NotPetya, not again? No – but the results are in.
If you recall, the NotPetya malicious software (Malware) attack was launched back in March of 2017. This particular Malware exploit filched the Petya ransomware code but embedded “worm” functionality into the Malware. Some, including this author, dubbed it a “Ransomworm”.
A quick primer on Ransomware and Worms.
- Ransomware is a relatively simple exploit, primarily used by the “cyber-criminal” community. It takes advantage of the “insider threat” and the potential gullibility of a user to launch an email attachment or download from a suspect website. Once it is executed, the malicious code encrypts the computers or systems with a very advanced cryptographic technique making access impossible.
The Malware posts a screen indicating that a payment must be made within a certain amount of time to receive the cryptographic key to decrypt the encrypted computers or systems. This payment is made through an untraceable payment form called a cryptocurrency, the most popular being “BitCoin.” Instructions on the “splash screen” inform the payment methodology.
Truth be told, it is a coin toss (a bit of a pun, right?) whether the key is actually delivered. I’ve opined on how to be prepared for a Ransomware attack so will not spend time reviewing with this piece.
- On to computer Worms.
A worm is an extremely dangerous form of Malware. Where Ransomware encrypts a system and inhibits continued access, thus impacting the “availability” to use the system (i.e, EHR, PACS, Physiological Monitoring, etc.), it doesn’t alter the information on the system. A worm, on the otherhand, spreads through an organizations network and beyond without human intervention.
I’ve seen Worms in action. They will start deleting files on system servers or renaming them, move to another server, rinse and repeat. The NotPetya Worm functionality destroyed a key file that is necessary to access files on a server. Ransomware encrypts this same file but does not damage to the information. The impact of this particular Worm functionality is that an entire corporate data center could be infected and all computer hard drives impacted, either destroyed and having to be recovered.
Ok – we know all that so what’s your point? It has taken almost a year but most government intelligence agencies have forensically concluded the Ukraine was the target of a nation-state attack by Russian using the NotPetya exploit. This makes the NotPetya exploit a “cyber-weapon” used to bring down large numbers of critical infrastructure systems in the Ukraine. However, the “weaponization” of Malware doesn’t stop with the intended target. Unlike kinetic weapons, a cyber-weapon will multiply outside the original target zone. This wasn’t an unintended consequence. The use of the Worm functionality ensured the outward spread of the attack and any contact with an infected system ensured continued dispersion of the malicious package.
The upshot of the “weaponization” of malicious software is the harmful effects it has on our healthcare systems and the very real potential for patient harm. NotPetya is intended to be destructive without regard for who may be harmed in the process.
An accounting company in the Ukraine was the initial victim of the cyber-attack but any customer “connected” to them through email or electronic connectivity quickly became infected. It spread so rapidly that hundreds of healthcare institutions, particularly in the UK, were impacted or shut down by the Malware. The inability to leverage electronic patient care systems due to destruction or unavailability caused by a “cyber-weapon” has a direct impact on patient care and could lead to severe clinical errors and adverse patient outcomes.
It should be crystal-clear to healthcare organizations across the globe that we live in a “Brave New World.” A healthcare system could be the unintended victim of a nation-state cyber-attack at any time. This requires holistic cybersecurity and information risk management methodologies which should be part of the C-Suite and Board of Directors jurisdiction.
This is no longer just an “IT problem.” It is a patient care problem.