RansomwareRansomware Activity Targeting the Healthcare and Public Health Sector

Ransomware Activity Targeting the Healthcare and Public Health Sector

Beckage is notifying organizations in the healthcare sector of a potential threat that may occur this weekend. We will continue to monitor this situation and provide updates as they occur.

Late last night the Federal Bureau of Investigations (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about an imminent cybercrime threat to hospitals and healthcare providers. These organizations have credible information to suggest that there will be a widespread Ryuk ransomware attack this weekend. The threat is currently being investigated by the FBI, DHS and the NSA’s Cybersecurity Threat Operations Center.

What We Know

The cybercrime organization Ryuk is targeting the Healthcare and Public Health sector with Trickbot malware that may lead to ransomware attacks, data theft, and the disruption of healthcare services, a particularly concerning possibility considering the nation is still grappling with the COVID-19 pandemic.

Based on what we know about Ryuk, it is possible that the targeted healthcare entities have already implemented the encryption malware on healthcare organizations’ systems and the threat actors just have not commanded it to activate.  Given the threat, we urge all healthcare organizations to review the measures recommended by the FBI as consider some practical incident response measures.

What To Do Next

Beckage recommends that hospitals and healthcare providers implement several preventative steps to safeguard their organization including of the following measures: reviewing current incident response protocols and processes within the next 24 hours, and carefully crafting internal drafting internal and external messaging and FAQs with an experienced data breach attorney to help minimize legal risk as well as making sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage is available to discuss additional best practices that should be taken over the next 24 to 72 hours. Our team will continue to monitor this for new developments and provides updates as appropriate.  If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

*Attorney client privilege. Past outcomes do not predict future results.

Subscribe to our Newsletter.

ransomwareWhat To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

What To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

While ransomware was already a growing global issue before the pandemic, COVID-19 has thrown jet-fuel on that fire.  As a result, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory statement on October 1, 2020.  The advisory specifically details the risk of sanctions related to paying a ransom and reflects the greater reality that as new wrinkles in attacks become common, including exfiltration of data for later extortion or deletion back up files, more businesses than ever are considering ransom payment.  OFAC wants your business to remember that paying ransom to certain groups is a sanctionable event.  

Beckage is very familiar with many ways to avoid paying ransom, but we remain informed of all the regulations and advisory guidance related to ransom payment.

A high-level review of a ransomware event can provide perspective on what role OFAC and its advisory mean to your business:

The Incident

Ransomware is a type of malicious software that infiltrates computer networks, locking and blocking access unless a ransom is paid.  When your business encounters ransomware, your Incident Response Plan (IRP) should direct leadership to immediately initiate contact with previously identified parties whose work is focused on just this sort of matter, including counsel such as Beckage, and your cybersecurity insurance carrier.

Common Questions

In the first minutes and hours after ransomware is detected, we hear common questions, such as: Is paying ransom a viable path forward?  Is it allowed?  And if there are no other options for remediation and restoring from backups, how is it done?

The Response to Ransom Demands

Depending on the situation, ransoms are sometimes paid.  This is not a default position, but can be the necessary and most logical step in response to a ransomware incident.  Your business does not suddenly have to figure out how to pay an unknown party the ransom; your tech lawyers will be familiar with third parties that specialize in incident response, including investigating the background of the threat actor and exploring payment.  Such a third-party will take steps to secure cryptocurrency, such as Bitcoin, for paying a ransom, work with counsel to understand how anti-money laundering laws apply to a transaction, and gauge whether the actor behind the ransomware is a sanctioned group or tied to a sanctioned group. 

OFAC’s Impact

The OFAC advisory reminds us that the U.S. Government does not qualify ransom payment as illegal, but ransom payments are not favored resolutions.  The advisory serves as a reminder of existing practices and policies:

  • Fines can follow any violation of the International Emergency Economic Powers Act (IEEPA), Trading with the Enemy Act (TWEA), Specially Designated Nationals and Blocked Persons List (SDN List) or embargoes with jurisdictions such as Iran, North Korea, and Syria. Your counsel, insurers and third parties involved in ransom. payment should all be familiar with the requirements therein.
  • Businesses are encouraged to implement and maintain a compliance program to avoid sanction-related violations, which can help mitigate civil monetary penalties in the event of a sanctions-related violation.
  • Businesses should routinely review with their insurers and brokers if and how the ransom payment process is impacted by this and any future advisory.
  • Sharing ransomware incident information with relevant government agencies, including OFAC and the FBI, is highly encouraged but not required.  Cooperation is critical to not only threat actor identification efforts, but, like a formal compliance program, can mitigate penalty in the event of an enforcement action for a sanctions-related violation.

The Result

OFAC’s advisory continues an established narrative of best practices for any company affected by ransomware, and those are the practices of our firm.  If your company finds itself under attack, look to experienced incident response lawyers, like Beckage, to help.  As noted in the advisory, “there was a 37 percent annual increase in reported ransomware cases [from 2018 to 2019] and a 147 percent annual increase in associated losses from 2018 to 2019,” and these numbers are expected to continue to rise.  By looking to experienced tech lawyers in incident response, you help your business mitigate risks associated with ransomware, including business interruption, reputational harm, and non-compliance with government standards for ransom payment.

Have your technology and incident response lawyers help establish, formalize, and update your corporate Information Security Practices and Incident Response Plan, to address legal requirements and changes in the law and to help your business avoid ransomware, or at least be fully prepared to respond to an incident.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.