🎁 'Tis the season to support public service journalism Donate Now

Hacking hospitals: ransom notes and dark web chatter from health-care extortionists

Scott Tong May 14, 2020
Heard on:
Dan Kitwood/Getty Images

Hacking hospitals: ransom notes and dark web chatter from health-care extortionists

Scott Tong May 14, 2020
Heard on:
Dan Kitwood/Getty Images

Say you run a hospital, and you get hacked. You lose access to your patient database — say, the records for who has COVID-19 and how you’re trying to keep them alive — and the bad guys say if you pay, you’ll get your data back.

What do you do?

Increasingly, hospitals find themselves subject to ransomware attacks, according to warnings from the United States and United Kingdom governments, Google and Microsoft.

These facilities tend to be cybersecurity laggards, often running older Microsoft Windows software that the tech giant no longer supports. That makes them vulnerable, and the hackers know it. Hackers also know that hospitals have more at stake than ever during the coronavirus pandemic. In theory at least, hospitals are willing to pay up to keep their vital data intact.

At the center of these attacks is the ransom note, a number of which have been leaked online. What do they say? Some notes employ straightforward, just-the-facts prose.

AzoRULT ransom note. Source: Intsights

This one’s direct and transactional: Your files are locked. Here’s how you pay us to fix it. No one gets hurt.

Other notes strike analysts as more diabolical. Imagine the Joker, smirking behind the monitor, as he taps out this one. It’s from the March 2020 Netwalker attack on the Champaign-Urbana Public Health District in Illinois.

“Your heart rate has increased … move away from the computer and accept that you have been compromised.”

Netwalker ransom note. Source: Intsights

In the end, the hackers got $300,000 in ransom.

Then there’s the turn-up-the-pressure variety, threatening to inflict more pain on a hacked organization the longer it dillydallies. Below, the so-called Jigsaw attack group pastes in the image of the movie supervillain with the same name.

Jigsaw ransom note. Source: Trend Micro

“I want to play a game with you … every hour I select some of them to delete permanently.”

Jigsaw ransom note

The Jigsaw attackers threaten to delete more of the victim’s data as time goes by. Note the tick-tock timer in the bottom left.

In our reporting, we also came across a sampling of communication from the hacking underground, of tools and chatter among attackers and merchants. Experts tell us all the cybertools to carry out an attack are available to buy “off the shelf” on the dark web. No experience necessary.

One tool is a snappy-looking website that looks exactly like a popular URL but is actually meant to lure people into clicking a malicious link. This one’s a dead ringer for the popular Johns Hopkins COVID-19 site.

AZOrult malware. Source: Intsights

The dark web is also a meeting place for malware buyers, sellers and collaborators. This next message serves as a personals ad for villains. The person posting is seeking partners in crime, and he/she offers up a brief skill-set bio: Has access to networks. Can infect computers. Targets big and small companies. Offers a 50-50 split of the pot.

Dark web screenshot. Source: Intsights

This messenger even assumes a certain moral code, if you can call it that.

“Before you talk about ethics I’m not using ransomware on individual people I’m targeting large companies and government agencies.”

Finally, there’s an underground marketplace for data. Fraudsters steal individuals’ data and may offer to give it back for ransom, but sometimes they simply sell it online. For $20, this “merchant” offers what’s known as a fullz: an all-in-one package of name, address, date of birth, Social Security number and credit card data. $20. Click to Buy Now.

Hacked data for sale, screenshot. Source: Terbium Labs

There’s a lot happening in the world.  Through it all, Marketplace is here for you. 

You rely on Marketplace to break down the world’s events and tell you how it affects you in a fact-based, approachable way. We rely on your financial support to keep making that possible. 

Your donation today powers the independent journalism that you rely on. For just $5/month, you can help sustain Marketplace so we can keep reporting on the things that matter to you.