Well, that didn’t take long. In a recent article I made the case that newer variations of ransomware could result in a reportable HIPAA breach. I argued that if ransomware not only encrypted the victim’s files but also copied the files off of a computer or allowed access to the files, then the result could be a reportable breach.
A relatively new variation of ransomware called CryptXXX has been identified. Like older variations, the malware encrypts a victim’s files and demands a ransom to release them. The ransom averages about $500.
But this variation not only encrypts the files, it also copies data off of the victim’s computer. According to an article over at Enigma Software, an anti-malware vendor, CryptXXX ransomware collects or copies information:
The CryptXXX Ransomware can collect files, passwords, and other data, focusing on login credentials from the victim’s instant messenger applications, email clients, FTP programs, and Internet browsers particularly. The CryptXXX Ransomware also may collect BitCoin wallet credentials according to reports from PC security researchers.
As I argued in the previous article:
But as I mentioned, more sophisticated ransomware is starting to show up. And as ransomware evolves and starts copying data off of servers or desktops and/or starts loading other malware that may capture keystrokes or allow access to a system by a third party, breach determination is not so cut and dry.
To determine if a ransomware attack would result in a reportable breach, we can use the same methodology that we used to determine if a stolen or lost laptop would result in a reportable breach. Can forensics help determine if the ransomware allowed a third party access to the organization’s network? Did the third party view or access PHI? Did the ransomware copy PHI off of the organization’s network? Which PHI was copied?
More Sophisticated Variants Coming
While CryptXXX may be one of the first ransomware variants to copy data off of a victim’s computer, it probably will not be the last. Stealing passwords and BitCoin wallet credentials makes for an even more powerful tool than just encrypting a victim’s data. Criminals will soon realize that with relatively simple searches they can find and copy Social Security numbers, credit cards, bank account information, driver’s licenses, etc. These modern-day cybercriminals are showing that they are quick to evolve: while they are holding the victim’s data hostage, they might as well walk around the house or office and steal other valuable information.
Impact on Healthcare
This latest development is not good news for healthcare organizations. Ransomware itself is a dangerous threat, but ransomware that steals information is even more of a threat because it could lead to a reportable HIPAA breach. Having to report a ransomware breach to patients damages a healthcare organization’s reputation and exposes the organization to an investigation by the Office of Civil Rights (OCR).