Hackers whose favorite weapon is the RYUK virus have shifted their focus to small and medium sized healthcare systems, according to a cybersecurity expert.

MonsterCloud CEO Zohar Pinhasi said his firm has seen an increase in calls from healthcare companies of up to 500% over the last few months.

“They are now exclusively targeting small and medium-sized businesses with ransoms of $100,000 to $300,000,” he said.

Pinhasi, is the founder of MonsterCloud, a company that specializes in removing ransomware, restoring encrypted files, and preventing organizations from becoming ransomware victims a second time. He said many small businesses can’t afford to pay the ransom or to bring in professional assistance to recover.

“That is why I say ransomware is a crisis in this country. Attackers are winning, no question about it,” he said.

Part of the problem is that healthcare organizations don’t want to disclose an attack.

“When it comes to ransomware, everyone is embarrassed, and no one wants to talk,” he said.

Pinhasi said that estimates of the problem from the FBI are off because companies often don’t want to report an attack.

“When a victim gets hit by ransomware, they’ll try to find a company that will be able to help them, and the second step is to call the authorities,” he said.

Pinhasi said that criminals gain access to a network and gather information for three to six months, and once they’ve gathered all the information they need, they launch the ransomware.

“What we hear now, is that this is only the tip of the iceberg,” he said. “They are sitting on so many networks right now.”

To pay or not to pay

While large- and medium-sized healthcare organizations can afford to pay the ransom — and many do — smaller companies can’t.

“We know organizations that couldn’t afford the ransom demand, and they have actually closed down their offices,” Pinhasi said. “Another healthcare company that came to us had paid a ransom five times.”

The official line from authorities is: Don’t pay ransomware demands because that encourages criminals to use the tactics and increases the chances of getting hit again.

But, for businesses facing the reality of a ransomware attack, there’s no one size fits all rule, according to Mary Hildebrand, chair of the Privacy & Cybersecurity practice at Lowenstein Sandler.

“For every organization that adamantly refuses to cooperate, there is another one that weighs the relative costs of non-compliance in terms of interrupted healthcare, costs, expenses and reputational risk, against the amount demanded, and decides to wire the funds,” she said.

Chris Duvall, senior director at The Chertoff Group, said he tells clients to carefully consider the benefits and tradeoffs of the specific situation when deciding whether to pay up.

“There is also the chance that even if the decryption keys are provided, the data is irretrievably corrupted during the process, thereby making it useless even after release,” Duvall said.

If a healthcare organization has no backup data to use to recover from a ransomware attack, there may be no choice but to pay and hope.

“If your data redundancy practices don’t permit recovery from other avenues, it may be the only option,” Allen Buxton of SecureForensics said.

Getty Images/iStockphoto