Security researchers have uncovered that a group of cybercriminals or an individual involved in a widespread ransomware delivery operation has earned over $120m (189,813 Bitcoins) in just 6 months. The group still holds $94m in Bitcoin wallets, with the rest likely spent on amassing botnets, servers, other cyber tools and personal costs.
McAfee Labs security researchers noted in their quarterly report that ransomware attacks have grown over 128% "year over year". Additionally, researchers observed that ransomware attacks targeting hospitals have also spiked recently. Such is the prevalence and profitability of ransomware that developers have even taken to showing off the functions and capabilities of their code on underground forums.
"In one underground forum, a developer's offering of ransomware code illustrates how much ransom has been generated by purchasers. The developer provides screenshots showing ransom transaction totals and proof that the ransomware code is not being detected," McAfee researchers said.
Researchers also uncovered another ransomware gang that earned over $100,000 specifically targeting hospitals and other institutions in the health care sector. However, McAfee researchers noted that the code and execution of the cybercriminals targeting hospitals were not of the same sophistication as those of other organised cybercrime groups.
"Based on our code analysis, we do not believe that the Q1 hospital attacks were executed by the malicious actors we normally face in ransomware attacks or breaches. The code and attack was effective but not very sophisticated," the researchers said.
Additionally, chatter from underground forums analysed by the researchers revealed a certain "honour among thieves" code followed by cyber-crooks, particularly those based out of Russia, who criticise those going after the health care sector. Following a ransomware attack in February, which saw a hospital in California pay $17,000 to regain control of its systems, underground cybercrime forums lit up with comments censuring the attacks.
"Shortly after the California hospital attack was reported, several malicious actors in underground forums reacted to these attacks. For example, one Russian speaker from a notorious hacker forum expressed his frustration, offering special wishes to the hackers that committed the attacks. In the Russian underground, there is an ethical 'code of conduct' that places hospitals off limits, even if they are in countries normally targeted in their cybercrime campaigns and operations," the researchers noted.
Why hospitals are prime targets for ransomware operators
The disturbing trend of ransomware authors targeting the health care sector has been exacerbated largely by the immense profitability of such attacks. Moreover, researchers pointed out that hospitals' medical devices and internal systems generally come with "weak security", which likely makes it easier for hackers to gain access to their systems.
"A combination of legacy systems with weak security, a lack of employee security awareness, a fragmented workforce, and the pressing need for immediate access to information has led the criminal underground to prey on hospitals."
Ransomware growth unprecedented
McAfee researchers noted that both ransomware and malware samples have continued to grow in the past quarter. "The growth of new ransomware samples continues to accelerate," researchers said, adding that the number of new ransomware samples was "the highest ever recorded in Q2", while the number of new malware samples detected in Q2 was "the second highest ever tallied".