Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Healthcare , Industry Specific

As Britain's NHS Faces Data Leak, Never Normalize Ransomware

Battle the Business Model With Business Resilience Planning, Failover Capabilities
As Britain's NHS Faces Data Leak, Never Normalize Ransomware
We shouldn't become numb to the human cost of ransomware. (Image: Shutterstock)

Never let ransomware become normalized. As Britain's National Health Service faces an alleged leak of stolen data after yet another ransomware attack, this imperative has never been more important.

See Also: 5 Requirements for Modern DLP

The latest attack on the NHS is a reminder that businesses today are more likely than not to be hit by ransomware. But this doesn't mean we should ever let ransomware seem like a new normal, akin to death or taxes (see: Qilin Ransomware Group Leaks NHS Data).

The relentless attacks launched by ransomware groups can make it difficult to not become numb. The mainly Russian-speaking extortion groups collectively earn annual paydays north of $1 billion at society's expense. They've extracted extortion from hospitals, national healthcare systems and other institutions offering critical services, all on top of causing massive disruptions with real consequences for human well-being (see: NHS Ransomware Hack: 1,500 Medical Appointments Rescheduled).

"The types of people who do this are criminals, so they really don't mind," said Alan Woodward, a professor of computer science at England's University of Surrey. "These were the sort of people who were doing drugs, prostitution, human trafficking, etc., so human misery means nothing to them."

One reason they've migrated to ransomware is because "they can make way more money out of it and the risk of getting caught is lower," Woodward told me. "They're immoral, but they're immoral businessmen."

That helps explain the question of how attackers live with themselves when they hurt innocent people.

The BBC recently posed that question to a member of the Qilin ransomware group, which has amassed numerous victims this year, including pathology services provider Synnovis in London.

"This interview is over," the group's representative responded, ceasing all further communication.

Qilin has continued to follow the typical ransomware attacker's playbook, first trying to "name and shame" a nonpaying victim into paying and then claiming to leak stolen data when they don't.

As a result of the attack, the NHS has issued an urgent appeal for donations of O type blood, including via letters sent to households across England. That's because the systems required to cross-match blood types remain unavailable as the Synnovis outage continues (see: London Hospitals Seek Biologics Backup After Ransomware Hit).

So far, the Synnovis attack has led to over 1,000 canceled surgeries and appointments, including the need to reschedule planned cesarean sections and organ transplants. Doctors and hospitals have been told to route noncritical blood tests, including those for sexual health, to alternate providers. One doctor told the BBC that critical blood test results that previously came back in an hour now take six hours.

Recovery Concerns

Experts say Synnovis may take months to fully recover from the attack. The company, which describes itself as a "pathology partnership" between the government-funded Guy's and St Thomas' NHS Foundation Trust and King's College Hospitals NHS Trust and the private Munich-based diagnostics giant Synlab, seemed to pull the plug on its systems as soon as it detected ransomware. Such quick thinking may have blocked attackers from being able to breach systems at the hospitals that rely on Synnovis.

Even so, the ongoing outages and lengthy timeline for restoration raise questions about the wisdom of centralizing pathology services, which was likely done for cost-saving purposes. The Guardian reported that the trusts' contract with Synnovis "for services that are vital to the smooth running of the NHS" is worth $1.4 billion.

At those prices, why didn't Synnovis have failover capabilities located off-site, in partnership with Synlab, so it could continue to provide its essential pathology services, not least in the event of a natural disaster or other disruption? Synnovis didn't respond to my request for comment.

The company is the latest in a long line of victims hit by a now-predictable set of moves by attackers who successfully deploy ransomware or steal data from a victim's environment. Experts say about 25% of such victims typically pay a ransom, which is the outcome attackers most desire, not least because such attacks often never come to light, which makes their tactics tougher for security defenders to track and law enforcement to disrupt.

When attacks do come to light, it's typically because the victim hasn't paid a ransom. At that point, attackers often try to milk the incident for publicity purposes, especially to pressure future victims into paying.

Ransomware groups remain expert at psychological manipulation and branding. Qilin claimed that it demanded a $50 million ransom from Synnovis after an affiliate successfully hacked the company. Perhaps attackers saw a juicy target, given how many private healthcare firms in the U.S. reportedly do pay a ransom.

Anyone familiar with Britain's government-funded and perennially resource-starved National Health Service, of which Synnovis is part comprised, likely thinks the ransom demand is ludicrous. "The criminals may believe that Synnovis won't pay any extortion demand, and this demand for $50 million could simply be a publicity stunt by the criminals in order to raise their notoriety amongst future victims," said Brian Honan, who heads Dublin-based cybersecurity consultancy BH Consulting.

Preparation Pays

Part of never letting ransomware become normalized requires CISOs - and their senior executives and boards of directors - to ensure their organizations aren't just prepared for attacks but ready to nuke their enterprise IT environment from orbit and start all over again, if required.

In the case of Synnovis, that might have meant being prepared to lose data from already processed test samples, something that may have now occurred anyway. Triaging an event of this magnitude and rapidly restoring services might require trade-offs.

"You've got to be ready for it, and to withstand it, and that doesn't just mean repelling it, because they're going to do it more than once," Woodward said. "You have to be ready to operate without IT and to know what to do if you raze it all to the ground and start again."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.