It's the old story of supply and demand meets innovation curve. Pity the poor hacker competing with state agencies and data brokers like Experian (yes, the same folks whose "free credit monitoring services" are offered as palliative to those victimized by high-profile database hacks) openly cashing out personally identifiable information they've collected. As the selling price of personally identifiable information (PII) declines—bank loan applications go for as little as $.50 cents each (depending on purchase volume) in the unregulated data brokering marketplacei—professional purveyors of purloined PII have become more innovative in how they monetize their activities.
In addition to data brokers, consider the competition a hacker faces from states like Pennsylvania that depend on revenues from the sale of citizen PII contained on driver's licenses (name, address, birthdate, driving record: sold for $9 per individual) as a source for millions of dollars in revenueii. Selling hacked PII on the deep web is like a giant reverse auction in which the sheer volume of acquired identity information drives down price, meanwhile without legally enforceable contracts to guarantee payment on product (identities) provided. Little wonder that holding data hostage through encryption, rather than stealing it for resale, is one of the emerging top cyber threats in 2016. Whereas Symantec observed about 1,000 attacks per day in 2015, it observed 4,000 per day in January 2016iii. Clearly, the word (and tools and techniques) are getting out among the hacker community. And with pre-packaged ransomware (e.g., CryptoLocker/Cryptowall) kits available for as little as $3,000iv the profit/risk ratio is very attractive.
When choosing a victim, the logical hacker must calculate both willingness and capacity to pay. Individuals (and organizations) in certain countries are known for being more open to paying ransom. For example, 50% of Americans reporting in one study said that they had paid ransom, versus only 33% of Germans and 14% of Danes. Not surprisingly, "21.2% of all ransomware-infected emails sent globally target the US, with the UK and France coming second and third, with 9.1 percent and 3.85 percent."v Combine that individual willingness to pay with the mission of maintaining patient wellbeing and existence of sufficient funding, and attacks on hospitals become reasonable. The threat of disrupted medical care service delivery convinced Hollywood Presbyterian Hospital executives to pay hefty "data restoration" fees—$17,000—in February 2016 when staff could not access systems. MedStar Health in Maryland was hit in early April with a $19,000 ransom.
Hospitals that refuse to pay may face the reputation loss of having sensitive patient information posted online, as was the case with Labio (UK). After management refused to pay the 20,000-pound demand, hacker group Rex Mundi posted patient test resultsvi.
The guys in the white hats (not white coats) are fighting back, however. Perpetrators of the Locky ransomware variation, reported as infecting up to 100,000 computers per day earlier this year, proved hackable. "Pranksters have infiltrated the control system behind the infamous Locky ransomware and replaced the malware’s main payload with a dummy file." The 12K replacement file delivers the message "Stupid Locky," rather than anything executablevii.
Meanwhile, those of us who are not knowledgeable about hacking techniques (regardless of hat color) can thwart would-be data kidnappers and hostage takers. Back up valuable data assets to an offline location. Disrupt that profit model. Don't be susceptible to hackers putting the squeeze on you or your organization.
iGregory Maus (24 August 2015), "How Corporate Data Brokers Sell Your Life, and Why You Should Be Concerned," The Stack. Retrieved from https://thestack.com/security/2015/08/24/how-corporate-data-brokers-sell-your-life-and-why-you-should-be-concerned/
iiJohn Shumway (3 May 2016), "Lawmaker Introduces Bill To Stop PennDOT From Selling Personal Information," CBS. Retrieved from http://pittsburgh.cbslocal.com/2016/05/03/lawmaker-introduces-bill-to-stop-penndot-from-selling-personal-information/
iiiGreg Otto (29 April 2016),"Ransomware Attacks Quadrupled in Q1 2016," FedScoop. Retrieved from http://fedscoop.com/ransomware-attacks-up-300-percent-in-first-quarter-of-2016
ivLiviu Arsene and Alexandra Gheorghe (2016), "Ransomware: A Victim's Perspective," Bitdefender. Retrieved from http://www.bitdefender.com/media/materials/white-papers/en/Bitdefender_Ransomware_A_Victim_Perspective.pdf?awc=2873_1462563986_efb08a3c5f2a6fad1a05f27e7396c44a
vArsene and Gheorghe.
viDISSENT (17 March 2015), "As Threatened, Rex Mundi Dumps Labio Patients’ Diagnostic Test Results," Data Breaches. Retrieved from http://www.databreaches.net/as-threatened-rex-mundi-dumps-labio-patients-diagnostic-test-results/
viiJohn Leyden (5 May 2016), "Suck On This: White Hats Replace Locky Malware Payload With Dummy," The Register. Retrieved from http://www.theregister.co.uk/2016/05/05/locky_ramsomware_network_hacked/