Contemplating the Ransomware from Hell
Posted on Sep 05, 2018


Ransomware, the malware behind that sickening moment when your computer tells you a criminal has locked up your files, has been on the decline in the last year. A study by ISACA, the technology industry association, shows a 17-point drop in the share of companies reporting ransomware attacks, from 62% in 2017 to 45% this year.

Of course, cybercriminals are not going away. They’re just changing their tactics. Experts believe some are switching to “cryptojacking”: quietly taking over your computer, or even your smartphone, to mine cryptocurrency in the background. (In practice that means coins which can still be mined profitably on an ordinary processor; Bitcoin itself cannot be, so a hijacked laptop is put to work on other currencies.) You might already be infected, especially if your computer seems slow or your phone is running hot.

Having just returned from the huge DEF CON and Black Hat hacker conferences in Las Vegas, I am fully convinced that ransomware will soon come thundering back, in a new and potentially deadly way. Instead of encrypting your files, perpetrators will take over your connected smart devices and demand money to give them back. Perhaps your thermostat gets stuck on a ridiculously high or low setting. Maybe your insulin pump or surgically implanted pacemaker starts receiving rogue commands. Or, worst of all, you are a hospital administrator who gets an email like this:

“We own you. One of your employees clicked on a bad link and we are inside your system. But we won’t encrypt your files – that’s so 2017! We know that you have five GE Healthcare X-ray units, three Siemens SPECTs, and 864 single channel and 232 dual channel BD Alaris infusion pumps. They all have exploitable vulnerabilities. You don’t know about them. The manufacturers probably don’t either. We bought them on the Dark Web. Unless you pay USD 10 million by tomorrow noon we will randomly kill a patient every other day.”

I took this scenario to a number of hospital administrators and most said some variant of “we wouldn’t pay” or “we couldn’t pay”. Then I asked how they will respond when the newspaper headlines scream “Hospital Kills Grandma by Refusing to Pay Ransom”.

I call this “The Ransomware from Hell” because it is not only plausible, but, many experts say, likely. To make it worse, even if a manufacturer wrote flawless computer code for an MRI machine, with no back doors or vulnerabilities, they would still have to rely on software from other companies, like compilers and operating systems. Those might have exploitable security holes. Even if everything was perfect, how many hospitals can afford the $1-3 million price tag to replace each of their MRI machines tomorrow?

At the conferences, I met white hat hackers who had successfully penetrated insulin pumps, pacemakers, vital signs monitors, blood flow sensors, even surgical robots. A paper by Israeli researchers recently explained five different ways that CT scanners could be hacked to harm patients, from tampering with the radiation levels to simply hitting them physically with the device.

This does not mean you should refuse treatment the next time your doctor wants to put you into a scanner or implant a pacemaker below your collarbone. It does mean that the medical device industry, healthcare providers, and government agencies need to wake up to the very real risks that ransomware poses to patient safety.

Technical measures can reduce the danger: breaking the hospital network into segments, so that imaging units and infusion pumps sit behind their own firewall boundary and can talk only to the servers that manage them, and keeping devices fully patched and updated. The second is harder than it sounds, because many medical devices can only take updates the manufacturer has validated, so in the meantime segmentation has to carry much of the load. We might even want to consider some sort of “Good Samaritan Law” to shield hospitals from lawsuits if they have done their absolute best to protect their patients.
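As an added example, not code from the original post: the segmentation measure above amounts to an allow-list of which network zones may talk to which devices on which ports, and a connection log from the firewall between zones lets you check whether reality matches that policy. The zones, subnets, ports and connection records below are constructed assumptions for illustration.

```python
# Added example, not part of the original post: a small model of the
# "break the hospital network into segments" measure, plus an audit that
# replays connection records against it. Every zone, subnet, port and log
# line below is a constructed assumption for illustration.
import ipaddress

# Zones (hypothetical address plan). Anything outside these is treated as "internet".
ZONES = {
    "imaging":      ipaddress.ip_network("10.10.0.0/24"),   # CT, MRI, X-ray units
    "infusion":     ipaddress.ip_network("10.20.0.0/22"),   # infusion pumps
    "pacs":         ipaddress.ip_network("10.50.1.0/24"),   # PACS and device-management servers
    "workstations": ipaddress.ip_network("10.100.0.0/16"),  # clinician and admin PCs
}

# Allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied. Note what is absent: there is no path from
# workstations or the internet to a device, so a phished PC cannot reach a
# pump or a scanner directly.
ALLOW = {
    ("pacs", "imaging", 104),        # DICOM from PACS to the modalities
    ("imaging", "pacs", 104),        # DICOM C-STORE of images back to PACS
    ("pacs", "infusion", 443),       # pump server pushes the drug library
    ("infusion", "pacs", 443),       # pumps report status to their server
    ("workstations", "pacs", 443),   # clinicians use the PACS web interface
}


def zone_of(ip):
    """Map an address to its zone name; unknown addresses count as 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip, dst_ip, dst_port):
    """True if the segmentation policy permits this flow."""
    return (zone_of(src_ip), zone_of(dst_ip), int(dst_port)) in ALLOW


# Constructed connection records in the form "timestamp src_ip dst_ip dst_port",
# as a firewall or flow collector at the zone boundary might export them.
SAMPLE_LOG = """\
2018-09-05T10:14:01 10.50.1.10 10.10.0.21 104
2018-09-05T10:14:07 10.100.4.17 10.10.0.21 22
2018-09-05T10:15:30 10.20.1.44 203.0.113.9 443
2018-09-05T10:16:02 10.100.4.17 10.50.1.10 443
2018-09-05T10:16:45 10.10.0.21 10.50.1.10 104
"""


def audit(log_text):
    """Return the flows that violate the policy, with the zones involved."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if not is_allowed(src, dst, port):
            violations.append({
                "time": ts,
                "src": src, "src_zone": zone_of(src),
                "dst": dst, "dst_zone": zone_of(dst),
                "port": int(port),
            })
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v['time']} DENY {v['src_zone']} {v['src']} -> "
              f"{v['dst_zone']} {v['dst']}:{v['port']}")
```

Run as written, it reports the two denied flows in the sample: a workstation reaching an imaging unit over SSH, and an infusion pump talking to an outside address. In a real deployment the allow-list is what the firewall between zones enforces, and replaying its logs like this is the check that the rules actually hold; under this policy a device never has a legitimate reason to reach a workstation or the internet, so any such hit is worth an alert rather than a shrug.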

Still, it is only a matter of time until The Ransomware from Hell scenario plays out in a Canadian hospital. Just hope that it’s not you, or a loved one, inside the scanner when that nasty email arrives.

Dr. Thomas P. Keenan, I.S.P. is an award-winning professor at the University of Calgary, Fellow of the Canadian Global Affairs Institute, and Board Chair of the Information and Communications Technology Council of Canada.  His best-selling book Technocreep: The Surrender of Privacy and the Capitalization of Intimacy predicted many of the security issues we are seeing today.