Daily Archives: August 25, 2016

Could Criminals Make A Billion Dollars With Ransomware?


Bitcoin has not only changed the economics of cybercrime by providing crooks with an encrypted, nearly anonymous payment system autonomous from any central bank. It’s also changed researchers’ ability to track how much money criminals are making.

“Bitcoin is based on Blockchain, and Blockchain is a public ledger of transactions. So all Bitcoin transactions are public,” Mikko says. “Now, you don’t know who is who. But we can see money moving around, and we can see the amounts.”

Every victim of Ransomware — malware that encrypts files and demands a payment for their release — is given a unique wallet to transfer money into. Once paid, some ransomware gangs move the bitcoins to a central wallet.

“We’ve been monitoring some of those wallets,” Mikko says. “And we see Bitcoins worth millions and millions. We see a lot of money.”

Watching crooks rake in so much money, tax-free, got him thinking: “I began to wonder if there are in fact cybercrime unicorns.”

A cybercrime unicorn?


A tech unicorn is a privately held tech company valued at more than a billion dollars. Think Uber, AirBNB or Spotify — only without the investors, the overhead and oversight. (Though the scam is so profitable that some gangs actually have customer service operations that could rival a small startup.)

“Can we use this comparison model to cybercrime gangs?” Mikko asks. “We probably can’t.”

It’s simply too hard to cash out.

Investors in Uber have people literally begging to buy their stakes in the company. Ransomware gangs, however, have to continually imagine ways to turn their Bitcoin into currency.

“They buy prepaid cards and then they sell these cards on Ebay and Craigslist,” Mikko says. “A lot of those gangs also use online casinos to launder the money.”

But even that’s not so easy, even if the goal is to sit down at an online table and attempt to lose all your money to another member of your gang.

“If you lose large amounts of money you will get banned. So the gangs started using bots that played realistically and still lose – but not as obviously.”

Law enforcement is well aware of the extremely alluring economics of this threat. In 2015, the FBI’s Internet Crime Complaint Center received “2,453 complaints identified as Ransomware with losses of over $1.6 million.”

In 2016, hardly has a month gone by without a high-profile case like Hollywood Presbyterian Medical Center paying 40 Bitcoin, about $17,000 USD at the time, to recover its files. And these are just the cases we’re hearing about.

The scam is so effective that it seemed that the FBI was recommending that victims actually pay the ransom. But it turned out their answer was actually more nuanced.

“The official answer is the FBI does not advise on whether or not people should pay,” Mikko says. “But if victims haven’t taken precautions… then paying is the only remaining alternative to recover files.”

What sort of precautions? The answer is obvious.

“Backups. If you get hit you restore yesterday’s backup and carry on working. It could be more cumbersome if it’s not just one workstation, if your whole network gets hit. But of course you should always have good, up to date, offline backups. And ‘offline’ is the key!”
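Why “offline” is the key: a backup that sits on a share the infected workstation can write to is just another set of files to be overwritten, and without an integrity record you cannot tell which snapshot is still good. The Python below is an added example, not the author's or F-Secure's code, of the minimum a restore procedure should do: keep dated snapshots, store a SHA-256 manifest with each one, record the manifest's own fingerprint somewhere the backup medium cannot alter, and refuse to restore a snapshot that fails verification. The directory layout, file names and the tampering step in `demo()` are all constructed for the illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, store: Path, label: str) -> str:
    """Copy src into store/<label>/data and write a manifest of SHA-256 hashes
    beside it. Returns the manifest's own SHA-256 ("fingerprint"), which should
    be recorded off the backup medium, e.g. printed and filed."""
    dest = store / label
    shutil.copytree(src, dest / "data")
    manifest = {p.relative_to(src).as_posix(): sha256_file(p)
                for p in sorted(src.rglob("*")) if p.is_file()}
    manifest_path = dest / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return sha256_file(manifest_path)


def verify(store: Path, label: str, fingerprint: Optional[str] = None) -> list:
    """Return the relative paths whose backup copy no longer matches the
    manifest, or ['manifest.json'] if the manifest itself was altered."""
    dest = store / label
    manifest_path = dest / "manifest.json"
    if fingerprint is not None and sha256_file(manifest_path) != fingerprint:
        return ["manifest.json"]
    manifest = json.loads(manifest_path.read_text())
    bad = []
    for rel, digest in manifest.items():
        copy = dest / "data" / rel
        if not copy.is_file() or sha256_file(copy) != digest:
            bad.append(rel)
    return bad


def restore(store: Path, label: str, target: Path, fingerprint: Optional[str] = None) -> None:
    """Restore a snapshot only if it verifies cleanly against its manifest."""
    bad = verify(store, label, fingerprint)
    if bad:
        raise RuntimeError(f"snapshot {label} failed verification: {bad}")
    shutil.copytree(store / label / "data", target)


def demo() -> dict:
    """Constructed scenario: two daily snapshots, then the day1 copy is
    overwritten in place (as it would be if the backup share were reachable
    from the infected machine). Only the intact snapshot is restorable."""
    with tempfile.TemporaryDirectory() as tmp:
        work, store = Path(tmp) / "work", Path(tmp) / "backups"
        (work / "sub").mkdir(parents=True)
        (work / "notes.txt").write_text("quarterly report draft")
        (work / "sub" / "ledger.csv").write_text("item,amount\nlicence,1200\n")
        fp1 = snapshot(work, store, "day1")
        fp2 = snapshot(work, store, "day2")
        clean = verify(store, "day1", fp1)
        # constructed tampering: the day1 data copy is rewritten on the backup medium
        (store / "day1" / "data" / "notes.txt").write_bytes(b"\x00" * 16)
        tampered = verify(store, "day1", fp1)
        try:
            restore(store, "day1", Path(tmp) / "restore1", fp1)
            day1_restored = True
        except RuntimeError:
            day1_restored = False
        restore(store, "day2", Path(tmp) / "restore2", fp2)
        day2_notes = (Path(tmp) / "restore2" / "notes.txt").read_text()
        return {"clean": clean, "tampered": tampered,
                "day1_restored": day1_restored, "day2_notes": day2_notes}


if __name__ == "__main__":
    print(demo())
```

The fingerprint check matters because a manifest stored next to the data can be rewritten along with it; keeping the fingerprint offline turns “is this backup good?” into a question you can answer before you start the restore rather than after.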

What’s also obvious is that too few people are prepared when Ransomware hits.

Barring any disruptions to the Bitcoin market, this threat will likely persist, with even more targeted efforts designed to elicit even greater sums.

If you end up in an unfortunate situation when your files are held hostage, remember that you’re dealing with someone who thinks of cybercrime as a business.

So you can always try to negotiate! What else do you have to lose?


HIPAA/HITECH Compliance – What Is the HITECH Act?


Not sure what the HITECH Act is all about? If you’re new to HIPAA compliance and related concerns, here’s a quick overview.

Summary of HITECH Act

HITECH stands for Health Information Technology for Economic and Clinical Health. The HITECH Act was created in 2009 to encourage the adoption and “meaningful use” of electronic health records (EHR) and supporting technology in the U.S. This act was part of the American Recovery and Reinvestment Act (ARRA) economic stimulus bill. The HITECH Act initially offered financial incentives to providers who demonstrated “meaningful use” of EHRs. Later stages of the implementation of the act included penalties for providers who did not meet these requirements.

The HITECH Act also modified HIPAA. One of the ways it did so was by requiring covered entities to notify individuals whose protected health information (PHI) has been compromised. Additionally, it increased the fines that could be applied for noncompliance (up to $1,500,000); it authorized state Attorneys General to bring actions to enforce violations of HIPAA; it expanded portions of HIPAA to apply to business associates of covered entities; and it required the federal Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) to audit both covered entities and their business associates.

Present and Future of HITECH Act

Many features affected by the HITECH Act are currently under debate, including changes to the definition of “meaningful use” of EHRs, cybersecurity issues, and interoperability issues.

As of April of this year, proposed new federal regulations may bring an end to the electronic health records “meaningful use” incentive program portion of the HITECH Act. This portion would be replaced with a simplified program. Concerns raised about these proposed changes state that they fail to address threats to cyber security from hackers and ransomware, a topic of real concern as healthcare providers have been under increased attack this year.

The proposed changes would also affect payment mechanisms for physicians, attempt to fight information blocking, and replace the current “meaningful use” program with the “advancing care information” category. As the HHS explains, this category would focus on interoperability and information exchange, and in contrast to the existing program, would not require an all-or-nothing approach to measuring the quality of EHR use. (For more on the proposed changes, see Healthcare Info Security’s in-depth article on the impact on security of Medicare’s new physician payment plan.)


The medical community really needs to pay attention to the new HIPAA/HITECH compliance rules. This new rule is really going to affect the smaller healthcare groups that do use compliance today.