Ransomware hackers target hospitals because there's often an extra urgency to get patient files back from the cyber thieves: Lives are at stake.
That's why non-profit and for-profit hospitals in New Jersey and Alabama have paid cyber-ransoms in recent times, and why healthcare facilities in the UK, France, Australia and now New Zealand keep getting hit. Hospitals have reportedly paid ransoms ranging from US$55,000 to more than US$1 million.
And ex-RAF security expert Jeremy Jones (now with Theta) adds, "There are also cyber attacks involving medical facilities where the adversaries also extort the patients themselves directly. For example, 'Give us some money or we'll release your mental health records on the Internet'."
Authorities advise never to pay a ransom, because it only enables more offending, but NortonLifeLock cyber expert Mark Gorrie earlier told the Herald that he was aware of a US police department that caved and paid a cyber-ransom.
Today, Gorrie said, "In this case, the attackers will be hyper-aware that a government-backed organisation providing critical healthcare can only be down for so long. They know the pressure is mounting publicly and that is an incentive to pay up. It's all part of a very well-rehearsed plan."
Three ways our Govt is enabling ransomware
It's become a very familiar story. Today's hackers often want money to give you back your files (after they've stolen them or encrypted them in a "ransomware" attack) or to cease a DDoS attack (a distributed denial-of-service attack where an army of bots try to connect to your site at once, rendering it inaccessible to regular punters).
And their efforts are only escalating because governments enable ransomware extortionists in three ways: failing to regulate cryptocurrencies like bitcoin, giving hackers an easy, anonymous method of being paid; authorities' underfunded and uncoordinated efforts to catch offenders (we compare particularly poorly against Australia, as detailed within this feature); and maintaining the legality of paying up.
NortonLifeLock security expert Mark Gorrie saw the recent DDoS attack on the NZX as a "profit-driven" attack, like those on Lion, Toll Group, Fisher & Paykel Appliances and MetService before it, and the Reserve Bank since (none of the victims would comment on whether a ransom had been demanded).
In the US, a ransomware attack that shut down a major oil pipeline has reanimated debate over whether a ransom should be paid: overnight, oil was flowing again after reports that the pipeline's operator had paid millions for the return of key files.
Here, Crown agency Cert NZ and the police have clear advice. "Don't pay." Cert (the Computer Emergency Response Team) said paying up will only encourage another attack on you or another organisation. There's also no guarantee you get your files back or that a DDoS attack will stop if you do stump up - and you'll likely be giving money to an organised crime outfit that's also involved in the likes of drugs and human trafficking.
Nevertheless, Kordia chief information security officer Hilary Walton says research indicates around 20 per cent of victims do pay. There are indications that fitness-tracker and avionics maker Garmin recently paid $14m to rid itself of an attack.
And the University of Auckland recently disclosed that it had alumni and donor data stored with Blackbaud, a listed US company that publicly disclosed it had paid a ransom after its systems were compromised earlier this year. Otago University also had data with Blackbaud. Both NZ universities said they were not party to the decision to pay off the hackers.
If an organisation doesn't pay up, the latest tactic is blackmail - or slowly leaking small batches of sensitive files on to the public internet to encourage a victim to pay up.
Fisher & Paykel Appliances suffered that fate earlier this year as it had highly-detailed budgets and planning documents posted online.
But the whiteware maker gritted its teeth and did not pay.
It was a tough outcome, but Cert says even if you do pay, and your files are returned, your attacker could keep copies and use them to blackmail you in the future.
Yet Wellington lawyer and IT specialist Michael Wigley earlier said he can understand why some organisations pay up. In some cases it can be a pragmatic decision. In others, an argument can be made that a company's duty-of-care extends to retrieving lost client data.
And Wigley noted that - simply because it would ruin future attempts if they didn't play ball - hackers often do return files, as in the Garmin, Blackbaud and now Colonial pipeline cases, and are willing to release small amounts of data to prove they're the actual perpetrator.
Herald columnist Juha Saarinen says the government should make it illegal to pay a ransom.
What does the current law say?
"The Crimes Act was written in an age when a ransom was only demanded for a person, not data," says Auckland University Law Faculty professor Bill Hodge.
"But my reading is that it would not be illegal to succumb to a hacker's demands and pay a ransom.
"It would be almost impossible for police to mount a prosecution."
This morning, Justice Minister Kris Faafoi ruled out a law change to make it illegal to pay a cyber-ransom.
How to protect your organisation from ransomware
First, there are the basics: any expert will tell you that you need to have anti-virus, anti-malware software in your organisation, plus hardware or software firewalls; you need to keep all of your software (not just security software) up-to-date with the latest patches; and you have to back up regularly, and regularly check that your backups work.
1. A 'cold' backup
Beyond that, Cert NZ says a key defence against ransomware is to do a "cold" backup.
Most organisations will copy their files to one or more cloud backup services. But if your passwords are compromised, those online backups can be too.
A cold backup involves the manual, old-world method of copying files to a portable hard drive, then physically moving that hard drive to somewhere off your premises.
2. A culture of suspicion
NortonLifeLock security expert Dean Williams gives a cold backup the tick, but emphasises "it's just one piece of the puzzle".
Another is to have the right culture in your organisation - and that's one where people are highly on-guard and not afraid to highlight a suspicious email.
"If you're not confident a message is real, call it out," Williams says.
Ransomware gangs tend to take their time stalking a large corporate target, and often carefully customise attacks.
"A phishing email can be crafted to the point where it's very hard to identify as a fake," he says.
You've got to educate your staff to be on the lookout for phishing attacks, such as an invoicing scam, Williams says.
At Herald publisher NZME, an award-winning awareness campaign took in everything from a "Phishing" button added to Outlook to posters on the back of toilet doors. It led to an 80 per cent increase in staff reporting suspicious emails.
Aura Infosec GM Peter Bailey says his organisation is seeing an increase in scam emails related to the pandemic as confusion around rapidly changing office and home office setups opens a rich vein of confusion for exploitation. So be particularly wary of any communications about Covid-19. Your standbys are to report suspicious email to your IT department or to give the apparent source of an email an old-fashioned telephone call.
You've also got to tell your staff, and friends and family, not to:
• visit unsafe or suspicious websites
• open emails or files from someone you don't know
• click on malicious links in social media, like Facebook posts. Be especially suspicious of purported surveys, coupons and tests
Cert says another good rule of thumb is to never download software recommended by someone who phones you, purporting to offer technical support.
And never enable macros (software for automating various functions) in Microsoft Office.
It can also be a good idea to sign up for alerts from Cert NZ. The Crown agency caters to both home users and IT professionals (for the latter, it's just issued a warning about possible ransomware vulnerabilities with two remote access technologies that many large organisations use to manage staff working from home during the outbreak).
Cert NZ was set up for education, but also to be used as a triage centre if you get hit by ransomware or another form of cyber attack.
You can get free advice on the best IT support and law enforcement contacts, and Cert stresses that it's confidential. Start at cert.govt.nz/report.
While Cert recommends not paying a ransom, the agency says if a business does pay up and get files back, it's important that they have their computers professionally inspected by an IT expert to determine if the attacker has planted any other malware, or if the attacker has created another way to access the business's data.