When we think about a ransomware attack, we often think of the multi-million pound demands from ruthless cybercriminals, or the multinational corporate giants kicked offline for days at a time while being held to ransom. However, we’re beginning to see a more malicious, devastating consequence of ransomware attacks – the human cost.
The unique combination of responsibility for essential services and budget-constrained cybersecurity teams, makes public sector organisations the perfect target for ransomware gangs. Cyber attacks on these organisations have a very real and sometimes dire impact on the people relying on them. Looking at five recent attacks on public services, we understand the damage ransomware operators can do in a bid to get victims to pay up.
1. Patient care in medical facilities
In September of last year, a ransomware attack on The Duesseldorf University Clinic in Germany resulted in the death of a patient receiving emergency life-saving treatment - the most extreme possible consequence of ransomware attacks on healthcare organisations. It is the first instance of a ransomware attack being treated by investigators as a negligent homicide. Sadly, it’s not the only case.
Around the same time, healthcare provider Universal Health Services - which has facilities across the US and Britain - was hit with a Ryuk attack that took down 250 US hospitals and clinics. While no patients died in this instance, healthcare professionals were without access to lab results, imaging scans, prescriptions, and other critical pieces of information needed to provide safe patient care. What’s more, staff were left scrambling to figure out which patients had been infected by COVID-19 - putting both employees and patients at greater risk.
2. Social services
Alongside hospitals, local councils struggling with the challenges of the pandemic also suffered from ransomware in 2020. For example, a cyber attack on Redcar and Cleveland’s Council’s website cost it £10.4m. This hefty cost to the council, came alongside disruption to essential services such as online appointment bookings, council housing complaints and social care systems - at a crucial time in the pandemic.
Monetary cost aside, the cost to people’s wellbeing was huge. The Redcar attack took out its social care advice services, vital services used by the most vulnerable in society. This left people without the ability to claim benefits, disability allowances and gain advice for those working with disabled and frail people.
3. Collapse of housing
One of 2020’s widely reported attacks on the public sector was that on Hackney Borough Council in October, which caused wide-spread disruption to housing, social services and payments processing. Months later, some systems are still inaccessible - with these departments having to conduct work manually while they are rebuilt.
The result? Property purchases for a number of residents were delayed or collapsed as the council cannot process land search requests - which inform buyers about planning decisions, building regulation matters and conservation. These individuals were still left with expensive estate agent fees.
4. Emergency services
The increasing number of attacks on emergency services has shown that there is a chink in their armour, which cybercriminals have no qualms about exploiting - regardless of whether human lives could be lost or not.
In 2019, the 911 dispatch service and law enforcement in Jefferson, Georgia experienced an outage which turned screens blank and made remote control of the jail cell doors and electronic controls impossible. For officers on the road this meant losing the ability to monitor emergencies or run licence plates, hindering the service and putting law enforcement at greater risk.
5. Disrupted transportation
Although most travel plans are curbed while the pandemic continues, transportation is a tempting target for greedy ransomware gangs. At the end of last year, Vancouver’s public transport provider was targeted by the Egregor ransomware gang, which had both encrypted and stolen data - threatening to make private data available to the public should they not pay up. Along with the very real threat of sensitive data being released, the attack itself disrupted the trip planning tool and meant customers couldn’t use credit or debit cards to purchase tickets, preventing millions of users from travelling.
2020 saw huge challenges, and sometimes devastation, for the public sector - both regarding the pandemic and ransomware. In some cases, it was the perfect time to hit for malicious gangs. With increased reliance on healthcare, local government and emergency services, keeping cyberattacks at bay has never been more important. The examples above show that robust cybersecurity practices are needed not just to save money, but to save lives.
Jonathan Lee is director of public sector relations at Sophos
