Ransomware is becoming a psy-ops assault on healthcare executives

COMMENTARY: In the military, it’s called a “psy ops” campaign: efforts to get inside the heads of adversaries and make them anxious and fearful.

The latest wave of ransomware attacks likewise has a psychological aspect. The aim is not just to steal or compromise data. There’s now an extra layer of bullying and harassment that can make ransomware incidents emotionally devastating.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

It’s not uncommon for ransomware bandits to send taunting emails to healthcare executives designed to fray their nerves during the ongoing negotiations. In some cases, bad actors are even directly contacting patients — the fastest way to spread fear and reputational damage across an entire health system.

Ransomware incidents are inherently stressful, and threat actors know that ratcheting up the stress on key decision-makers can lead to swifter success. It’s not difficult to learn the identities of hospital CEOs and CFOs, thanks to networking sites like LinkedIn. Once the cyber criminals make a connection, they wear down the executives with emails like this: “We know that you’re racking up a lot of expenses due to IT overtime, regulatory penalties and paying your forensics team. That’s going to add up to six or seven million dollars, so why don’t you pay us our $1.2 million and we can go our separate ways?”

Today’s threat actors aren’t gentlemanly criminals like the jewel thieves seen in movies. Another psychological ploy is to start breaking things immediately to get the full attention of hospital leaders. By being destructive from the get-go, executives’ nerves are frayed long before they experience the added stress of dealing with stern regulators and an alarmed public.

I recently consulted on a case where ransomware attackers didn’t use the typical read-me file or a flashy wallpaper change to announce the attack. Instead, they sent out emails to the entire executive team and began to taunt and bully them.

Ransomware 2.0 getting more destructive

Ransomware attacks used to rely heavily on data encryption, but now only about 25% of them do. A recent study found that attacks are now likely to include:

Another recent study found that nearly half of ransomware attackers now threaten to file reports with the HHS’s Office for Civil Rights.

The study also confirmed what we’ve known for a long time: cyber criminals usually break their promises. About 40% of hospitals that get hit fail to recover all their data. Either the decryption tools the attackers provide don’t work properly, or the thieves just take off without offering any recovery tools.

Healthcare facilities that get hit repeatedly with ransomware are often juggling too many security tools that don’t integrate well, leading to serious blind spots. Simply put, there’s no “single pane of glass” uniting all these tools when they’re needed most.

But an even bigger problem is that many hospitals aren’t fully utilizing the tools they’ve implemented. For example, a facility might purchase Security Tool A, yet only make use of 75% of its capabilities. That creates a need for Security Tool B and so on. Soon the hospital has more security tools than its staff can effectively monitor.

Steel yourself for psychological warfare

Both hospital IT teams and executives need to brace themselves for the new wave of ransomware attacks that are getting increasingly malicious and nerve-wracking. Don’t expect it to be a picnic because the attackers are intentionally trying to elevate stress levels in order to achieve their goals faster.

It’s important to remember that harassment and bullying are now baked in to every ransomware attack. These are proven psychological ploys — and the best way to rebuff them is to have a ransomware response plan in place long before the intimidation begins.