
Ransomware: Is there ever honour amongst thieves?

News has broken, in the last six or seven weeks, of a significant ransomware attack against Change Healthcare, a major supplier to the US health and medical sector.

The Alphv/BlackCat ransomware group is believed to be behind the attack and the American Hospital Association has described the 21 February attack as “…the most significant and consequential incident of its kind against the US health care system in history.”

The incident itself is widely reported. Its far-reaching, ongoing consequences for patients, customers and health care providers are still to be completely understood.

However, a perhaps less well-known aspect of the incident is the reporting which suggests that the ransomware group has shut itself down after receiving a ransom payment which it failed to distribute amongst its Ransomware as a Service (“RaaS”) affiliates.

Background

Late in 2023, Alphv/Blackcat was the target of law enforcement action and its infrastructure was, for a period, believed to have been seized. However, as is all too often the case, the group was relatively quickly able to set up new leak sites and the like, and reportedly took steps to regain the confidence of its affiliates by announcing an increase in the share of received ransom payments to be paid to them.

Fast forward to February 2024 and the group appears to have regained sufficient ground to deploy a further attack.  

It is a matter of speculation whether the victim was chosen as an act of retaliation against the national law enforcement agencies who played a role in the seizure just two months earlier.

‘Exit scam’

Change Healthcare has neither commented on nor confirmed the payment of a ransom, but, if reports are correct, it seems probable that Alphv/Blackcat executed a successful exit scam: taking the payment, withholding the affiliates’ share, and disbanding with funds in hand to re-emerge under a new moniker and restart its criminal work.

If the worst should happen and a company becomes the victim of a ransomware event, it is a far from easy decision for management or the board whether to engage with the threat actor at all.

That decision is increasingly complicated, and a further issue to be weighed is whether the threat actor can be trusted to deliver on its side of the bargain: to return or delete the stolen data and to provide working decryption for the systems it has compromised.

All of this comes before having to navigate the key requirements of the various legal and sanctions-related rules which apply to any such payment.

Concluding remarks

As the ongoing incident in the US demonstrates, scenarios exist where threat actors scam both the victim organisation and their own underground, criminal affiliates. In such a situation, a ransomware victim could face the worst of all worlds: paying out a significant sum as a ransom, but with its own or its customers’ data still withheld or, worse, sold or published on dark web markets. Beyond that lie regulatory investigations, reputational damage and the potential for third-party claims and class actions.

Cyber incidents are stressful, often time-sensitive and tricky to navigate. As the above tale highlights, the considerations for key company decision makers are multi-faceted and often challenging.

With the aim of helping new and existing clients with cyber risk and resilience consultancy and advisory services, Zurich Insurance created Zurich Resilience Solutions (ZRS).

Today ZRS helps clients improve their Cyber Incident Response Plans and create Incident Response Playbooks with tailored actions for incident scenarios. Along with helping clients develop their cyber incident response and business continuity plans, ZRS can also help clients by running a crisis simulation of a cyber incident. 

Our cyber incident response exercises are designed and personalised to test and prepare customers for the real thing. We provide realistic scenarios to test initial incident response, company cohesion and decision making. Our exercise includes an after-action review to discuss gaps and improvements to enhance incident management.

Through ZRS we are combining our decades of risk management experience with data and industry leading technologies to guide organisations on their cyber resilience journey.  

Please contact me or your underwriting contacts if you would like to be put in touch with our ZRS colleagues.
