey on the most vulnerable in society."
The attackers can be utterly ruthless, if no ransom is paid. In November last year, the University of Vermont Medical Centre couldn't treat some chemotherapy patients because an attack wiped their records. "Nurses said it was one of the worst experiences of their careers," the Times reported.
With lives at stake, or your most embarrassing secrets about to spill onto the web, it must be tempting to pay up (just as the likes of Garmin, Canon, the Colonial Pipeline, Blackbaud and others have capitulated to cyber-extortion in the business world).
But Honan says it's a temptation that has to be resisted, and not just because keeping the funds flowing to ransomware gangs incentivises more attacks.
"Criminals by their nature are not trustworthy and there is no guarantee that they won't release the data at a later date, or return again at a later time demanding another payment, or sell the data to other criminals for them to use that data to target people affected with scams or other online crimes."
War game it
Experts say you should educate your staff to be wary of suspicious emails (the usual conduit for ransomware to infiltrate a network), keep all of your IT systems up-to-date and maintain multiple backups - including a "cold" or offline backup.
The classic mistake here is backing up, but never testing whether it works.
"I recommend regularly testing your restore procedures, running exercises which simulate a ransomware attack, and also including ransomware attacks as part of your business continuity planning," Honan says.
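The restore test Honan recommends, as an added Python example that is not part of the article: it backs up a constructed records tree with a per-file SHA-256 manifest, restores the archive into a scratch directory and verifies every file, then shows the same drill catching a backup job that silently dropped a file. All file names and contents are constructed for the demonstration.

```python
import hashlib, os, tarfile, tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def make_backup(src_dir, archive):
    # Tar up src_dir; return {relative path: sha256} to store with the backup.
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_of(full)
                tar.add(full, arcname=rel)
    return manifest

def restore_drill(archive, manifest):
    # Restore into a scratch directory and check every recorded file.
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # 3.12+: blocks path traversal
            tar.extractall(scratch, **kw)
        for rel, expected in manifest.items():
            path = os.path.join(scratch, rel)
            if not os.path.exists(path):
                problems.append("missing: " + rel)
            elif sha256_of(path) != expected:
                problems.append("corrupt: " + rel)
    return problems  # empty list means the backup restored cleanly

def demo():
    # Constructed sample data: a tiny records tree, backed up and drilled.
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "records")
        os.makedirs(os.path.join(src, "ward7"))
        for rel, text in {"ward7/notes.txt": "constructed note\n", "index.csv": "id,ward\n1,7\n"}.items():
            with open(os.path.join(src, rel), "w") as f:
                f.write(text)
        archive = os.path.join(work, "records.tgz")
        manifest = make_backup(src, archive)
        good = restore_drill(archive, manifest)
        # Simulate a backup job that silently dropped index.csv but still reported success.
        broken = os.path.join(work, "broken.tgz")
        with tarfile.open(broken, "w:gz") as tar:
            tar.add(os.path.join(src, "ward7"), arcname="ward7")
        bad = restore_drill(broken, manifest)
    return good, bad
```

A scheduled run of `restore_drill` against the most recent offline backup, with any non-empty result raised as an alert, is the check that turns "we have backups" into "we can restore".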
For his part, Jones said part of the problem is that the 20 DHBs use a patchwork of different security solutions, many of which are outdated or have been band-aided together over time.
That makes it hard for deputy director-general of health Shayne Hunter to control, Jones says (Hunter oversees digital policy for the Ministry of Health).
Our Government - like others - has refused to make paying a cyber ransom illegal, or to introduce controls that would prevent bitcoin and other cryptocurrencies being used for anonymous payoffs.
But it did allocate $230m operating spending and $170m capital spending toward the creation of a centralised patient record system over the next four years as the 20 DHBs are merged into a single national health agency. That should make it easier to shore up the system's defences.