TLP White: This week, Hacking Healthcare is dedicated to aggregating and analyzing the whirlwind of recent ransomware developments in both the public and private sector. In addition to breaking down what has been happening, we cite new guidance and recommendations and provide our thoughts on how these developments have been helpful or unhelpful in addressing the ransomware issue.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
Welcome back to Hacking Healthcare.
Ransomware has had no trouble maintaining the spotlight as high-profile incidents have continued to mount over the past few weeks. Government authorities and private sector organizations are scrambling to address the increasingly dire situation, and the speed by which the overall situation is evolving can make it easy to miss critical developments. With this in mind, we have dedicated this edition of Hacking Healthcare to examining recent ransomware developments, assessing their impact to the private sector, and highlighting a number of recommendations H-ISAC members may find valuable.
We start with the Biden administration. The administration has made cybersecurity a priority issue area and has found no shortage of critical cybersecurity incidents to respond to. Despite the timing coinciding with the Colonial Pipeline ransomware attack, the administration’s recent cyber-related executive orders on Russian interference, supply chain challenges, and cybersecurity were tailored primarily as a response to prior incidents like SolarWinds and were less focused squarely on the issue of ransomware. However, in the past few weeks the Biden administration has taken numerous steps towards addressing the unrelenting wave of ransomware.
Department of Justice
The Department of Justice (DOJ) has been especially active in this area.
Ransomware Task Force: As we briefly covered in an earlier edition, an internal DOJ memo was issued in late April that announced the formation of a ransomware task force. The memo recognized that ransomware was not only a growing economic threat, but also a threat to the health and safety of American citizens. It has been reported that this memo will lead to improved intelligence sharing across DOJ, the creation of a strategy that targets every aspect of the ransomware ecosystem, and a more proactive approach overall.
Ransomware Elevation: The aforementioned strategy and approach was partially unveiled at the beginning of June when it was reported that further internal DOJ guidance was circulated that gave investigations of ransomware attacks a similar priority to terrorism. The move requires ransomware cases and investigations to be centrally coordinated with the ransomware taskforce in Washington, DC in order to ensure that the best possible understanding and operational picture can be created for the various stakeholders involved in ransomware incidents.
Ransom Recovery: When Colonial Pipeline paid the ransom demand in Bitcoin, many assumed the perpetrators and the money were as good as gone. However, an FBI-led operation was able to seize $2.3 million in Bitcoin paid out in the ransom. The FBI allegedly tracked the movement of the ransom funds on a publicly visible Bitcoin ledger and then gained access to the virtual account where most of it ended up.
Outside of DOJ, US Cyber Command (CYBERCOM), whose mission is to “Direct, Synchronize, and Coordinate Cyberspace Planning and Operations – to Defend and Advance National Interests – in Collaboration with Domestic and International Partners,” also has a role to play in responding to ransomware threats.
Hearing: In a virtual hearing last Friday, Gen. Nakasone, dual hatted as both the head of CYBERCOM and the director of the NSA, declined needing new authorities to go after cybercriminal groups. He stated that he thinks he has “all the authorities I need to be able to prosecute intelligence-wise against these adversaries outside the United States.” However, specifically speaking about ransomware, he relayed that the real challenge, and the one that the Biden administration is working through, is how to share and coordinate intelligence and action with various public and private stakeholders while also determining who is taking the lead on overall efforts. 
Guidance – CISA: Rising Ransomware Threat to OT Assets: The elevated importance of ransomware has also led to the publication of additional guidance from the government, including a CISA fact sheet entitled, Rising Ransomware Threat to Operational Technology Assets. The three-page document gives an overview of the ransomware threat, specifically to OT assets, and then outlines actions organizations should take to prepare for, mitigate, and respond to ransomware.
Private Sector Developments
There have also been a few notable ransomware developments pertaining to the private sector in recent weeks. Unfortunately, these developments have tended to be more negative rather than positive. High-profile ransomware attacks continue to result in multi-million-dollar ransom payments, and the US Congress has been highly critical of how the private sector has responded to incidents.
IST Ransomware Task Force (RTF): The RTF, a group of ~60 experts from both the public and private sector, released an 81-page report that provides a detailed and thorough framework for combatting ransomware. This document should help educate individuals on the nuances of ransomware while also providing practical and actionable policy actions.
Brought together by the Institute for Security and Technology (IST), the RTF includes representation from major technology firms like Microsoft and Amazon; cybersecurity organizations like Rapid7, Palo Alto Networks, the Cybersecurity Coalition, the Cyber Threat Alliance, and the Global Cyber Alliance; and government organizations like the U.K. National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
JBS & CNA: JBS, One of the largest meat processors in the United States, recently became one of the next high-profile ransomware incidents after Colonial Pipeline. The attack had wide-spread impacts, as JBS operations in Australia, Canada, and the US were all reportedly affected. Ultimately JBS paid a ransom of roughly $11 million with the intent of ensuring the perpetrators did not steal company data.
However, that payment pales in comparison to the nearly $40 million that the insurance organization CNA Financial Corp. reportedly paid out to “regain control of its network after a ransomware attack.” While that attack appears to have occurred in March, details of the ransom payment only became public in late May.
Congress Voices Disapproval: In a congressional hearing last week, lawmakers repeatedly engaged with Colonial Pipeline CEO Joseph Blunt on the way they responded to their ransomware incident. Some Lawmakers asserted that voluntary Transportation Security Administration cybersecurity reviews were refused by Colonial Pipeline, with Rep. Bonnie Watson Coleman (D) stating: “Delaying these assessments for so long amounts to declining them, sir.” Others took issue with the pipeline’s decision not to immediately reach out to DHS and CISA or accept their assistance in recovery operations. A few congressional members went so far as to question if voluntary cybersecurity standards and a “hands-off” approach to critical infrastructure was still tenable.
Action & Analysis
Tuesday, June 15th:
– No relevant hearings
Wednesday, June 16th:
– Senate – Committee on Homeland Security and Governmental Affairs: Business meeting to consider the nominations of Jen Easterly, to be Director of the Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, and Chris Inglis, to be National Cyber Director.
-House of Representatives – Committee on Homeland Security: Cyber Threats in the Pipeline: Lessons from the Federal Response to the Colonial Pipeline Ransomware Attack
Thursday, June 17th:
– No relevant hearings
International Hearings/Meetings –
– No relevant meetings
Conferences, Webinars, and Summits –
Contact us: follow @HealthISAC, and email at firstname.lastname@example.org