Double extortion ransomware and patient data protection

With access to a network and holding data for ransom, it’s no surprise that ransomware is one of the most pressing and diabolical threats faced by cybersecurity teams. Causing billions in losses around the world, it has stopped critical infrastructure like healthcare services in its tracks, putting the lives and livelihoods of many at risk.

To better understand how ransomware attackers think, what they value and how they approach applying the most pressure on their victims to get payment, Rapid7 recently released a report titled ‘Paint Points: Ransomware Data Disclosure Trends’, revealing insights on the data that threat actors prefer to collect and release.

The report investigates the trend pioneered by the Maze ransomware group, of “double extortion”, examining the contents of initial data disclosures intended to coerce victims to pay ransoms.

Threat actors have upped the ante by using double extortion as a way to inflict maximum pain on an organisation. Through this method, not only are threat actors holding data hostage for money, but they threaten to release that data (either publicly or for sale on dark web outlets) to extract even more money from companies.

The report identified the types of data attackers initially disclose to coerce victims into paying ransoms, highlighting how leaked data differs by threat actor group and target industry.

One of the more interesting results was a clearer understanding of the state of ransomware threat actors. It’s essential to know your enemy, and this analysis can pinpoint the evolution of ransomware groups, what data the individual groups value for initial disclosures and their prevalence in the market.

Heightened risks for health care

When it comes to the healthcare and pharmaceutical industries, there are some notable similarities that set them apart from other industries. For instance, internal finance and accounting files showed up most often in initial ransomware data disclosures for healthcare and pharma than for any other industry (71%), including financial services (where you would think financial information would be the most common).

After that, customer and patient data showed up more than 58% of the time — still very high, indicating that ransomware attackers value this data from these industries in particular. This is likely due to the relative amount of damage (legal and regulatory) these kinds of disclosures could have on such a highly regulated field (particularly health care).

All eyes on IP and patient data

Intellectual property (IP) disclosures in healthcare settings are different compared to pharmaceuticals — the healthcare industry focuses mostly on patients, so it makes sense that one of its biggest data disclosure areas would be personal information, but the pharma industry focuses much more on research and development than it does on the personal information of people. In pharma-related disclosures, IP made up 43% of all disclosures. Again, the predilection on the part of ransomware attackers to “hit ’em where it hurts the most” is on full display here.

Finally, different ransomware groups favour different types of data disclosures, as our data indicates. For customer and patient data, REvil took the top spot with 55% of its disclosures containing such data, with Darkside behind them at 50%. Conti and Cl0p followed with 42% and 40%, respectively.

Security recommendations

There is no silver bullet to the ransomware problem, but there are silver linings in the form of best practices to help you protect against ransomware threat actors and minimise the damage, should they strike. This report offers several suggestions aimed around double extortion, including:

• Going beyond backing up data and including strong encryption and network segmentation.
• Prioritising certain types of data for extra protection, particularly for those in fields where threat actors seek out that data to put the hammer to those organisations the hardest.
• Understanding that certain industries will be targets of certain types of leaks, and ensuring that customers, partners and employees understand and are prepared for the heightened risk of disclosures of those types of data.

Image credit: ©stock.adobe.com/au/A Stefanovska