Written by staff writer.
A cybersecurity specialist says the case of a ransomware group demanding the Crown Princess Mary Cancer Centre in western Sydney pay AUD100,000 within a seven-day deadline highlights the challenges of implementing any ransom payment ban.
On May 5, 2023, the Medusa ransomware gang issued the deadline, saying that they would begin releasing patient data unless payment arrived on time. The incident is the latest in a growing series of cyberattacks targeting Australian health and allied health entities.
According to Oakley Cox, Analyst Technical Director at Darktrace, this cyberattack demonstrates some of the issues surrounding the proposed ban on ransom payments. While no specific laws prevent a target from paying a ransom, the Australian government and its agencies advise entities not to pay. The government is also considering legislation to make paying a ransom illegal. But not everybody thinks an outright ban is viable or sensible.
“Even if a ban were feasible and enforceable, attackers will still be motivated to use ransomware, seeking out situations in which the sensitivity of the data involved brings moral and ethical questions about whether paying the ransom is, in fact, the best course of action,” he said.
Instead, Cox argues that government agencies should step up their offensive cyber efforts and fight back against ransomware gangs like Medusa. He says targeting the source of the problem, rather than a ban on payments, is likely to prove more effective at stemming ransomware attacks.
Medusa has now been up and running for about two years. It is entirely separate from the better-known MedusaLocker ransomware gang. Medusa has steadily become more active this year and hit the headlines in March when the gang released a trove of sensitive student data stolen from Minneapolis Public Schools after the district refused to pay a USD1 million ransom. Cybersecurity firm CyberCX told the ABC last week that the Medusa gang were highly active and a credible threat.
Cox says gangs like Medusa are creative and good at finding ways around potential problems like a ban on ransom payments. “Every time the cyber security community thinks they have found a solution, the hackers behind the attacks find a new technique. Exploiting personal data appears to be the latest move by ransomware gangs in their evolution,” he said.
CyberCX data indicates that UaWrongTeam, AlphV, BlackByte, and Phobos are among the cybergangs who have attacked Australian health and allied health entities in the past year. The attacks range from targeting a single medical practice to the massive Medibank Private incident in October 2022.
Cox says last week’s attack on the cancer centre may have been a response to the Medibank Private breach, widely attributed to rival ransomware gang REvil. He says attacks that gain widespread media coverage boost the attacker’s credibility in cybercrime circles. A sensitive target like a cancer centre generates publicity, reflecting well on the ransomware gang, even if they are not paid.
NSW Health says they are investigating the cyberattack and don’t believe any patient databases were compromised. Meanwhile, the Australian government says ransomware gangs cannot be trusted and that paying ransoms doesn’t guarantee the stolen data will not be misused. Further, they say paying ransoms also fuels the growing problem.