The Ransomware Files Podcast
by Jeremy Kirk, Executive Editor, Information Security Media Group
Health-ISAC Chief Security Officer, Errol Weiss, adds some background to this discussion on Ransomware.
If there are two industry verticals where launching a ransomware attack isn’t even close to a fair fight, it’s those against schools and hospitals. Schools deliver education. Hospitals deliver medical care. Both are essential services that – especially after the last two years of the Covid-19 pandemic – do not need any more interruption. This podcast follows the awareness and response to a Ryuk Ransomware attack on Rockford Public School District 205 in Rockford, Illinois on September 5th, 2019.
Link to podcast: (Note, Errol’s part comes at 32:29)
Ryuk recently popped up in the news in a curious legal action. In April 2022, Microsoft’s Digital Crimes Unit announced that it had gone to federal court to get an order that allowed it to take control of domains associated with a botnet called Zloader. A botnet is a network of computers that are infected with a specific type of malware and can be controlled remotely. Cybercriminals who run botnets use the networks for all sort of nefarious purposes, from stealing data to using them as proxies for other cyberattacks. The court allowed Microsoft to take control of 65 domains that Zloader’s operators used to control the botnet.
The court also gave Microsoft control over more than 300 other domains that its operators could potentially use to regain control over their botnet. Microsoft also named an alleged operator of Zloader, a guy named Denis Malikov, who lives in Crimea, part of Ukraine that Russia unlawfully annexed in 2014.
So, a little background on Zloader. Zloader is malware that was often spammed out to potential victims. Once it had infected a computer, it served as a foothold for malicious hackers to upload other harmful code onto the computer, including ransomware. It was also really capable malware in its own right and could steal authentication credentials, cookies from browsers and interfere with online banking sessions. Zloader’s lineage traces back to infamous banking malware known as Zeus or Zbot, which emerged around 2006. The code for Zeus leaked in 2011, and it became the basis for malware that still circulates today.
To strengthen its request to the court, Microsoft needed to show the harm that Zloader was causing. In the court documents, there’s a declaration from Errol Weiss, who is now chief security officer for the Health Information Sharing and Analysis Center, or Health-ISAC. Health-ISAC helps health care organizations shore up their cybersecurity. Before that role, Errol was a security executive at the financial institution Citigroup and before that, a penetration tester with the National Security Agency. He’s given affidavits before for civil cases filed that were aimed at stopping the Zeus, Citadel and Shylock botnets. With Zloader, Errol’s declaration focused on the effects of Ryuk on the health care industry.
Errol Weiss: “The attacks can be devastating, as we talked about, back in 2020, into 2021, rising cases of COVID 19, hospitals over capacity trying to treat seriously ill patients, and then now they’re dealing with this ransomware attack that’s happening, and then the consequences become even more dire. A modern hospital relies on IT systems to run all aspects of that business as you could imagine. So if you interrupt IT services, you’re inevitably going to have a negative impact on patient care.”
Errol’s declaration to the court cited impacts that Ryuk had on patient care. In one example, a Ryuk infection forced ambulances to divert and cause a 90-minute delay in emergency care. Another infection disrupted the delivery of chemotherapy for cancer patients. Ryuk infections forced other hospitals to cancel elective procedures, delayed lab results and caused delays in scheduled maternity and oncology appointments. The gang or affiliates of the gang also leaked sensitive patient data, including clinical data and diagnoses for hundreds of thousands of people. Errol says that making schools and health care institutions more resilient against ransomware isn’t trivial.
Errol Weiss: “Ultimately, properly securing enterprise networks is incredibly complicated, it’s challenging. And then of course, it changes every single second. It’s extremely difficult to adequately protect any kind of enterprise network without proper investments. So the question I would ask a listener, I would say, are you spending about 10% of your relative IT budget on security? And if you’re not, it’s probably not enough.”