Date: 2022-07-13

Ransomware continues to plague the internet’s security landscape. As its name describes, ransomware doesn’t work like so many other malicious software attacks. Other tactics include overburdening systems with so much information that their intended services are disrupted, or stealing data to be abused or resold on the dark web. Ransomware is a special kind of criminal endeavor where a hacker gains access, like they’d need to in order to deploy other types of attacks, but then it gets a little more interesting, albeit still quite damaging.
With ransomware, the criminals initiate their cyber-attack similarly to those other hacking crimes. They play on our ignorance, laziness, and ineptitude. We users still don’t know enough about information security and privacy vis-à-vis everyday computer and technology usage to be good, effective defenders. Sometimes, even when we do know better, we’re too lazy to put up good defenses—I’m looking at you, “Password123.” I know, I know … Who wants to create, regularly change, and remember or securely store complicated passwords? On a broader scale, entire commercial systems are configured and managed by “experts” who haven’t taken the time or exerted the effort to stay abreast of security tactics. The worst offenders combine laziness and ignorance and just skate through their workday without genuine care over the systems they manage.
In the face of those and countless other security shortcomings smattering everyday users’ practices, the bad guys chomp at their bits. When they opt for ransomware, they leave your information—banking and healthcare records, online activities, photos and other media files—where it rests within your computer or phone. However, once they gain access to that information because they, unlike us, are full of initiative, zeal, and the most up-to-date ways to attack, they hold it for ransom.
It’s true. They take all that information and encrypt it so that you can no longer access, use, or sometimes even see it. Then, if you pay the ransom, you get a key that decrypts it. You may think that afterwards it’s back to normal. Too often the hackers simply take the ransom and run. Other times they pass along the key, and then come back and do it all over again knowing how easily you were duped. Other less than savory results occur, honor amongst thieves being what it is.
Things really get wonky when the ransomware purveyors are more than mere criminals. It’s one thing to be hacked with ransomware by an angst-ridden scofflaw, or some mission-driven hacktivist that plies their trade toward, in their minds, just ends. There is a special breed of scariness built into hackers who are state-sponsored.
North Korean hackers have been attacking healthcare organizations in America with ransomware. The malware is known as “Maui,” which, to a self-described latent Hawaiian like me, is quite offensive. All things, literally, until now associated with the Aloha State are beautiful, pure, and forever desirable—okay, the exorbitant costs of travelling to and living in Hawaii are obscene; the overly protected areas we haoles are prohibited from visiting seem like outdated policies; the discrepant wealth patterns of native-born Hawaiians as compared to those with more colonial lineage near abhorrence. Mostly, though, very little can be said negatively about it.
Maybe that’s why in their forever cheeky-cum-offensive manner the DPRK hackers named this malware Maui. No matter its etymology, Maui is a problem. The FBI’s Cyber Division brings it into scope. Because healthcare organizations operate in the forum of saving lives, arguably as critical an endeavor as anything in modern times, criminals prey on that vulnerability. They then hunt down the systems’ vulnerabilities. Those healthcare targets are more likely to pay the ransom. You might even read it as a duty pursuant to the Hippocratic Oath, one modern, popular version including, “I will respect the privacy of my patients….”
An industry-borne account of the problem of North Korean hacking teams levying Maui on hospitals found something unique in that Maui is not robotically or automatically casting about. Maui, unlike most large-scale ransomware attacks, is being done manually. That gives the Kim dynasty a special advantage, and allows Maui to be more nimble and to morph easily if defenses are created after continual use.
Tragically, for the healthcare entity victims, there is yet another layer of risk according to the government because of Maui’s creators and its North Korean pivot point. By paying the ransom demanded, hospitals may get sanctioned under tenets of the Treasury Department’s laws against contributing to foreign assets of regimes that are political foes of the U.S.
That’s right, a hospital first endures costly and frankly scary circumstances when its systems are compromised by the ransomware. Medical devices, treatment data, patients’ privacy and care are all at risk the moment the malware becomes active. Then, if they can even muster up a plan to pay off the attackers, doing so lands them in hotter water still. Incidentally, insurance is unlikely to be a solution due to the North Korean underpinnings and related limitations within cyber insurance policies.
What might the industry do? The FBI advises that if any such HPH (Healthcare and Public Health) Sector organization gets attacked, there are allowable steps to take. Don’t pay, first off. So, there’s the first delay in returning to normal, healthy operations; not that anyone’s eager to pay, what with the lack of confidence that by doing so normalcy would return. Second, report the ransomware to federal government agencies, such as the FBI or the Cybersecurity and Infrastructure Security Agency. There are more delays, bureaucracy being what it is. Finally, the government charges victims to fully, languidly cooperate with law enforcement.
How many patients, and to what extent, can Maui and its highly confined responses harm? It’s unknowable. Scan back above, then, and work on the ignorance, laziness, and ineptitude issues if you happen to have a nexus with HPH security.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com
