Navigating the Shifting Ransomware Landscape: A Guide for IT Governance and Cybersecurity Leaders

Author: Guy Propper
Date Published: 13 February 2024

Patients with appointments at certain Eastern Connecticut Health Network (Connecticut, USA) locations on 5 August 2023 experienced an unwelcome surprise: their appointments had been canceled.1 The mass cancellation was not due to the network being overbooked or understaffed. Instead, it was the result of a ransomware attack on Prospect Medical Holdings, a California (USA)-based healthcare system operating in 4 states, of which Eastern Connecticut Health Network is an affiliate.

Unable to access many of their computer systems, some locations were forced to cancel appointments. Others stepped back in time, relying on paper records to facilitate patient care. However, Eastern Connecticut Health Network’s experience is anything but an outlier, as ransomware attacks have become frighteningly familiar in today’s digitally dominated landscape.

Ransomware attacks, in which malicious software encrypts or steals a victim's data and the attackers demand payment for its release, regularly impact healthcare providers, educational institutions, government agencies, small and medium-sized businesses (SMBs) and even major corporations.

Ransomware attacks are nothing new. The first documented incident occurred in December 1989 (it also targeted a healthcare institution).2 Over the years, these attacks have grown increasingly common, costly and consequential, making it critical that organizations understand the latest threats and implement solutions to keep their (and their customers’) data secure—and their operations thriving.

Understanding the Ransomware Landscape

Modern ransomware has changed considerably since its inception 3 decades ago. Perhaps most importantly, this malicious software is no longer the work of isolated hackers. Rather, it is the product of sophisticated, often decentralized teams with organizational structures and differentiated roles. The Ransomware-as-a-Service (RaaS) model has proliferated in recent years, allowing less sophisticated malicious cyberactors to acquire and deploy attacks at scale. RaaS products accounted for nearly 60% of all malware products sold on the dark web, according to a study sampling malware offerings between 2015 and 2022.3

Highly organized criminal enterprises are making organizations more likely to experience an attempted ransomware attack. Surprisingly, only a few groups control the RaaS landscape. The top 10 RaaS groups account for 87% of attacks, with the top 3 responsible for more than 50%.4 Of course, these groups can be challenging to pin down as increased law enforcement attention leads to regular rebranding and regrouping.

In 2023, threat actors appeared to target service, manufacturing and wholesale trade organizations, emphasizing enterprises with revenue between US$1 million and US$50 million.5 The median ransom amount is estimated to be approximately US$200,000.6

Attackers attempt to strike a balance between an organization's level of cyberprotection and the potential ransom payment. Simply put, organizations in the mentioned revenue range often lack the IT and security solutions to prevent a ransomware attack, but have enough revenue to pay the ransom to recover their data or IT infrastructure.


The cost of failure can be incredibly high. While it can vary significantly, from several hundreds of thousands of dollars to as high as US$70 million,7 the long-term repercussions, including opportunity cost, reputation damage and investor outlook, make it challenging to calculate the actual impact.

Strategies for Protection, Compliance and Risk Management

Every year, 85% of enterprises experience at least 1 attempted ransomware attack, making it increasingly important to implement strategies for protection, compliance and risk management.8

To elevate an organization’s defensive posture, start by addressing the most common culprits: compromised credentials and exposed Internet-facing servers (mainly remote desktop protocol [RDP] connections). Because these are standard attack methods, enterprises should monitor their servers and be vigilant about compromised credentials. At the same time, it is important to ensure that all employees use strong, unique passwords for their accounts.
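As an added illustration of the monitoring recommended above (this is example code written for this article, not Kovrr's or any product's own logic), the check below runs over a constructed sample of Windows Security logon events and flags the two culprits named in the text: RDP sessions arriving from outside the organization's own address ranges, and a burst of failed RDP logons followed by a success from the same source. The internal ranges, the failure threshold and the sample events are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address ranges the organization owns (assumed); anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample of Windows Security events, reduced to the fields the check
# needs: 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP session.
EVENTS = [
    {"id": 4625, "logon_type": 10, "user": "admin",  "src": "203.0.113.5"},
    {"id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.5"},
    {"id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.5"},
    {"id": 4625, "logon_type": 10, "user": "sql",    "src": "203.0.113.5"},
    {"id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.5"},
    {"id": 4625, "logon_type": 10, "user": "jsmith", "src": "10.0.0.8"},
    {"id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.0.0.8"},
]

def is_internal(src):
    """True for the organization's own ranges and for non-IP sources such as "-"."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)

def rdp_findings(events, fail_threshold=3):
    """Flag RDP reachable from outside, failure bursts against it, and a success
    from a source that had just been failing. One failed try before a success is ignored."""
    failures = defaultdict(list)   # src -> usernames that failed from that source
    exposed, findings = set(), []
    for e in events:
        if e["logon_type"] != 10:  # only RDP sessions matter for this check
            continue
        src, user = e["src"], e["user"]
        if not is_internal(src):
            exposed.add(src)
        if e["id"] == 4625:
            failures[src].append(user)
        elif (e["id"] == 4624 and len(failures[src]) >= fail_threshold
              and user in failures[src]):
            findings.append(("possible_compromised_credential", src, user))
    for src, users in failures.items():
        if len(users) >= fail_threshold:
            kind = "password_spray" if len(set(users)) > 1 else "brute_force"
            findings.append((kind, src, len(users)))
    for src in sorted(exposed):
        findings.append(("rdp_exposed_externally", src, None))
    return findings
```

On the sample, the external source is reported three times (exposed RDP, a password spray across four accounts, and a likely compromised credential for jsmith), while the single internal mistyped password produces no finding.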

Proactively and continuously scanning the Internet and dark web for potential compromise (and responding accordingly) also helps organizations anticipate attack vulnerabilities. Notably, more ransomware attacks occur in the second half of the year than in the first due to the increase in cyberactivity surrounding the winter holidays.9 This does not mean that enterprises should let their guard down at the beginning of the year, but it allows them to plan accordingly, ensuring that they have their proverbial ducks in a row before an attack occurs.

Enterprises can also analyze data to gauge the likelihood of an attack based on their industry and size, although these trends may change over time. Specifically, organizations can leverage data to perform a quantitative cyberrisk analysis to determine the likelihood of a ransomware attack and the impact an incident would have on their operations and bottom-line results. With this information, IT teams and decision makers are empowered to understand the financial impact of a cyberevent, assess the return on investment (ROI) of their cybersecurity budgets and prioritize risk management decisions accordingly.
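To make the quantitative cyberrisk analysis described above concrete, here is an added example (written for this article, not Kovrr's model or any product's code) that turns the figures the text cites into an expected annual loss, a point on a loss exceedance curve and the ROI of a control. The 85% attempt rate and the US$200,000 median ransom come from the article; the probability that an attempt succeeds, the 95th-percentile loss used to set the spread of the lognormal severity, and the control's cost and effect are assumed inputs.

```python
import math
import random

# From the article: 85% of enterprises see at least one attempted attack a year
# and the median ransom is about US$200,000. P95_LOSS is an assumed calibration point.
P_ATTEMPT = 0.85
MEDIAN_LOSS = 200_000.0
P95_LOSS = 2_000_000.0

def lognormal_params(median, p95):
    """Back out (mu, sigma) of a lognormal severity from its median and 95th percentile."""
    mu = math.log(median)
    sigma = (math.log(p95) - mu) / 1.6449   # z-score of the 95th percentile
    return mu, sigma

def analytic_eal(p_attempt, p_success, median, p95):
    """Expected annual loss in closed form: P(attempt) * P(success) * E[severity]."""
    mu, sigma = lognormal_params(median, p95)
    return p_attempt * p_success * math.exp(mu + sigma ** 2 / 2)

def simulate_annual_losses(p_attempt, p_success, median, p95, years=50_000, seed=7):
    """Monte Carlo: each simulated year sees at most one attempt; a successful
    attempt draws its loss from the calibrated lognormal severity."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, p95)
    losses = []
    for _ in range(years):
        hit = rng.random() < p_attempt and rng.random() < p_success
        losses.append(rng.lognormvariate(mu, sigma) if hit else 0.0)
    return losses

def exceedance_probability(losses, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)

def control_roi(p_attempt, p_before, p_after, median, p95, annual_cost):
    """ROI of a control that lowers the success probability from p_before to p_after."""
    avoided = (analytic_eal(p_attempt, p_before, median, p95)
               - analytic_eal(p_attempt, p_after, median, p95))
    return (avoided - annual_cost) / annual_cost

if __name__ == "__main__":
    # Assumed: 30% of attempts succeed; a US$30,000/year control halves that rate.
    losses = simulate_annual_losses(P_ATTEMPT, 0.30, MEDIAN_LOSS, P95_LOSS)
    print(f"analytic EAL : {analytic_eal(P_ATTEMPT, 0.30, MEDIAN_LOSS, P95_LOSS):,.0f}")
    print(f"simulated EAL: {sum(losses) / len(losses):,.0f}")
    print(f"P(loss > 1M) : {exceedance_probability(losses, 1_000_000):.3f}")
    print(f"control ROI  : {control_roi(P_ATTEMPT, 0.30, 0.15, MEDIAN_LOSS, P95_LOSS, 30_000):.2f}")
```

The simulated mean converges on the closed-form expected loss, which is the sanity check to run before trusting the tail of the exceedance curve; swapping in an organization's own frequency and severity estimates is how the industry- and size-based likelihood from the text feeds the budget decision.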


Finally, teams can be trained to anticipate ransomware attacks, making them more likely to closely scrutinize potential phishing emails, better manage their account credentials and regularly install software updates. These digital hygiene best practices can meaningfully reduce the risk of a ransomware attack, equipping organizations of every size with what they need to take control of their digital environments.

Is a Ransomware Attack Inevitable?

In today's digitally connected world, ransomware attacks have become a pervasive element of the ever-changing and increasingly sophisticated landscape. Enterprises, healthcare institutions and organizations across various sectors are all potential targets facing the risk of significant financial loss, operational disruption and reputational damage.

The emergence of RaaS has further complicated this scenario, making the ransomware industry more organized and formidable. However, the inevitability of an attack does not translate into helplessness. Organizations can employ strategic protection, compliance and risk management measures, including constant vigilance, regular employee training and targeted defensive planning based on industry and size trends.

By understanding the current threat landscape and taking proactive steps, organizations can secure their digital environments and reduce the risk of falling victim to malicious attacks.

Endnotes

1 Abrams, L.; “Rhysida Claims Ransomware Attack on Prospect Medical, Threatens to Sell Data,” Bleeping Computer, 27 August 2023
2 Palmer, D.; “30 Years of Ransomware: How One Bizarre Attack Laid the Foundations for the Malware Taking Over the World,” ZDNET, 19 December 2019
3 Weigand, S.; “Ransomware Tops Malware-as-a-Service Offered on the Dark Web,” SC Media, 15 June 2023
4 Kovrr, The Ransomware Threat Landscape H1-23, 13 July 2023
5 Ibid.
6 Coveware, Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments, 21 July 2023
7 Winder, D.; “$70 Million Demanded as Revil Ransomware Attackers Claim 1 Million Systems Hit,” Forbes, 5 July 2021
8 Rangel, M.; “Ransomware Prevention: Safeguarding Your Digital World,” Veeam, 2 October 2023
9 Op cit Kovrr

Guy Propper

Is the head of data at Kovrr, a leading cyberrisk quantification (CRQ) technology and solutions provider enabling global enterprises and (re)insurers to financially quantify cyberrisk on demand. He has more than 10 years of cybersecurity experience and extensive expertise in reverse engineering, malware research and threat actor analysis. Previously, Propper was the head of the threat intelligence and deep learning group at Deep Instinct and participated as a speaker in Defcon 26.