What ransomware hackers do with data they extort and why it can be lucrative - Action News


Data from five southwestern Ontario hospitals has been exposed in a ransomware attack. The FBI and Interpol are investigating and the hospitals say they've decided not to pay the ransom demands.

Ransomware attacks are a 'triple stream of revenue' for hackers, says tech expert

A hacker tries to access and alter data during a hacker convention in Nevada in 2017. (Steve Marcus/Reuters)

Hospital systems across southwestern Ontario have been offline for 11 days after a ransomware attack that has led to data being exposed online.

The FBI and Interpol are now investigating and the hospital officials involved are remaining tight-lipped.

But who are the people behind these kinds of attacks, and what are they looking to do with the data they've stolen?

Mark Sangster, chief of strategy at cybersecurity firm Adlumin Inc., refers to ransomware groups as "the misfortune 500" because they operate much like top organizations or institutions.

"They have executive structure, they do recruiting," he said.

"They compensate individuals who do good work, very talented individuals. And they have a lot of resources, often backed by state sponsors, in some cases foreign governments."

The five hospitals affected by the attack, located in Windsor-Essex, Sarnia and Chatham-Kent, said Thursday that they refused to pay a ransom and that some of the information connected to the attack has been published.

The attack has left hospitals scrambling without their IT systems, affecting surgeries, appointments and other services. People receiving radiation for cancer care in Windsor have had to go elsewhere for treatment.

Sangster said information is incredibly valuable to hackers, particularly health-care records.

"It's one of the most valuable and the most expensive on the dark markets and they call them fullz."

The idea here, he said, is that ransomware groups can collect your social insurance number, address, date of birth, etc., so they can then resell them and people can steal your identity.

"They can go get credit, they can get a car loan or whatever it may be. Or in the case of health care, they can often defraud the insurer. They can submit all sorts of fake claims. And then of course, they're getting the money back for those."

A report this summer by the Canadian Centre for Cyber Security warned that Russia and, to a lesser extent, Iran are acting as safe havens for cybercriminals hitting western targets. It also stated hospitals could expect to be targeted, citing a 2021 example where the health-care system in Newfoundland and Labrador was struck with a ransomware attack costing the system $16 million.

Triple stream of revenue for hackers

The southwestern Ontario hospitals have not commented on what the ransom demands were in this case.

But according to Sangster, these high-tech hackers are asking for ransoms in the millions, sometimes in the hundreds of millions.

He says that's due in large part to their triple stream of revenue.

One is the ransom they demand to restore an organization's IT system.

The second is often an extortion fee: now that they've stolen the data, it will cost more to keep it out of the news and private.

The third is effectively the resale of the data, he said.

And then you have to remember you're working with criminals, according to Sangster, so even if you pay them to keep it quiet, they're likely not going to honour their side of the supposed contract.

Unfortunately, a lot of these organizations end up having no choice but to pay the ransom if they believe it's going to accelerate the time to recover the information, he said.

Mark Sangster is the chief of strategy at cybersecurity firm Adlumin Inc. (Amy Dodge/CBC)

The hospitals in southwestern Ontario say that they refused to pay the ransom based on advice they received.

"Our leaders, on advice by our experts that we could not verify claims by the attacker, decided we would not yield to their ransom demands," a joint statement from the hospitals and their IT provider stated. "We are aligned in this position with the governments of 50 nations, including Canada, who have recently pledged to never pay ransom to cybercriminals."

The ransomware attack most likely began, according to Sangster, with an employee who held administrative IT rights being duped by a phishing lure.

He said that after hackers gain access to an IT system, they key in on critical things like medical imaging. Then, he added, they detonate the ransomware and leave a tag indicating how the hospitals can contact them to negotiate an extortion fee.

Hackers threaten reputations by selling to dark web

A technology expert from the University of Toronto says ransomware attacks immediately come with threats of extortion, such as releasing private personal information to try to cause maximum reputational damage to the victims.

Daniel Tsai said the data is normally sold on the dark web, a nefarious place where drug dealers, terrorists, criminal organizations and syndicates can access illicit content and sensitive information.

"Where these hackers basically make it available for those that have the technical know-how to access the dark web," said Tsai.

Daniel Tsai is a technology expert and lecturer at the University of Toronto. (Jennifer La Grassa/CBC)

Once on the dark web, the information might not be readily available in the public sphere per se, but it is at the fingertips of IT experts you wouldn't want having access to your records.

"Information will be sensitive but it can cause quite a bit of grief that medical records get out into that domain, because then anyone can buy that information off the dark web and try to start to blackmail people."

The hospitals have not indicated where the data has been published. They also said that, "Working with leading cybersecurity experts, we continue to investigate to determine the exact data impacted."

Staying tight-lipped 'robs us' of an opportunity to learn

Sangster said instances like the ransomware attack on the five southwestern Ontario hospitals shouldn't be about assigning blame, but rather an opportunity for other organizations to learn and avoid similar attacks in the future.

"When we keep these things really tight-lipped and we say, 'it's with law enforcement and we can't discuss this,' unfortunately it robs us with that opportunity to learn and make sure that our businesses or other hospitals, other critical care services, are not affected in the same way."


The hospitals said they are limited in what they can reveal due to the criminal investigation.

"We will provide more information when we are advised we are in a position to do so," they said in the Thursday statement.

Anyone whose data has been breached will be notified promptly, the hospitals said.