WannaCry and Hollywood hospital ransomware attacks crossed a line for some cybercriminals

The ransomware infection that disrupted Hollywood Presbyterian Medical Center in 2016 and the worldwide WannaCry attack in 2017 caused an ethical and philosophical rift among members of the Russian and Eastern European cybercriminal community, according to a new report.

Based on an analysis of dark-web chatter conducted by Flashpoint and Anomali, both of these ransomware incidents crossed a line with certain cybercrime forum administrators and members, causing them to condemn the attacks and in at least one case even call for the banning of ransomware. Others showed no mercy, asserting that ransomware is a lucrative business, and the end justifies the means.

Those who disavowed or showed distaste for ransomware following the attacks often did so for one of two key reasons: the potential of causing actual physical harm to individuals, and the negative impact that ransomware incidents could have on their future business prospects.

Concerns over causing physical harm emerged after the February 2016 Hollywood hospital attack, which disabled computer systems at the medical facility, affecting daily operations and forcing administrators to transfer some patients elsewhere.

According to the report, a "majority" of the Russian and Eastern European cybercriminal community condemned the attack, with one reputable member of a top-tier Russian cybercrime forum declaring, “From the bottom of my heart, I sincerely wish that the mothers of all ransomware distributors end up in the hospital, and that the computer responsible for the resuscitation machine gets infected with [the ransomware]…”

However, others were unmoved, with one forum member arguing that, ultimately, the attack worked, as the hospital paid the $17,000 (or 40 bitcoin) ransom.

The May 2017 WannaCry attack also triggered a new round of ethical debates. But on a more pragmatic level, cybercriminals also expressed concern that ransomware attacks were becoming too high-profile and could ultimately damage their other revenue streams.

"We're digging our own grave," lamented one threat actor, who suggested prohibiting ransomware from cybercriminal forums. Nearly half of the responses to this comment – 48.5 percent – were in favor of such a ban.

This same actor said that high-profile ransomware attacks were motivating companies to improve their security measures and improving the public's awareness of information security issues. He (or she) also complained that ransomware "kills malware tools predicated on loaders, js (javascript execution), doc macro (payloads) etc., as these get blocked everywhere."

The individual also griped that the ransomware business lacks sophistication, noting that it's "built not on intelligence and mental dexterity, but on brute-force and luck."

Researchers also observed cybercriminals expressing concern that ransomware attacks could easily inflict damage on organizations in Russia and other former Soviet nations comprising the Commonwealth of Independent States (CIS). If that happens, Russian authorities could crack down heavily on local cybercriminal forums, which experts say are normally left alone as long as CIS assets are not impacted.

Again, not all forum members agreed, with one threat actor calling one's use of ransomware, including who gets victimized, a personal decision.

"There is only one rule: don't target Russia," the actor said.

The WannaCry and the hospital attacks were not the only incidents to create a divide between cybercriminals. "The NotPetya ransomware outbreak also contributed to the rift due to its significant impact on Russian individuals and institutions," said Vitali Kremez, director of research at Flashpoint, in an email interview with SC Media.

Kremez suggested that the WannaCry and NotPetya attacks could even impact how cybercriminal forums operate moving forward.

"By and large, the WannaCry and [NotPetya] ransomware attacks will likely cause underground administrators to more strictly enforce the rule about not targeting Russia in regards to ransomware sold on Eastern European underground forums," continued Kremez, who authored the report along with Anomali's director of security strategy Travis Farral. "Ransomware may also continue to fall under scrutiny within cybercrime communities if it attracts the attention of the Russian government and causes that government to increase measures to monitor and collect telecommunications data from such communities."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
