The Planned Parenthood branch in Los Angeles revealed that it was the victim of a ransomware attack that resulted in attackers obtaining sensitive information on about 400,000 patients. All ransomware attacks and data breaches are bad, but this one is particularly egregious because the sensitive nature of the compromised information could destroy families or possibly put lives in danger.
Some ransomware groups like to market themselves as sort of modern-day “Robinhoods”—and claim that they avoid targeting schools or hospitals and only want to hit the deep pockets of governments and corporations. This attack demonstrates that ransomware is truly insidious and there is no honor among thieves.
Planned Parenthood's statement does not say whether it has paid a ransom or is currently considering doing so, and it provides few other details. In the statement, the branch said, “Patients are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see charges for services they did not receive.”
That is a concern, and it is good advice—but being charged for additional services is not the primary threat. Planned Parenthood is a non-profit organization that offers free or low-cost reproductive health care and sex education information, and it offers a variety of vital services including birth control and cancer screenings.
The timing of the attack is interesting—bordering on suspicious—because the announcement comes as the US Supreme Court hears arguments in a case that could determine the fate of the landmark 1973 Roe v. Wade decision that made abortion legal throughout the United States.
This attack really illustrates the dark heart of the ransomware beast. Medical information in general is one of the more sensitive types of personally identifiable information—but Planned Parenthood is on another level of sensitivity. Planned Parenthood patients may have received birth control their parents or significant others are not aware of, or a cancer diagnosis they have not disclosed, or they may have made the difficult decision to have an abortion. The organization deals specifically with very personal matters that a woman should be able to decide for herself and keep private if she chooses.
Exposing the information on these 400,000 patients could tear families apart and disrupt marriages. It is possible that having this information disclosed could even be dangerous for many of the women and possibly life threatening.
I do not envy the men and women at Planned Parenthood who have to make a very, very tough decision—a decision that nobody should ever have to make. We don’t know if Planned Parenthood paid the ransom, or if they are actively negotiating or considering it. What we do know is that in the calculus of whether it makes sense to pay the ransom or not, ransomware has reached a new low.
“Paying ransom demands doesn’t guarantee there won't be further extortion attempts. But refusing to pay the ransom is more than just denying the organization data. The attackers could publish information of more than 400,000 patients and put their very lives in danger,” proclaimed Sam Curry, Chief Security Officer at Cybereason.
“The fact that the compromised data included names, addresses, insurance information, and date of birth, as well as clinical information including medical procedures and prescriptions for more than 400,000 patients makes it a potential disaster. It is entirely possible attackers could retain the data and continue to extort Planned Parenthood or use it to spear-phish or blackmail individual patients.”
It is a common tactic of Chinese intelligence and other APTs to leverage personally identifiable information (PII) and protected health information (PHI) to blackmail individuals into becoming intelligence assets. It was the main motivation behind attacks like the OMB and Experian data breaches. The sort of information that might be exposed from Planned Parenthood certainly provides a strong incentive.
There are other factors to weigh as well. Our research found that almost half of organizations that paid a ransom were unable to fully recover their data. In this case, that may not be as important as simply ensuring nobody else gets the data either. However, we also determined that 80% of organizations that pay a ransom are hit by ransomware again—often from the same attackers.
This is a very poignant example of why it is crucial to detect and stop ransomware early in the attack cycle—long before it gets to the point of data exfiltration or encryption. You need visibility into the entire malicious operation and the ability to recognize Indicators of Behavior (IOBs) so you can shut down attacks quickly. Executing the ransomware payload is the last step in that chain, and once attackers get there, organizations no longer have any good options left.
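The behavioral detection the paragraph above calls for, as an added example that is not Cybereason's code or from the original post: a small Python scorer that runs over constructed endpoint telemetry (process, file and network events) and flags the stages of a ransomware operation in order, data staging, bulk exfiltration, recovery inhibition and the final extension-changing rename burst that signals encryption, so that a defender sees the chain while it is still pre-encryption. The telemetry line format, the stage names, the regexes and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). One event per line:
#   ISO-timestamp|host|event_type|detail      event_type: process, file, network
# ws-042 carries a full ransomware chain; ws-007 is benign admin activity.
SAMPLE_TELEMETRY = """\
2021-11-17T02:10:05|ws-042|process|rar.exe a -r C:\\staging\\out.rar C:\\Shares\\Patients
2021-11-17T02:13:40|ws-042|network|dst=203.0.113.77 port=443 bytes_out=5400000000
2021-11-17T02:31:02|ws-042|process|vssadmin.exe delete shadows /all /quiet
2021-11-17T02:31:03|ws-042|process|bcdedit.exe /set {default} recoveryenabled no
2021-11-17T02:31:10|ws-042|file|rename C:\\Shares\\Patients\\a.pdf -> C:\\Shares\\Patients\\a.pdf.locked
2021-11-17T02:31:10|ws-042|file|rename C:\\Shares\\Patients\\b.pdf -> C:\\Shares\\Patients\\b.pdf.locked
2021-11-17T02:31:11|ws-042|file|rename C:\\Shares\\Patients\\c.xlsx -> C:\\Shares\\Patients\\c.xlsx.locked
2021-11-17T02:31:11|ws-042|file|rename C:\\Shares\\Patients\\d.docx -> C:\\Shares\\Patients\\d.docx.locked
2021-11-17T02:31:12|ws-042|file|rename C:\\Shares\\Patients\\e.jpg -> C:\\Shares\\Patients\\e.jpg.locked
2021-11-17T09:15:00|ws-007|file|rename C:\\Users\\j\\report.docx -> C:\\Users\\j\\report-final.docx
2021-11-17T09:16:00|ws-007|process|vssadmin.exe list shadows
"""

# Assumed stage order of the operation, earliest first. Anything seen before
# "encryption" is the early warning the article argues for.
STAGES = ("staging", "exfiltration", "inhibit_recovery", "encryption")

ARCHIVER_RE = re.compile(r"^(rar|7z|7za|winrar)\.exe\s+a\b", re.I)   # archiver "add" command
RECOVERY_INHIBIT_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    re.I,
)
BYTES_OUT_RE = re.compile(r"bytes_out=(\d+)")
RENAME_RE = re.compile(r"^rename\s+(?P<src>.+?)\s+->\s+(?P<dst>.+)$")

EXFIL_BYTES_THRESHOLD = 1_000_000_000          # assumed: 1 GB to one destination
RENAME_BURST_COUNT = 5                         # assumed: this many extension-changing renames ...
RENAME_BURST_WINDOW = timedelta(seconds=60)    # ... inside this window means encryption


def parse(text):
    """Turn the pipe-delimited telemetry into (timestamp, host, kind, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def _extension(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _rename_burst(timestamps):
    """True if RENAME_BURST_COUNT timestamps fall inside one RENAME_BURST_WINDOW."""
    ts = sorted(timestamps)
    for i in range(len(ts) - RENAME_BURST_COUNT + 1):
        if ts[i + RENAME_BURST_COUNT - 1] - ts[i] <= RENAME_BURST_WINDOW:
            return True
    return False


def verdict(seen_stages):
    if "encryption" in seen_stages:
        return "payload executed: encryption under way"
    if seen_stages:
        return "pre-encryption activity: contain now"
    return "no ransomware behavior"


def analyze(text):
    """Return, per host showing any stage, the ordered stages seen, the evidence and a verdict."""
    hits = defaultdict(lambda: defaultdict(list))
    renames = defaultdict(list)
    for ts, host, kind, detail in parse(text):
        if kind == "process":
            if ARCHIVER_RE.search(detail):
                hits[host]["staging"].append(detail)
            if RECOVERY_INHIBIT_RE.search(detail):
                hits[host]["inhibit_recovery"].append(detail)
        elif kind == "network":
            m = BYTES_OUT_RE.search(detail)
            if m and int(m.group(1)) >= EXFIL_BYTES_THRESHOLD:
                hits[host]["exfiltration"].append(detail)
        elif kind == "file":
            m = RENAME_RE.match(detail)
            # A plain rename keeps its extension; encryptors append a new one.
            if m and _extension(m["src"]) != _extension(m["dst"]):
                renames[host].append(ts)
    for host, stamps in renames.items():
        if _rename_burst(stamps):
            hits[host]["encryption"].append(f"{len(stamps)} extension-changing renames")
    report = {}
    for host, stages in hits.items():
        seen = [s for s in STAGES if s in stages]
        report[host] = {"stages": seen, "evidence": dict(stages), "verdict": verdict(seen)}
    return report


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_TELEMETRY).items():
        print(host, "|", info["verdict"], "| first observed stage:", info["stages"][0])
```

The point of the design is that each rule keys on behavior rather than on a file hash or family name: an archiver run against a patient share, a multi-gigabyte push to a single external address and shadow-copy deletion are each alertable on their own, hours before the rename burst, while the benign host is left alone because listing shadow copies and renaming a single document without changing its extension never cross a threshold.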
Hopefully the US government and law enforcement will be able to track down the cybercriminals behind this ransomware attack and bring them to justice.
Unfortunately, many ransomware gangs operate with relative impunity from within the borders of Russia or other countries that do not engage or cooperate with international efforts to fight ransomware. These ransomware attacks are state-condoned, or at least state-ignored—with nation-state adversaries giving their tacit approval by refusing to address the problem.
Ken Westin, Director of Security Strategy at Cybereason, explained, “The amount of money ransomware gangs are generating only increases the level of greed and—with it—their brazenness. As this data can be used for criminal acts beyond a ransomware attack, there may be more repercussions and possibly more help bringing the attackers to justice, depending on where the compromised data is sold or used with malicious intent.”
Curry summed the situation up. “This is about as clear as it gets. Ransomware is a business model, but—more than that—it is a horrific beast that needs to be reined in and criminals brought to justice to face a jury of peers.”