The Reminger Report: Emerging Technologies
Ransomware Attacks: Cybersecurity and Legal Preparedness
In this episode of the Reminger Report Podcast on Emerging Technologies, host Zachary Pyers, Esq., is joined by Kate Osterback, a rising 3L at Ohio State University Moritz College of Law, to discuss the pervasive and escalating threat of ransomware attacks. Kate, who developed an interest in this topic after being personally affected by the Change Healthcare ransomware attack, provides a deep dive into the mechanics of ransomware, its history, and its devastating impact on the healthcare sector.
Key Discussion Points:
- Understanding Ransomware
- Change Healthcare Attack
- Legal and Jurisdictional Challenges
- Prevention and Preparedness
- Practical Advice for Law Firms
ZBP Zachary B. Pyers, Esq.
KO Kate Osterback
| ZBP | Welcome to the special edition of the Reminger Report Podcast on Emerging Technologies. My name is Zach Pyers and I am here today joined by one of our law clerks, Kate Osterback. Did I pronounce that correctly?
| KO | Yeah.
| ZBP | Okay. Great. And she’s been with us over, for the last several weeks, and today she is joining us on a special topic that she has chosen, Ransomware Attacks. Kate, if you would first, tell us a little bit about yourself and then if you would, tell us how you decided to choose this topic.
| KO | Of course. I am a rising 3L at Ohio State University Moritz College of Law. I’m originally from Washington State, but before law school, spent some time working in government and public policy, which really got me interested in big problems that often require big solutions. I think ransomware is one that fits into that category, but I specifically encountered it really for the first time this past Spring. I was affected by the Change Healthcare ransomware attack that I would imagine many people are familiar with. It impacted – they estimate one in three Americans. Change is a company that connects to a lot of different insurers, providers, pharmacy providers, all sorts of things. And I was in a computer crime class at the time, and I chose ransomware as the topic of my paper, and before I knew it, I had done a deep dive into the world of ransomware, and now I’m one of those people that loves talking about it and wants to make sure everybody knows about it.
| ZBP | We’re quite happy to have you today and happy to have you talking about it. So if you would, before we kind of jump in – and I’m sure a lot of our listeners, and viewers for that matter, have heard of the term ransomware but may not necessarily have a great grasp on it – could you kind of explain, you know, what ransomware is, why it’s such a big deal and especially, you mentioned the attack in the Spring, why it’s a big deal for the healthcare sector.
| KO | Yeah, of course. So, first off, I’ll admit I’m not a tech expert. I have no background in computer science, so anyone out there who does, I request your grace, but hopefully that means I’ll be able to explain things in a way that a lot of different folks can understand. So ransomware is a type of malicious software that gets installed on someone’s computer or their system. A lot of folks have heard of computer viruses or Trojan viruses. Ransomware is usually a type of Trojan virus. It has existed for quite a long time. The very first ransomware attack occurred in 1989. The malicious software was actually loaded on floppy disks, you know the big ones that --
| ZBP | Right.
| KO | -- we used to have. And they were mailed to attendees of a World Health Organization conference. They gathered a bunch of AIDS researchers and someone decided to target this group of people, mailed these disks, said, you know, put this in your computer, install this program, you’ll have access to this huge dataset, this new dataset about folks with AIDS. So folks all over the world did this and when they ran that program, a screen popped up that essentially locked their whole computer. They couldn’t get past it. They couldn’t log in. They couldn’t access anything on their computer. And the message said to receive the code to unlock the computer, mail money – this amount of money to this address. So that was the first time that we know of that ransomware occurred. And essentially, that form of ransomware, if it’s installed on your computer, it’s like your whole computer is put in a safe and then the safe is locked and you don’t know the code, and the only way to get that code is to engage with the person who has created the software. Recently it’s become much more sophisticated with the advent of encryption. Many of us encounter the idea of encryption when it comes to keeping our data safe, maybe our text messages, you know, apps like Signal or WhatsApp talk about how they encrypt data so only the people on the messages are able to read it. So the current and the modern forms of ransomware typically enter people’s computers through emails. Email attachment is still the most common way for things to happen, though occasionally the bad actors can remote into systems, access them virtually or remotely, and install them directly. But these new forms of ransomware, rather than placing your whole computer in a safe and just locking that one code, it’s as if they have put every single file in your computer in its own safe with a different code. That’s what the encryption does. 
Rather than just locking the computer, they’ve encrypted every single little bit of data that they have access to. So even with the most powerful computers that we have now, they estimate it would take millions of years for them to be able to run encryption software on most of the variants of ransomware that are around. So that’s where we are now and that’s the type of ransomware that was installed and run on the Change Healthcare system this past Spring and why it caused so much damage.
| ZBP | So, you mentioned now the Change Healthcare attack. Tell us what happened and then why should we, as lawyers or, you know, other people in the legal field that may be listening, why should we be concerned?
| KO | Yeah. It’s, it’s a big concern. It’s one of those things where even if you think it didn’t impact you, it certainly impacted someone that you know well. Someone you know or love has been impacted by this. So Change Healthcare is a subsidiary of United Healthcare, which folks may be much more familiar with. They’re one of the larger insurance companies. So Change specifically deals with the go-between between healthcare providers and patients. That’s the simplest way to explain what they do. But one of the biggest services that they provide, and that is mostly what they do, is provide services or software for healthcare providers, insurance companies, to navigate the healthcare system. Their most commonly used product goes between providers and pharmacies and insurance companies. So if you go to a pharmacy to fill a prescription, the pharmacy computers have to talk to the insurance company computers and rather than do that directly, our healthcare system has created the role of middlemen that fill that role. So Change Healthcare’s programs or software takes the request for the prescription from the pharmacy and moves it over to the healthcare company, the insurance company. So they process it, they do what they do, then that same system moves it back to the pharmacy. That’s largely what they do. They also provide, by some estimates, they may have about 120-130 different products that do things like search out bad actors, help evaluate out-of-network coverage requests – all sorts of different aspects of the system, but they’re all independent products that they sell to different folks. So what happened, a hacking group called BlackCat/ALPHV – the hacking groups have very inscrutable names, I don’t know where it came from – orchestrated an attack against Change. So they were able to get into the system and within less than a week, Change had to essentially shut down their entire operation because they were unable to isolate, remove or back up their system. 
Their only option was to take everything offline. So that link I illustrated between pharmacy and insurance companies completely went away; from doctors’ offices to insurance companies, completely went away. Their coverage in the industry is so large no one actually knows what their market share is, but by some estimates between 60 and 70 percent of all healthcare transactions run through at least one Change Healthcare platform. And all of that went away for at least a month and in some places closer to two months, depending on the product. So essentially once the ransomware was applied on Change’s system, they did what – again a newer development in ransomware – they didn’t just encrypt the data on the Change system, they also exfiltrated it, as they call it in this industry, where basically they removed a bunch of data before they encrypted it. So not only did they prevent Change Healthcare from accessing their own systems, the hackers also retained a copy of an unknown amount of data that they were able to remove from the system. So in a sense it was two ransoms. They wanted a ransom to unlock the Change system and then a ransom to not release their data on the dark web or wherever they may choose to, sort of the equivalent of getting a severed finger on your doorstep if you want to talk about some Mafia metaphors. They started slowly trickling out some of the data to prove they have it, and by all accounts a ransom was paid. There are public transactions in a Bitcoin wallet, about 350 Bitcoin, about $22,000,000, that it’s believed Change paid to the hackers and still did not get everything unlocked and did not get everything back. So it’s an extremely messy case. I think I mentioned earlier one in three Americans, it’s estimated, was directly impacted by this. I was. I wasn’t able to get a pharmacy benefit. I had to pay a lot more for a prescription one month because of, while this was going on. And I’m just one person with one prescription. 
They’re still doing the math but they think – we’re talking multi-billions of dollars have been lost already and the end still isn’t quite in sight. So as attorneys, it’s really easy to imagine so quickly how this would make our jobs difficult, whether you’re an attorney for one of these healthcare companies, for a provider, for a hospital that, you know, can’t process claims and can’t pay their bills, for a patient that hasn’t gotten care, for a patient whose data has been lost. And this is just one industry, one company in one industry. So it’s, it’s a big problem. It’s a big, big problem and there’s lots of reasons that attorneys, people in the legal field, should be really concerned by what happened here.
| ZBP | Well, obviously one of the things that we do here at Reminger and we do a lot of it is civil litigation which means we are pursuing people in court for damages. What makes it so challenging to go after the ransomware attackers in court? Both either from a civil aspect or, you know, from a criminal aspect?
| KO | It’s really difficult. Part of what makes it difficult is how quickly the technology changes and evolves. Secondarily, these ransomware groups, these malicious actors, they aren’t just in the United States. They’re everywhere. You know, we’ve all heard stories about ransomware attackers or other computer hackers affiliated with nation states. You have China and Russia, is what gets talked about a lot these days. Attacks on the U.S. government, that kind of thing. Ransomware is the same way. It is the same way. These folks are everywhere and nowhere, which makes jurisdictional issues of all kinds a nightmare. An absolute nightmare. Very easy to envision scenarios where if you have a hacker, maybe you identify one but they’re in a country that we don’t extradite from, or you have a bad actor in one country, their servers are in another country. Possibly they’re using a virtual private network to appear as if they’re in a completely different third country and then the attack is targeted in a fourth country. It just – the jurisdictional issues just start to spiral as you imagine these scenarios. But what’s also made it complicated is, there’s this idea, that’s now old fashioned frankly, this idea that these bad actors, these hackers are, you know, losers in sweatpants, in their mom’s basement, you know, listening to weird music and, you know, hacking away on their keyboard all night, and that’s just not true anymore. Frankly, professionalism has advanced in ways that I was shocked to learn when I was doing my research, that the new version of ransomware is often referred to as ransomware as a service, RaaS. So what it’s done is it really democratized access to ransomware tools. Folks have started to specialize. So maybe you have some folks that really like creating ransomware code. They really are good at writing the code that can be deployed in a system, runs encryption well. They’re very good at it. Maybe they’re less good at hacking into systems. 
Gaining access to computers or systems or networks that they shouldn’t be in. So what folks started to figure out, similar to Henry Ford and his assembly line, is that if folks specialize in what they’re good at, the attacks, the information gathering, frankly the profits become a lot quicker and a lot larger. So now we have folks developing these tools and then they will turn around and, you know, lease, sell, whatever it is, to the folks that have access to these systems. So maybe, maybe you cracked a computer system, let’s say a law firm, which is also becoming increasingly common, that legal organizations are being targeted. So I have the access to the system. I don’t know how to write ransomware code. I don’t, you know, I never learned all the things about encryption. Well, on the dark web I can connect with folks that are excellent at that and for a percentage of what I make, let me use their product. There was a company – it actually was a company based overseas that used this model – they were first discovered in 2016. They had about 160 participants at the time and they actually created a platform for you to launch ransomware attacks from. So if you paid to access the system, you can launch it, you can monitor it, the company would provide tech support, you know, answer questions about how things were going, and in exchange, they would keep 60 percent of whatever profits you made. So despite the fact that – they estimate less than one percent of victims paid. But the company was on track to make almost $3,000,000 by the end of 2016. And that’s just what we know, that’s the other thing (unintelligible because of background interference). Decentralization of the ransomware makes it just so, so difficult to figure out who has even done this. And if you don’t know who to go after, you know it’s, it is impossible to do anything about it. So, the opaqueness of the entire operation, besides the jurisdictional issues, makes it really, really complicated.
| ZBP | Now what were you, and obviously I know we’ve talked about that you’re not a computer science expert, but what are some of the measures that, you know, you can suggest to clients to help them avoid ransomware attacks?
| KO | Yeah. What I took away from all my research was that we all have to shift how we think about this. This is no longer an if, it’s a when. For institutions of all sizes. You know, you may think you’re a small fish, it doesn’t matter. You know, if they can catch lots of small fish, they can still turn a profit. So we all have to start switching our mindset and assuming that we will be targeted by ransomware. Every organization should be thinking that way. And once you switch to that mode of thinking, there is a type of protection, an approach to protection, that’s often referred to as the Swiss cheese model. The idea is you think of any type of technological protection, cyber protection, as a piece of Swiss cheese. It’s going to have some holes in it. Every, every possible angle you can take for cyber protection has some strengths, has some weaknesses. But if you layer lots of types of protection, lots of layers of Swiss cheese, eventually you’ve got all those holes covered. So the idea is that no one thing can save you, but if you’re proactively stacking lots of layers of digital Swiss cheese, you can prevent the vast majority of attacks from happening. For example, the Colonial Pipeline attack that occurred in 2021, where one of the major gas pipelines in the Southeast was hit with a ransomware attack and it shut down the pipeline for a few days at least, say maybe up to a week. The hackers gained access, they obtained an old VPN, virtual private network, login from an employee who no longer worked for the company, but that person’s login had never been deactivated. And it was on a legacy system that did not require two-factor authentication, so no text message, no authenticating app. So once they had the password, they were in and that was that. So, one of the most important things, and maybe you’ve heard this about everything, complicated passwords, the two-factor authentication is huge. 
If they’d had that completely utilized at Colonial Pipeline, that attack wouldn’t have happened. So that’s a really simple thing. You can initiate their – another thing is just ongoing training of your employees, to make sure they’re detecting – that they have an eye for when things might be fishy. So, you know, even here at our firm we have the software that captures emails that it thinks might be suspicious. Has a server review them before they can be approved to go into our inbox. But some companies even deploy targeted, sort of fake, spam emails to employees to test them. That is a way to see how good your employees are. What kinds of things are fooling them. Are there certain, you know, departments that are struggling with this more than others? You know, just semi-regularly testing, testing your folks’ knowledge, just like a fire drill. You can think about it like a fire drill. And obviously, all sorts of security options on the server and network side of things. But one of the big, big things that would have made a huge difference for Change Healthcare is routine, regular and complete backups of your entire system. So one of the problems is that Change was unable to restore their system. They didn’t have a backup. They just had to take everything offline. If they had had a recent complete backup, they could have essentially wiped their existing system and restored it completely from that backup. So when we’re talking about backups here, we’re talking about servers that are going to be offsite. Not connected to the same network. As isolated as possible. Then that way, if your main system is infiltrated, worst case scenario, you just wipe that, you restore it from that copy that you’ve made. And you may lose, you know, some things, a few days, whatever. Organizations have different protocols. But if Change had had that, they would have been able to restore their programs much, much sooner because they’re racing. 
That would have removed the ransomware from the system, and you assume your backup copy’s clean, and that would have eliminated a ton of work, a ton of damage, would have put them just miles and miles ahead of where they ended up being in terms of damage control and restoring full functionality.
| ZBP | And what should organizations do, because we talked about them, I mean I think you’ve talked about the prevalence of ransomware attacks, how they’re increasing, how they’re affecting more and more people, you know, large organizations, individuals, small organizations, and everywhere in between. What should organizations do to prepare for if or when they get hit with a ransomware attack?
| KO | Yeah. Again, just assuming that it’s going to happen will go a long way. I know that’s not, you know, fun or positive news. A little bit of a the-sky-is-falling sort of feeling when you start to think that way, but it really does put you at an advantage. You’re not caught, you know, in a position of defense if something happens if you’re on the offense. So again that fire drill, fire drill model. And even specifically talking about law firms, there was a survey done for this last year and 39 percent of law firms they talked to reported that they had had a security breach that they knew about. So those are the folks that know that something had happened, and of those folks, 56 percent reported they lost confidential client data, which we all know is a huge, huge problem in so many ways. And the average ransom for folks that were willing to admit they paid one was over $1,000,000. So there are real world implications that we can quantify for law firms specifically. So, you know, advising clients is always its own thing but, you know, it starts at home. If we’re not being careful with our firms, you know, how are we supposed to advise our clients? So the recommendations for being prepared when it happens: having a response team in place. If you find out something has happened, who do you call? Who do you bring online? Do you have a clear contracting organization? Clear tech experts that you bring in from outside the firm to help you start problem solving? How do you communicate with clients that may have their information lost, damaged, anything like that? So in many ways running a, sort of, you know, scenario, a problem solving exercise if you will, and just stepping through what could happen. Really, it’s just being prepared. It’s knowing who’s in charge. Who needs to be talked to. Having, you know, compliance folks ready to be able to brief people on what the implications might be. 
You know, compliance looks different across different industries, different types of businesses and clients. So, yeah, just having those conversations. Going back to that fire drill analogy. Making sure you have a safety captain. Making sure your exits are marked. Making sure people know what the route is to get out of the building, and doing that, you know, same thing digitally. Making sure that folks know where servers are. Who has access to them. If your tech person is out of the office, what’s the backup plan? Just treating it as we do now for preparing for an earthquake, or, you know, an active harmful intruder. Having some sort of ransomware plan should be thought of in that same category of risks to be prepared for. But, finally, there is cyber insurance that is available. There are companies that specialize in providing coverage for these types of attacks. They can be insured to cover costs, maybe it’s ransomware payments, data recovery, legal expenses. These policies are still fairly new. Not as tried and tested as other forms of insurance, other types of policies in the industry, but it is an option. And for larger entities or for folks that really do have a lot of secured data, doing a cost benefit analysis, it might make sense if the policy has the right types of coverage should something happen. But ultimately it just comes down to being prepared. Just assume it’s going to happen and have a plan in place. You know, clear communication, knowing what your proactive steps are going to be, knowing who’s in charge, because the faster you act, the less damage they can do as well.
| ZBP | Right. Kate, I really appreciate you taking the time to talk to us today about ransomware attacks, especially the recent one on the Change Healthcare network. Thank you for joining us and being with us tonight. We really appreciate it.
| KO | Thanks for having me. I enjoyed it.