TLP White: This week, Hacking Healthcare begins by breaking down the wildlife threat to critical infrastructure and reminding organizations to ensure they have back-up plans in place for unanticipated service outages. Next, we dive into the world of ransomware once again to highlight not just the resurgence of attacks in 2021, but also some bold and dangerous new tactical developments. Finally, we wrap up with a look at a major new report outlining a framework to combat ransomware that may provide the strategic insight needed to counter this growing threat.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
1. Beavers Bring Internet Blackout
Roughly 900 internet customers in British Columbia unexpectedly lost service for 36 hours last week. The cause was not an earthquake, fire, snowstorm, malicious cyberattack, or inadvertent mistake on the part of the network operator. The culprit of the unexpected outage turned out to be a beaver.
Canadian network operator Telus reported the incident as a “very bizarre and uniquely Canadian turn of events.”[1] An investigation of the outage led a Telus service crew to discover “extensive” fiber-optic cable damage buried underground in multiple locations caused by a beaver chewing through both the 4.5-inch thick conduit and the fiber-optic cable itself for material to add to its home.[2] Addressing the cable carnage ultimately required specialized equipment to diagnose the extent of the issue and repairs were made more challenging by the partially frozen ground conditions.
Unexpected animal-induced events that impact critical infrastructure are not as uncommon as you might think. Cris Thomas, a cybersecurity researcher, spent several years hosting a site dedicated to compiling power cuts caused by wildlife. While his ‘cybersquirrel’ project was ended in 2019, the site is still operational and geolocates over 2,500 incidents globally.[3][4] Some of the more eventful incidents that were cataloged include 12,000 individuals negatively impacted when a slug shutdown a Japanese railway, and the tens of thousands of dollars of damage to Australia’s National Broadband Network’s (NBN) cable infrastructure caused by curious cockatoos.[5][6]
While rural areas are more likely to encounter internet service disruptions due to the unanticipated actions of wildlife, even organizations in traditionally stable and reliable urban locations are occasionally affected by inquisitive squirrels or birds. Additionally, unlike a temporary loss of power, where back-up generators may be able to keep critical operations running for a time, internet service disruptions don’t often have any kind of alternative.
Action & Analysis
**Membership required**
2. Ransomware Operators Becoming Bolder and More Dangerous
Just in from our “Are we sick of this yet?” department, we bring you more on ransomware and some new developments that are particularly worth highlighting for their boldness and the seriousness of their implications.
To set the scene, it’s worth noting that the most recent report from ransomware aggregator Coveware suggests that ransomware is surging again after a slight dip in Q4 of 2020.[7] Their Q1 2021 report that was just released states that the average ransomware payment has jumped 43% from last quarter to $220,298, while the median ransom payment has jumped 59% from last quarter to $78,398.[8] Furthermore, the number of ransomware attacks that involved a threat to leak data jumped from 70% in Q4 2020 to 77% in Q1 2021, suggesting that threats of data leakage are further solidifying into common practice.[9] Lastly, while email phishing and RDP compromise continue to dominate the attack vectors for ransomware, Q1 2020 saw a significant increase in incidents arising from software vulnerabilities, a trend worth watching as we roll into Q2 2021.[10]
While the increases noted by Coveware would be worrying enough by themselves, a few recent ransomware cases deserve their own specific breakdown. These cases highlight the continuing evolution of the ransomware threat and further underscore the need to tackle this problem.
First, U.K. rail network operator Merseyrail was reportedly hit by a previously undisclosed ransomware attack. We know of the attack because the ransomware gang appears to have compromised Merseyrail’s own email system to send correspondence to employees and news organizations about it.[11] The email alleged that Merseyrail had downplayed a ransomware attack and that employee and customer data had been stolen.[12] Included in this correspondence was an image of personal information allegedly belonging to a Merseyrail employee.
Secondly, there was the disturbing revelation of the Babuk gang’s attack on the Washington D.C Metropolitan Police Department (MPD). After infiltrating the MPD network, the Babuk operators allegedly were able to obtain 250GB of data, including highly sensitive information such as police officer disciplinary files and the detailed information of police informants.[13] The Babuk gang then demanded $50 million to make this problem go away and threatened to contact gangs with information on the police informants if payment wasn’t received within 3 days.[14]
The MPD has been working through the incident with the FBI and the details of the resolution are not currently known. However, in an interesting turn of events only days after the attack, the Babuk gang announced they were shutting down their operations.[15] In some final correspondence, the group stated that the MPD attack “was our last goal.”[16]
Action & Analysis
**Membership required**
3. IST Ransomware Framework
Speaking of the IST report, this more strategic-minded document lays out a detailed and comprehensive strategic framework for tackling ransomware. The report is highly accessible to a wide range of audiences, including those not experts in ransomware or cybersecurity, and it helpfully outlines the issue, the actors involved, and the various challenges associated with ransomware.
The 81-page report is the culmination of considerable work from over 60 experts in both the public and private sector, brought together by IST, including representation from major technology firms like Microsoft and Amazon, cybersecurity organizations like Rapid7, Palo Alto Networks, the Cybersecurity Coalition, the Cyber Threat Alliance, the Global Cyber Alliance, and government organizations like the U.K. National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The report recognizes the evolution of ransomware from criminal annoyance to “serious national security threat and public health and safety concern,” and acknowledges that no silver bullet will solve this complex global collective security issue.[17] The report focuses on five ‘priority recommendations’ which all tie into government actions domestically and internationally. These recommendations call for coordinated diplomatic and law enforcement actions, aggressive whole of government responses, cyber response and recovery funds, and better regulation of the cryptocurrency sector.
As for the framework itself, the report is organized around the four goals, “deter ransomware attacks through a nationally and internationally coordinated, comprehensive strategy; disrupt the ransomware business model and reduce criminal profits; help organizations prepare for ransomware attacks; and respond to ransomware attacks more effectively.”[18] The IST report asserts that these “interlocking and mutually reinforcing” goals must be done in conjunction to be effective.[19]
Each of these goals is broken down in significant detail in the report, complete with specific action items for various stakeholders. Organizations should be encouraged to know the overall approach is grounded in a realistic appreciation of the difficulties ransomware creates, and the freely available document is an excellent resource for those looking for a holistic understanding of the issue.
Action & Analysis
**Membership required**
Congress –
Tuesday, May 4th:
– No relevant hearings
Wednesday, May 5th:
– House – Committee on Homeland Security: Hearing: Responding to Ransomware: Exploring Policy Solutions to a Cybersecurity Crisis
Thursday, May 6th:
– No relevant hearings
International Hearings/Meetings –
– No relevant hearings
EU –
– No relevant hearings
Conferences, Webinars, and Summits –
Contact us: follow @HealthISAC, and email at contact@h-isac.org
[1] https://www.cbc.ca/news/canada/british-columbia/beaver-internet-down-tumbler-ridge-1.6001594
[2] https://www.cbc.ca/news/canada/british-columbia/beaver-internet-down-tumbler-ridge-1.6001594
[3] https://cybersquirrel1.com/
[4] https://www.bbc.com/news/technology-38650436
[5] https://www.bbc.com/news/world-asia-48729110
[6] https://www.bbc.com/news/world-australia-41857761
[7] https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
[8] https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
[9] https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
[10] https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
[11] https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/
[12] https://grahamcluley.com/merseyrail-ransomware/
[13] https://arstechnica.com/information-technology/2021/04/ransomware-attack-on-dc-police-threatens-safety-of-cops-and-informants/
[14] https://arstechnica.com/information-technology/2021/04/ransomware-attack-on-dc-police-threatens-safety-of-cops-and-informants/
[15] https://www.bleepingcomputer.com/news/security/babuk-ransomware-readies-shut-down-post-plans-to-open-source-malware/
[16] https://www.bleepingcomputer.com/news/security/babuk-ransomware-readies-shut-down-post-plans-to-open-source-malware/
[17] https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf
[18] https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf
[19] https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf