
Ransomware groups don’t abide by promises not to target healthcare

Firefighters and paramedics with Anne Arundel County Fire Department board their ambulance after loading a patient while responding to a 911 emergency call on Nov. 11, 2020, in Glen Burnie, Md. (Photo by Alex Edelman/Getty Images)

It may not be wise to count on criminals to self-regulate.

That is one implication of a new CyberPeace Institute blog post researching the ransomware groups whose malware has been used in attacks on healthcare facilities since May 2020. Of the 39 groups the institute has tracked, 12 had previously issued statements saying they would not target healthcare.

CyberPeace Institute tracks attacks on healthcare on its Cyber Incident Tracer (CIT) #HEALTH site.

Some healthcare facilities may have been hit by accident, as when a university hospital is encrypted by actors who believed they were targeting a university. Other attacks may be the work of a single affiliate acting against the wishes of the ransomware platform, or of a platform that itself does not care. Bernhard Schneider, an analyst with the institute who wrote the blog post, told SC that, in the end, it does not really matter.

"Even if such a mistake does happen, and they did provide the decryption key, the hospital's still out of work. Many of its systems are still disrupted for weeks afterwards," Schneider said. "Even if there is no malicious intent behind it, even if you provide the decryption key, the damage is done."

LockBit, whose leak site hosts documents from the second-highest number of healthcare victims among the groups profiled, claims not to allow its affiliates to target healthcare.

Healthcare can make a tempting target for ransomware actors, who are keenly aware of the life-or-death stakes a medical facility would face by not paying a ransom. The FIN12 affiliate group profiled by Mandiant is known to target healthcare, and CyberPeace Institute found five ransomware platforms that had explicitly released statements saying they would target healthcare or had promoted healthcare as a target on their forums.

Ransomware groups have typically issued statements about which victims their affiliates may and may not attack after high-profile incidents threatened to bring law enforcement down upon them. After the Colonial Pipeline attack, for example, DarkSide announced it would no longer allow its affiliates to target critical infrastructure. DarkSide shut down in the fracas following the Colonial attack, only to relaunch as BlackMatter, a group whose affiliates CyberPeace Institute says have targeted healthcare despite policies against it.

Ransomware is often framed as a brand-reputation industry, since victims will not pay ransoms to groups that do not return data after payment. But a brand that fails to self-regulate its choice of targets faces no comparable risk.

"Any claims by ransomware groups that they will not target a specific sector are completely worthless," said Allan Liska, a ransomware expert with Recorded Future. "Ransomware actors have shown over and over again that money rules above all else and they will go after any target that is profitable."

Schneider noted that the potential divide between a ransomware platform's stated policy and its affiliates' practices demonstrates some of the dangers of viewing the ransomware industry as a collection of monolithic actors rather than as a complex economy.

"One of the things that the ransomware operators provide for their affiliates and also one of the reasons why they take such a big share for essentially just maintaining the ransomware is they give these ransomware affiliates a scapegoat," he said. "If law enforcement goes after the ransomware operator, that operator might be dismantled, but an affiliate can just wander off to the next operator and use them as an umbrella."
