Zscaler Blog
Could double extortion prompt a public health crisis?
Ransomware actors targeting Australia’s most prominent healthcare insurer have taken the gloves off.
After Medibank refused to pay a ransom for the return of data belonging to 9.7 million customers this October, the hackers started to selectively leak sensitive data as a punishment for non-payment.
The ransomware gang, which the Australian Federal Police believe is based in Russia, began by releasing a list of women who had undergone pregnancy terminations, says the BBC. Since then, the group has released data on patients with public personas, those undergoing treatment for addiction, and those suffering from chronic illnesses, including heart disease, diabetes, and asthma.
This nasty brand of “double extortion” – a term for attacks in which the victim’s data is exfiltrated as well as encrypted, so that non-payment is punished with a leak – could have dire implications for organizations everywhere that are determined not to pay the ransoms that fund the continued efforts of these criminal groups.
In both the U.S. and Australia, authorities recommend not paying ransoms to these groups, as they say doing so has the net effect of undermining national security. (It may soon not even be legal to do so in Australia.)
"Cyber criminals cheat, lie and steal. Paying them only fuels the ransomware business model. They commit to undertaking actions in return for payment, but so often re-victimise companies and individuals," one Australian MP wrote on Twitter.
But the threat of double extortion may increase the urgency with which organizations shell out payments to avoid lawsuits, reputational damage, and the loss of customer trust. This in turn would guarantee that these groups are well-funded enough to continue operating in pursuit of additional revenue.
If ransomware payments were to be made illegal, would citizens ultimately be risking their privacy to punish criminal groups, many of whom operate outside of their own borders, on behalf of their governments?
Like most internet-enabled problems, double extortion is a global one. In its 2022 State of Ransomware report, the Zscaler ThreatLabz research team found that incidents of double extortion increased by 117% between February 2021 and March 2022. In no sector was the rise steeper than healthcare, which reported a staggering 643% rise in these types of attacks.
Double extortion’s unintended consequences
Officials discussing the Medibank breach worry that it could undermine Australian citizens’ willingness to undergo healthcare procedures.
"These are real people behind this data and the misuse of their data is deplorable and may discourage them from seeking medical care," Medibank CEO David Koczkar said.
Those considering medical assistance for substance abuse issues, for instance, may think twice if they are unsure that information will remain private. In countries where abortion is an especially hot-button social issue, releasing information about individuals who have undergone such procedures, even to prioritize their own well-being, could put patients’ physical safety at risk. Business and political leaders at all levels of society would run the risk of having their medical histories weaponized against them.
It’s also easy to see how this tactic could be applied similarly against holders of proprietary intellectual property, sensitive financial details like debt obligations, or political dirt. Any ransomware actors willing to resort to double extortion, in any industry, would likely be able to strike fear into victims by threatening the release of some type of stolen sensitive information.
Tactics like double extortion stress why preventing ransomware actors from moving unfettered through a network in search of valuable data is critical to limiting the damage they cause.
“For me, these exploitative tactics drive home the importance of limiting the lateral movement of cybercriminals who are able to find some crack in an organization’s defenses,” said Zscaler CISO for APJ, Heng Mok. “We need to ensure that a single social engineering attack or misconfigured cloud instance doesn’t act as the keys to an organization’s entire kingdom of sensitive data. In general, outcomes can be improved by adopting defense-in-depth principles and increasing visibility to reduce the mean time to respond.”
Organizations must work to reduce their attack surfaces, shielding applications from the open internet. They need to place a premium on identity and context as the basis for granting access to everything, and those factors must be re-evaluated with every access request. They must prevent lateral movement at all costs.
“Zero trust principles work to reduce the attack surface to limit what attackers can work with,” Mok said.
Of course, Koczkar is right to point out that paying a ransom is no guarantee that the stolen data won't be published. A recently floated idea about using a digital equivalent of the Red Cross to deter attacks against healthcare providers – hoping that it would act as a cyber equivalent of not attacking medics in combat zones – is asking for too much honor among thieves.
Instead, robust cyber defenses and a collective approach to security should be paired with aggressive prosecution of those who would undermine our public health and cause ordinary citizens to live in fear of what criminals may do with their most personal and private data.