From Clinfowiki
Jump to: navigation, search

Ransomware is a type of malware (malicious software) that limits users from accessing all or part of their computer unless a ransom is paid, often in the form of cryptocurrency such as Bitcoin. Some forms of ransomware lock a computer’s screen and display a demand for payment. [1] The victim’s files remain untouched, however, and this form of ransomware can sometimes be removed without paying the attacker. [2] Newer ransomware called cryptoviral extortion encrypts a user’s files. This more advanced form of malware renders files inaccessible even if the malware is removed. [3] Thus, the victim must pay the attacker for the decryption key in order to regain access to his files.

History of encrypting ransomware

In 1989, Joseph Popp created the first known encrypting malware called the “AIDS Trojan” which was distributed on floppy disks via snail mail. This malware was limited in its design. The AIDS Trojan only encrypted the names of files and not the files themselves. Furthermore, the trojan used symmetric encryption (where the same key is used to encrypt and decrypt files) and the decryption key could be extracted from the code of the trojan. This made it unnecessary to pay ransom to reverse the effects of the trojan. [4]

The idea of using asymmetric or public key encryption was introduced by researchers Adam L. Young and Moti Yung 1996 at an IEEE symposium. [5] Actual ransomware using this scheme became increasingly common after 2005. [6] In asymmetric encryption, a different key is used for encryption (the public key) and for decryption (the private key). The public key is used to encrypt the victim’s files while the private key is known only to the creators of the ransomware. The ransomware’s effects cannot be overcome without paying for the private key. [5]

Mechanism of encryption

More recent malware such as CryptoLocker and WannaCry use a hybrid model combining asymmetric and symmetric encryption to capitalize on the strengths of both schemes. Using asymmetric keys allows the attackers to keep the private key secret. Symmetric keys allow encryption to occur more efficiently, enabling victim files to rapidly be encrypted. [7]

  1. The attacker creates a key pair. The public key is placed in the code of the malware. The private key is kept secret and known only to the attacker.
  2. When the malware is run on the victim’s computer, a random symmetric key is created locally and used to encrypt all of the victim’s files. This symmetric key is then itself encrypted by the public key in the malware and generates an asymmetric ciphertext. A message is sent to the victim with the asymmetric ciphertext and information on how to pay the ransom. The victim then sends both payment and the asymmetric ciphertext to the attacker.
  3. When the ransom is received, the attacker uses the private key to decrypt the asymmetric ciphertext to reveal the victim’s symmetric key. The symmetric key is sent to the victim.
  4. The victim then uses the symmetric key to decrypt the files. [8]

How ransomware infects computers

  • Email – Emails may contain infected attachments or links to infected websites.
  • Compromised Websites – Websites may have exploit kits which can infect a computer without any clicking. These websites contain malicious code that take advantage of vulnerabilities in software or browsers. If such a vulnerability exists (e.g., software patches that are not up to date), the exploit kit uses the vulnerability to download ransomware. [9] [10] [11] Even visiting reputable websites can expose a victim to exploit kits. For example, in 2016, malicious advertisements containing exploit kits affected The New York Times, the BBC, MSN, and AOL. [12]
  • Wormlike behavior – Certain ransomware uses a computer’s software vulnerabilities to spread throughout networks. For example, WannaCry and Petya spread via EternalBlue MS17-010. It exploited a vulnerability in Microsoft Windows operating system, specifically the network file sharing protocol Server Message Block 1.0 (SMB). This vulnerability allowed “applications on a computer to read and write to file and request services”, and the ransomware was distributed throughout local networks without any user action. Computers without the appropriate security patch were then infected and could spread the ransomware further. [13] [14]

Ransomware targets healthcare

The healthcare industry is a prime target for cyberattacks such as ransomware for many reasons.

Ease of attack

Hospital networks are quickly expanding to meet government requirements such as increased electronic health record information exchange. [15] However, the cybersecurity of these networks is not as robust as that of other industries like finance. The primary focus of healthcare IT systems is often patient care and rapid accessibility rather than cybersecurity [16][17]. In fact, it is estimated that less than 5% of hospital IT budgets are spent on security and there are often long delays before security patches are implemented [18] [19]. Hospitals are thus seen as “soft targets.”

Hospitals are more likely to pay ransom

Hospitals depend on rapid access to data in order to provide patient care. Ransomware attacks can result in compromised delivery of healthcare and lawsuits if patients suffer harm from delayed or cancelled appointments and procedures. This makes hospitals more likely to pay ransom to quickly regain access to critical and often irreplaceable data. [6] [20]

Healthcare data is valuable

Health data includes sensitive information such as social security numbers, insurance details, addresses, etc. Attackers can use this extensive information to perpetrate medical fraud and identity theft, access financial information, and extort money by threatening to reveal a victim’s personal history (15). The variety of possible criminal uses makes healthcare data valuable. A single patient’s health record can be sold on the black market for between $1.50 and $10. [21] This is up to ten times more valuable than a person’s credit card details. [22] However, this black market price of a single complete health record has actually fallen in 2016 due to the growing supply of breached healthcare data. (In 2015, the Department of Health and Human Services’ Office for Civil Rights estimates 113 million healthcare records were breached. [23] Before these large breaches, in 2012, a single record used to fetch $50 to $60 dollars. This fall in health record price has actually encouraged the number of ransomware attacks as cybercriminals need to steal more health records (or extort ransom) in order to achieve the same profit. [21]

The threat of ransomware to healthcare organizations is only expected to grow. The Verizon DBIR 2017 report showed that healthcare was the number two industry target for ransomware, behind Public Administration and ahead of Financial Services. In 2017, 72% of all malware incidents in the healthcare sector involved ransomware. [16] And the 2017 Experian Data Breach Industry Forecast report predicts that healthcare organizations will become the industry most heavily targeted by cybercriminals. [24]

Notable ransomware attacks on healthcare systems

  • February 5, 2016 – Hollywood Presbyterian Medical Center, a 434-bed acute care hospital, experienced a Locky ransomware attack and lost access to its computer systems. This caused severe disruptions and hospital staff had to rely on pen-and-paper. The systems were restored after the Hollywood Presbyterian paid the attackers $17,000 in bitcoin ransom. [25]
  • March 28, 2016 – 10 hospitals and 250 outpatient centers in the MedStar network, Washington DC were affected by ransomware, forcing a temporary shutdown of electronic health and email systems. [26]
  • March 2016 – Methodist Hospital in Henderson, KY was affected by ransomware and declared an “internal state of emergency” for five days until data was restored from backups. [6] [27]
  • March 18, 2016 – Chino Valley Medical Center and Desert Valley Hospital in Southern CA were attacked by ransomware. Affected computers and some hospital servers were temporarily taken offline in order to prevent further spread. Patient health records were not compromised but the attack caused significant disruption. [28]
  • 2017 – UK National Health Service – The WannaCry ransomware variant affected 48 UK NHS hospital trusts. Doctor’s offices were shut down, affected hospitals diverted patients to other facilities, and non-critical appointments and surgeries were canceled. [29]
  • May 2017 – The first reports emerged of ransomware compromising medical devices in US hospitals. These attacks affected Bayer Medrad Windows-based devices [30]

WannaCry: Attack on the NHS – a primary care practice perspective

--Samsun (talk) 22:51, 27 October 2020 (UTC)

On May 12th, 2017, global ransomware called WannaCry locked out over 230,000 computers in at least 150 countries, including the NHS in the U.K.[35]. Although the NHS was not the primary target, this cyber attack directly affected 34 percent of the hospital trusts and 8 percent of primary care practices, causing significant disruption to the services due to the cancellation of thousands of patient visits and operations. During this time, primary care practices, although not directly affected, had to shut down the computer system to prevent any further spread. So, the practices had to resort to manual processes of recording notes, reporting test results, and referrals, not to mention managing the disgruntled patients, the subsequent backlog it created, especially catching up with the sudden influx of test results and letters and the time spend input all of the handwritten notes into the Electronic Health Record (EHR).

It was reported that this ransomware, which exploited a known weakness in computers running Windows, could have been prevented had security updates from Microsoft were applied promptly, a robust firewall been set up on the NHS broadband network, and legacy platforms like Windows XP were updated to newer operating systems. No ransom was reportedly paid, and the malicious software was halted in the evening of the same day when an independent cybersecurity researcher inadvertently found and activated an inbuilt “kill-switch”[36]. Although a patch was released by Microsoft the following day, some primary care practices had to wait almost seven days before it was applied to their system, causing further disruption of services.

A report published by the National Audit Office[37] highlighted that though the Department of Health had a plan to deal with such a situation, this had not been tested at a local level. The NHS had also not rehearsed for such a cyberattack, which led to the initial confusion as to who would lead the response to the attack. Though the need for maintaining emergency care was identified as a priority, there was a lack of clear and timely communication with all the relevant stakeholders. It is estimated that the WannaCry ransomware attack cost the NHS £92 million, which included £20 million due to lost outputs from canceled appointment and operations, and a further £72 million to deal with the aftermath related to the recovery of the data and the restoration of the systems[38].

NHS England, in its report[35], acknowledged the inadequacies within the system and highlighted plans to strengthen NHS' cyber-security, based on the key lessons that were learned from the incident. These included developing a response plan in the event of a cyberattack and establishing the resources' roles and responsibilities. It also emphasized the need to have regular monitoring of all software, ensure that they are up to date, any critical patches are applied promptly, and ensure essential and timely communication with all relevant stakeholders. Above all, it emphasized leaders, organizations, and their staff's responsibility in taking cyber threats seriously, understanding the associated risks, and proactively taking measures to mitigate these risks.

NHS Digital produced a Data Security Standards guide, which layouts ten standards to mitigate the risk of a future cyberattack, addressing issues around the three main entities – people, process, and technology. The fundamentals of it being: People: ensure staff is equipped to handle information respectfully and safely, according to the Caldicott Principles. Process: ensure the organization proactively prevents data security breaches and responds appropriately to incidents or near misses. Technology: ensure technology is secure and up-to-date.

Also, the Department of Health and Social care reported in 2018 that the NHS would spend £150 million to bolster its cybersecurity to prevent a further cyberattack like the WannaCry[39]. A subsequent report by Comparitech[40], a company that provides consumers privacy information, tools, and comparisons, underlines a relative reduction in the number of recent cyberattacks in the U.K., which according to them, could be a result of the “effective” measures implemented to thwart another cyberattack, with increased spending on measures to improve cybersecurity, practices, and training for their staff.

Impact of ransomware attacks on health systems

Ransomware attacks in healthcare systems are extremely damaging. First they endanger patient safety by preventing access to critical information in the medical record – e.g., allergies, medication lists, lab results, treatment plans, etc. Without this information, medical care can be rendered incorrectly or delayed. [20]

Legal ramifications for hospitals

As a result of the attack, a hospital may be subject to government action under the HIPAA Security Rule. [20] [31] A ransomware attack is considered a “security incident” defined as “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Due to the increasing frequency of ransomware attacks, the U.S. Department of Health and Human Services released a fact sheet giving detailed guidance regarding ransomware and requirements such as reporting of security incidents. [32] This fact sheet clarified that a ransomware infection is considered a HIPAA breach, defined as “… the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which comprises the security or privacy of the PHI.” [33] Specifically, ransomware encryption of protected health information is a breach since the data “was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.” [32]

How to prevent ransomware infections

  • Keep software updated with patches and security updates – this leaves fewer vulnerabilities for malware to exploit
  • Run antivirus software and keep it up-to-date
  • Do not click pop-up windows or links in suspicious emails.
  • Back up data so that if a system becomes infected, the data can be restored.
  • Have an organizational security plan
  1. Set a companywide schedule for computers to get the latest software updates
  2. Educate employees on security awareness and data hygiene [34]


  1. Ransomware. Trend Micro. Published 2017. https://www.trendmicro.com/vinfo/us/security/definition/Ransomware.
  2. Geier E. How to rescue your PC from ransomware. PCWorld. Published April 3, 2017. https://www.pcworld.com/article/2084002/security/how-to-rescue-your-pc-from-ransomware.html
  3. Nagpal B, Wadhwa V. (2016) Cryptoviral Extortion: Evolution, Scenarios, and Analysis. In: Lobiyal D, Mohapatra D, Nagar A, Sahoo M. (eds) Proceedings of the International Conference on Signal, Networks, Computing, and Systems. Lecture Notes in Electrical Engineering, vol 396. Springer, New Delhi
  4. Wilding E., Skulason F. (eds) Virus bulletin. The authoritative international publication on computer virus prevention, recognition, and removal. Published Jan 1990. https://www.virusbulletin.com/uploads/pdf/magazine/1990/199001.pdf
  5. Young, A, Yung M. (1996). Cryptovirology: extortion-based security threats and countermeasures. IEEE Symposium on Security and Privacy. pp. 129–140. ISBN 0-8186-7417-2. doi:10.1109/SECPRI.1996.502676
  6. Zetter Kim. Why hospitals are the perfect targets for ransomware. Wired. Published Mar. 30, 2016. https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/
  7. Kappuswamy P, Al-Khalidi SQY. Hybrid encryption/decryption technique using new public key and symmetric key algorithm. MIS Review Vol. 19, No. 2, March (2014), pp. 1-13 DOI: 10.6131/MISR.2014.1902.01 https://pdfs.semanticscholar.org/87ff/ea85fbf52e22e4808e1fcc9e40ead4ff7738.pdf
  8. Can files locked by WannaCry be decrypted: a technical analysis. Symantec. https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
  9. Crowe J. Ransomware FAQ: how ransomware infects your computer. Barkly. https://blog.barkly.com/how-ransomware-infects-computers#infection Published Sept 2016.
  10. How ransomware infects computers. McAfee. https://www.mcafee.com/us/security-awareness/articles/how-ransomware-infects-computers.aspx
  11. Ransomware FAQ. Windows Defender Security Intelligence. https://www.microsoft.com/en-us/wdsi/threats/ransomware
  12. Goodin, D. Big-name sites hit by rash of malicious ads spreading crypto ransomware. Ars Technica. Published Mar 15, 2016. https://arstechnica.com/information-technology/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
  13. Grobman, S. WannaCry: the old worms and the new. McAfee. https://securingtomorrow.mcafee.com/executive-perspectives/wannacry-old-worms-new/ Published May 12, 2017.
  14. Burgess, M. Everything you need to know about EternalBlue – the NSA exploit linked to Petya. Wired. Published June 28, 2017. https://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch
  15. Kruse CS, Frederick B, Jacobson T, Monticone DK. 2017. Cybersecurity in healthcare: a systematic review of modern threats and trends. Technology and Health Care 25 (2017) 1-10.
  16. 2017 Data breach investigations report. 10th ed. Verizon. http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
  17. Bai G, Jiang J, Flasher R. Hospital risk of data breaches. JAMA Intern Med. 2017;177(6):878-880. doi:10.1001/jamainternmed.2017.0336
  18. AHC Media LLC. Hackers target hospitals with “ransomware”. ED LEGAL LETT. 2016 Apr; 27(4): also available https://www.ahcmedia.com/articles/137468-hackers-target-hospitals-with-ransomware
  19. Newman, LH. The ransomware meltdown experts warned about is here. Wired. Published May 12, 2017. https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/
  20. Cohen IG, Hoffman S, Adashi EY. Your money or your patient’s life? Ransomware and electronic health records. Ann Intern Med. 2017;167(8):587-588
  21. Increase in ransomware and cyberattacks linked to fall in price of health data. HIPAA Journal. Dec 2016. www.hipaajournal.com/increase-in-ransomware-and-cyberattacks-linked-to-fall-in-price-of-health-data-8622.
  22. Chinthapalli K. The hackers holding hospitals to ransom. BMJ 2017;357:j2214
  23. 2015: the year of the healthcare data breach. HIPAA Journal. Published Dec. 29, 2015. https://www.hipaajournal.com/2015-the-year-of-the-healthcare-data-breach-8239/
  24. Fourth annual 2017 Data Breach industry forecast. Experian. https://www.experian.com/assets/data-breach/white-papers/2017-experian-data-breach-industry-forecast.pdf
  25. Winton R. Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating. Los Angeles Times. Published Feb 18, 2016. http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
  26. Virus forces shutdown of Medstar Health System’s 10-hospital computer network. HIPAA Journal. Published Mar. 29, 2016. https://www.hipaajournal.com/virus-forces-shutdown-medstar-health-systems-10-hospital-computer-network-3372/
  27. Monegain B. Methodist Hospital recovering from five day ransomware attack, claims it did not pay up. HealthcareITNews. Published Mar. 22, 2016. http://www.healthcareitnews.com/news/methodist-hospital-recovering-five-day-ransomware-attack-claims-it-did-not-pay
  28. Two more Californian hospital ransomware attacks reported. HIPAA Journal. Published Mar. 23, 2016. https://www.hipaajournal.com/two-more-californian-hospital-ransomware-attacks-reported-3368/
  29. Erlanger S, Bilefsky D, Chan S. U.K. Health Service ignored warnings for months. The New York Times. Published May 12, 2017. https://www.nytimes.com/2017/05/12/world/europe/nhs-cyberattack-warnings.html
  30. Fox-Brewster, T. Medical devices hit by ransomware for the first time in US hospitals. Forbes. Published May 17, 2017. https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#75b8806b425c
  31. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-91 (1996).
  32. Department of Health and Human Services. Fact Sheet: Ransomware and HIPAA. Accessed at www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf on 26 May 2017.
  33. 45 C.F.R. § 164.302-.318 (2016).
  34. Chen, BX. How to protect yourself from ransomware attacks. The New York Times. Published May 15, 2017. https://www.nytimes.com/2017/05/15/technology/personaltech/heres-how-to-protect-yourself-from-ransomware-attacks.html
  35. W. Smart and S. House, “Lessons learned review of the WannaCry Ransomware Cyber Attack,” p. 42.
  36. N. K. O. S. in S. Francisco, “‘Accidental hero’ halts ransomware attack and warns: this is not over,” The Guardian, May 13, 2017.
  37. “Investigation-WannaCry-cyber-attack-and-the-NHS.pdf.” Accessed: Sep. 02, 2020. [Online]. Available: https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf.
  38. “Department of Health and Social Care puts cost of WannaCry to NHS at £92m,” Digital Health, Oct. 12, 2018. https://www.digitalhealth.net/2018/10/dhsc-puts-cost-wannacry-nhs-92m/ (accessed Sep. 02, 2020).
  39. “NHS to spend £150m on cyber security to bolster defences after WannaCry attack.” https://www.independent.co.uk/news/health/cyber-attacks-nhs-wannacry-security-investment-microsoft-a8327091.html (accessed Sep. 02, 2020).
  40. “Ransomware Attacks on Hospitals & Healthcare Cost $157m since 2016,” Comparitech, Feb. 11, 2020. https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/ (accessed Sep. 01, 2020).

Submitted by Abigail Huang