What ransomware hackers do with data they extort — and why it can be lucrative

A hacker tries to access and alter data during a hacker convention in Nevada in 2017. (Steve Marcus/Reuters - image credit)

Hospital systems across southwestern Ontario have been offline for 11 days after a ransomware attack that has led to data being exposed online.

The FBI and Interpol are now investigating and the hospital officials involved are remaining tight-lipped.

But who are the people behind these kinds of attacks, and what are they looking to do with the data they've stolen?

Mark Sangster, chief of strategy at cybersecurity firm Adlumin Inc., refers to ransomware groups as "the misfortune 500" because they operate much like top organizations or institutions.

"They have executive structure, they do recruiting," he said.

"They compensate individuals who do good work … very talented individuals. And they have a lot of resources, often backed by state sponsors — in some cases foreign governments."

The five hospitals affected by the attack — located in Windsor-Essex, Sarnia and Chatham-Kent — said Thursday that they refused to pay a ransom and that some of the information connected to the attack has been published.

The attack has left hospitals scrambling without their IT systems, impacting surgeries, appointments and other services. People receiving radiation for cancer care in Windsor have had to go elsewhere for treatment.

Sangster said information is incredibly valuable to hackers, particularly health-care records.

"It's one of the most valuable and the most expensive on the dark markets and they call them fullz."

The idea here, he said, is that ransomware groups can collect your social insurance number, address, date of birth, etc., so they can then resell them and people can steal your identity.

"They can go get credit, they can get a car loan or whatever it may be. Or in the case of health care, they can often defraud the insurer. They can submit all sorts of fake claims. And then of course, they're getting the money back for those."

A report this summer by the Canadian Centre for Cyber Security warned that Russia and, to a lesser extent, Iran are acting as safe havens for cybercriminals hitting western targets. It also stated hospitals could expect to be targeted, citing a 2021 example where the health-care system in Newfoundland and Labrador was struck with a ransomware attack — costing the system $16 million.

Triple stream of revenue for hackers

The southwestern Ontario hospitals have not commented on what the ransom demands were in this case.

But according to Sangster, these high-tech hackers are asking for ransoms in the millions, sometimes in the hundreds of millions.

He says that's due in large part to their triple stream of revenue.

One is the ransom they demand to restore an organization's IT system.

The second is often an extortion fee: now that they've stolen the data, it will cost more to keep it out of the news and keep it private.

The third is effectively the resale of the data, he said.

And then you have to remember you're working with criminals, according to Sangster, so even if you pay them to keep it quiet they're likely not going to honour their side of the supposed contract.

Unfortunately, a lot of these organizations end up having no choice but to pay the ransom if they believe it's going to accelerate the time to recover the information, he said.

Mark Sangster is the chief of strategy at cybersecurity firm Adlumin Inc. (Amy Dodge/CBC)

The hospitals in southwestern Ontario say that they refused to pay the ransom based on advice they received.

"Our leaders, on advice by our experts that we could not verify claims by the attacker, decided we would not yield to their ransom demands," a joint statement from the hospitals and their IT provider stated. "We are aligned in this position with the governments of 50 nations, including Canada, who have recently pledged to never pay ransom to cybercriminals."

According to Sangster, the ransomware attack more than likely began with an employee who had administrative IT rights being duped by a phishing lure.

He said after hackers gain access to an IT system they will key on critical things like medical imaging. Then, he added, they would detonate the ransomware and leave a tag indicating how the hospitals could contact them to negotiate an extortion fee.

Hackers threaten reputations by selling to dark web

A technology expert from the University of Toronto says ransomware attacks immediately come with threats of extortion — such as releasing private personal information — to try and cause maximum reputation damage to the victims.

Daniel Tsai said the data is normally sold on the dark web, a nefarious place where drug dealers, terrorists, criminal organizations, and syndicates can access illicit content and sensitive information.

"Where these hackers basically make it available for those that have the technical know-how to access the dark web," said Tsai.

Daniel Tsai is a technology expert and lecturer at the University of Toronto. (Jennifer La Grassa/CBC)

And once on the dark web, the information might not be readily available in the public sphere per se, but it is at the fingertips of IT experts you wouldn't want having access to your records.

"Information will be sensitive but it can cause quite a bit of grief that medical records get out into that domain, because then anyone can buy that information off the dark web and try to start to blackmail people."

The hospitals have not indicated where the data has been published. They also said that, "Working with leading cybersecurity experts, we continue to investigate to determine the exact data impacted."

Staying tight-lipped 'robs us' of an opportunity to learn

Sangster said instances like the ransomware attack on the five southwestern Ontario hospitals shouldn't be about assigning blame, rather an opportunity for other organizations to learn and avoid similar attacks in the future.

"When we keep these things really tight-lipped and we say, 'it's with law enforcement and we can't discuss this,' unfortunately it robs us with that opportunity to learn … and make sure that our businesses or other hospitals, other critical care services, are not affected in the same way."

The hospitals said they are limited in what they can reveal due to the criminal investigation.

"We will provide more information when we are advised we are in a position to do so," they said in the Thursday statement.

Anyone whose data has been breached will be notified promptly, the hospitals said.