
July 22, 2025 30 mins

"Hospitals don’t just store data. They safeguard stories, care plans, and lives. When ransomware hits, it’s not just a system crash, it’s a trust collapse." 

Notable Moments

  • 00:01:10 – What ransomware is and how it's evolved
  • 00:04:15 – How the Colonial Pipeline and Vegas attacks sparked Jeffrey’s interest
  • 00:07:10 – Why healthcare is a prime target
  • 00:10:00 – How Jeffrey built a ransomware database of 800+ healthcare entities
  • 00:16:00 – Rise of ransomware-as-a-service (RaaS) and competition between threat actors
  • 00:20:20 – Most targeted entities: hospitals, clinics, specialized care
  • 00:24:20 – Real-life consequences: delays in patient care, increased mortality risk
  • 00:28:00 – The looming threat of AI-trained malicious models

In this episode, Jody, Meghan, and Matt are joined by security researcher Jeffrey Bell to discuss the ways ransomware is increasingly crippling hospitals. They explore how healthcare has become one of the most targeted industries, why ransomware is shifting from encryption to data exfiltration, and how threat actors now operate like businesses complete with affiliate models, revenue sharing, and even training. Jeffrey shares how he built a comprehensive subcategorized database of healthcare-related ransomware attacks and offers insight into why specialized care and hospitals are becoming prime targets. The group discusses real-world consequences, from system shutdowns to patient deaths, and emphasizes the need for proactive community defense and cross-sector collaboration.

Resources

 www.redoxengine.com

Past Podcast Episodes 

https://redoxengine.com/solutions/platform-security

Have feedback or a topic suggestion? Submit it using this linked form.

Matt Mock  mmock@redoxengine.com 

 

 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to Shut the Back Door, brought to you by Redox. Shut the
Back Door is a healthcare security podcast dedicated to keeping
health data safe one episode at a time. I'm your
host, Jody Mayberry, and this episode we have
two familiar voices and a guest, of course. We've got

(00:22):
Megan McLeod. Hello, Megan. Hi, Jody. Nice to be here again.
It's great that you're back. Well, speaking of back, we've got Matt
Mock. Matt, it's great to have you back with us. Yeah, thanks, Jody.
Great to be here. Well, you know, Matt and Megan are with Redox, and
our special guest is Jeffrey Bell, a security
researcher for catching fish. Jeffrey, it's

(00:45):
great to have you with us. Thanks so much, Jody. Excited to be here.
Well, there is a reason Matt and Megan
wanted you to join us, and that's to talk about
ransomware. And I admit this is something I don't know
a whole lot about yet, so I'm. I'm excited about this conversation. Can
you explain what is ransomware and how

(01:07):
it can be so damaging to companies and clients?
Yeah, definitely. So ransomware kind of stems from the word malware,
right? So malware could be anything malicious, Right? That mal.
And malware stands for malicious. Right. So ransomware, as
we kind of talked about, stands for something being held for ransom. Just like
how it used to work in the old days where something was either

(01:30):
held for ransom, whether it be a bounty, a person, et
cetera. Now your files are being. Or your data is being
held for ransom. So historically. And
ransomware first started off as being encryption, right? So your
files will be encrypted on your computer. That's really very
bad. Right, of course. But now we're seeing ransomware take different forms

(01:51):
instead of actually that encryption on your computer, we just see the
exfiltration. So not always in the case, but a lot of
ransomware groups, these threat actors that perpetuate this ransomware and
steal data, they don't really care about encryption as much as they used to. They
find it a lot easier just to steal the actual information on your computer.
Your files, your videos, anything you're really working on.

(02:13):
And they'll upload that to their own kind of databases and then hold it for
ransom, of course. So I just wanted to have that discrepancy and notate
that because you'll see, as we're talking, a lot of times we might say something's
exfiltrated, something was encrypted. You know what I mean? And while
they both refer to the act of something being ransomed,
there's some variance in those two definitions. Well, how

(02:35):
did you get interested in this? Because this. This
is not a. A common thing. I guess someone grows up and says, I can't.
I can't wait to help people out with ransomware. Yeah,
it's definitely. It's. It's been some interesting conversations with my friends
and family. My girlfriend still, I think, is confused about what I do. But, yeah,
I. I've always been interested in. In kind of how things get

(02:57):
broken, how people break into things. I've always
kind of tried to find exemptions for. For just how the world
works, how. How can I get around it, how can I break it, that kind
of stuff. And I think ransomware really selfishly fits a lot of that. For me,
it's just such a fascinating thing that someone is losing kind
of ownership of their own files. What's supposed to be kind of only for

(03:19):
one person is now stolen and either don't have access to
it, or someone else could have access to it and then sell that thing.
Yeah, it's just. Has always really interested me ever since I really started
cybersecurity. And I think ransomware kind of showcases
that there's this really big, really stark divide that exists right
now in terms of the data that we all have. Our personal files,

(03:41):
our personal family photos, all this kind of stuff. It's not
really ours. It might be living on our computer, but in
terms of ownership, it's really just like the expression goes, in the eye of the
beholder, in the eye of the holder. In this case, whoever holds that data,
it might as well be theirs. Yeah, that's. That's super interesting. Is there
a, like, specific ransomware attack or story

(04:04):
that kind of, you know, maybe got your attention early on
or that, you know, you point to as
being somewhat influential in your research? Yeah, Megan, that's a
great question. Two things that come to mind are the Las Vegas
ransomware attacks. And also, I live on the east coast, and
when I was actually still in college, the Colonial Pipeline ransom

(04:26):
happened. So one starting with the Colonial
Pipeline, I saw that directly impact my life. I saw gas
stations around me. I saw lines like I've never seen
before. Like it was the gas crisis in, like, the 70s. So that
was pretty stark. Definitely made me think, like, how could the system
be so brittle that an encryption on the device could have this

(04:48):
effects that could stretch all the way up the east coast and then the Las
Vegas casinos, not really for the attack itself. The images,
of course, were so interesting to see, like casino displays
just completely like blue screened. That was really fascinating to
see, but also I would think how the attack actually perpetuated. Because
the Las Vegas attacks weren't some example of some zero day

(05:10):
vulnerability on a system, some mastermind criminal. It really
was a case of social engineering. These ransomware actors
called up the help desk for one of the Las Vegas casinos,
pretended to be an employee with some kind of level of privilege, convinced the
help desk to reset MFA, reset a password, something like that. And then they
were able to really spread throughout the network and then obviously

(05:32):
deploy ransomware. So the more I think about it, it's not really the
ransomware that really interests me. It's more about what leads up to
it. You know what I mean? A ransomware is just a piece of malware. It's
just a bad software. Right. It went rogue. But everything that leads up to it,
how initial access of these companies, how initial access
is formed at some of these companies, how that spreads all the way via

(05:54):
lateral movement to different servers, different hosts, and then eventually that
impact, that encryption occurs. I think that's really everything
that leads up to it is what's really fascinating to me. And it's kind of
like a race against time. Right. Because the whole time as defenders, we're thinking, okay,
how can I make sure this doesn't happen? What can I deploy to my
arsenal to make sure that everything that leads up to ransomware deployment

(06:15):
prevents it? Right. So it's kind of like a mind game a little bit.
Yeah. And one thing you said resonated, like the initial access
stuff, I always find very intriguing to see how that
happened because I think those outside of security,
they hear about these attacks and I think they're thinking like this
huge operation in most cases, like the old hackers

(06:37):
movie, you know, people are like doing crazy stuff and a
lot of times it's, yeah, someone picks up the phone and just cons somebody into
pressing a couple buttons. And though that's not always the case,
but, you know, it seems more often that that's the easier
kind of cheaper way to get in, is to just manipulate a human and you
get in. It's always very curious to see, like, how

(06:59):
that happened and how, how could you spend millions of dollars on security and
one person just bypass all that stuff? So. Yeah, very
interesting. Yeah, that's a great point. So we, we know
your interest in ransomware and how you got there. How did you
narrow specifically to trends in health care? What brought you there?
Yeah, that's a great question, Jody. So I work for a healthcare company. Right

(07:22):
now I'm part of something called Health ISAC. Health ISAC
is a group of companies that come together to form an information
sharing organization. So what they're doing is they're sharing kind of their daily
life there as a security posture, what's working well, what's not working
well, and along with different threat data. So whether that be indicators
of compromise, this could be like file hashes, these could be

(07:44):
malicious IP addresses, that kind of stuff. But I think the most important thing is
we share our, our war stories, right? So we share what's going well
in our organizations, what we've been fighting against, kind of we share in
our triumphs and failures, right? And that's nice to do that in a
community, of course. And so part of this, when my
company joined Health ISAC, I kind of was trying to find a place, you know

(08:06):
what I mean? There were all these different channels in Slack and I was trying
to find, okay, where, where do I belong? What am I interested in? And there
was this channel in Slack called Ransomware. And I immediately kind
of joined that group, started kind of talking to people, seeing what
they were doing. What I noticed really quickly was people were
sharing ransomware, like ransomware, that it's become an

(08:28):
entire ecosystem, right? So there's a bunch of threat intelligence vendors
who all day, all. Their entire business model is just to tell you
what these different ransomware operators have posted on something called a
dedicated leak site, also known as a data leak site, pretty much
where ransomware operators, whether on the dark web or clear web,
will share what they, who they've attacked and then any data that they've stolen,

(08:50):
right? And like the name suggests, they'll hold that data for ransom within
seven days, either you pay 10 bitcoin, or all this data
is going to be published for the entire world to see, right? So
that was being shared like, okay, this healthcare company just got hit with
ransomware and it wasn't really being tracked. I found it
was kind of just being like a screenshot we posted in the channel. And I

(09:11):
started thinking, this is something easily I can do. Like I have the bandwidth
in my free time, I can just go in and just say, okay,
this ransomware operator attacked this company. And
that's pretty much it, right? And then I started kind of thinking, how can
I actually make sense of this data? Not really helpful to have a
name, right? A name of a company is one thing, a name of a threat

(09:34):
actor is another thing. But really, we need to understand what are these companies? Are
there any kind of overlaps between them. So I went to the path of least
resistance and I just went to LinkedIn. Right. So I looked up a company,
let's say healthcare company. 1, 2, 3. I would look them up on LinkedIn.
Okay. Their classification on LinkedIn is hospitals and healthcare.
Cool. Easy. Add that to the spreadsheet. And originally

(09:56):
I was sharing my data that I collected across all these different entities,
all these different companies that were listed on different dedicated leak sites that the
ransomware operators maintain. And I was really proud of myself. I was like, this
is incredible, like, this is going to be revolutionary. And then I got
really good feedback immediately, like, this is not helpful. And as someone
who hadn't worked in healthcare that long, I realized that the

(10:19):
category hospitals and healthcare is very broad. Right.
Hospitals we all kind of agree with that means, right? More or less. But
healthcare, what is healthcare is healthcare. Your clinic down the street is
healthcare. The insurance is healthcare. The medical billing
is healthcare. And urgent care, like, you start kind of getting all these
questions and you realize that that definition, while it's not LinkedIn's fault,

(10:40):
is like the widest net you could ever like, cast. Like, healthcare is
a vertical, right? You have manufacturing, healthcare, agriculture, like, it's just
another word. So I quickly realized that this is not going to work long term.
So what I did is actually created my own, like, subcategorization
system. So I have 24 different kind of
subcategories that I classify within healthcare. Everything from like

(11:03):
dialysis centers, dentists, specialized clinics,
or specialized care, which would be like cardiology, orthopedics, and
then even things like, of course, hospitals. Right, Insurance.
And then even things as narrow as like telemedicine, a health care
entity that just does telemedicine. Right. So that's where I kind of
took it. I spent a lot of my free time, I spent an entire weekend

(11:24):
just going through a backlog of like 800 different entities, just
trying to use all the research I had at my disposal, which was a
computer. Right. And just trying to find out what was this company deal. There are
companies that aren't on LinkedIn. Okay, so I need to go find
what this company does. Need to find their website. There are companies that you
can't translate into English, so I had to kind of look at

(11:46):
cues on the different websites, try to do OCR, optical
character recognition to translate images that were like static on the
page. So, yeah, that's kind of where it took me. And yeah,
for almost a year I've been maintaining this database of
really subcategorizing all of these different entities that are listed in the
hope to provide more clarity for different

(12:08):
organizations in Health ISAC. Well, yeah, and I will say that I
know in a previous episode we talk about networking and all of
that in security and so Health ISAC we touched on and
that is how we got connected with Jeffrey. So just kind of a
piece of evidence that that stuff does work and that
we are seeing Jeffrey's research and it

(12:31):
is helpful. So yeah, awesome. Thank you, Meg. That's really
obviously like there's no payment, you know what I mean? There's no,
it's just help to help people. Like, I'm not getting paid for any of this.
It's just, I like it. It's interesting to me and I've gotten a really,
a lot of really good feedback that this is helping people. So that's more than
enough for me to continue. Yeah, a couple of things on that is

(12:52):
one, Jeffrey, your stuff is extremely helpful. You know, that's how he started
taking notice. And I'm not aware of anybody else tracking
healthcare to this level, especially on a day to day. Like you'll see other
reports that come out. You know, big companies will post it every year and you
get that at the end. But to see things change throughout the
year and day to day, it's super helpful. I know for myself,

(13:14):
we reference that, we bring it up. It's a great data point. And
the ISAC thing, not to like keep hammering on that, but I think if
you're listening to this and you're a healthcare company in any manner
and you're not part of that, you're missing out, especially from a cost
benefit. It's such a small cost to get in there and it is just
limitless knowledge and connections in

(13:37):
there. It's such a wealth of knowledge. And I think down the road
we do want to do a podcast around that. So stay tuned for more
on that. But if anybody's interested, you know, reach out to any of us too,
we can help make the connection there. I have to say, when I asked you
that question, Jeffrey, I did not expect that
answer of tracking things and creating a database. That,

(13:59):
that's really cool. And I see why people like Matt and
Megan see you as a valuable resource and someone good to
have in their network. Yeah. Thank you, Jody. Yeah, it's, it's really nice to hear
that, that kind of feedback and that's helping people because like Megan
alluded to, like there's, like Megan and Matt alluded to, there's no,
no one's tracking it at this level, you know what I mean? And it's not

(14:20):
exclusive just to health care. Like, I would love to see different members
of different ISACs take the same model and apply it to business
services, financial services, anything like that. Because
it's great to hear. Okay, well, it's not great for obviously us in
healthcare, but it's interesting to hear. Oh, healthcare is one of the most targeted
verticals across all industries with ransomware. Right.

(14:43):
That's. That's knowledgeable. That. That's like an interesting fact.
Right. But then what do you do with that? Like, as a
small rural clinic? What do I do with that information
compared to a mega insurance carrier, one
of like your benefit management platforms or something like that? It's very hard
to. You're looking at the same industry, but the actual

(15:05):
how it's relevant to you is going to be very stark. It's going to be
very different. Well, what does the rest of this
year look like for you? What does 2025 look like when it
comes to ransomware? And do you see any
disruptors coming? Yeah, Jody, that's
something that I was hoping to see this year, and I've yet to see

(15:26):
it. There was a small downturn for a little while in the
earlier first quarter, first and second quarter of 2025, in
terms of ransomware targeting health care, but that shot right back up. I
would be lying if I told you that there was any optimism on my part
that it's going to completely subside. I think you
are seeing law enforcement be a little bit more open to

(15:48):
takedowns and stuff like that. I have no doubt they're doing what they can. Well,
unfortunately, it is a booming industry in terms of
ransomware. And we could get on the tangent of there's something called ransomware as a
service. So it's bad enough that there's ransomware, but they've completely democratized
the process and made it very, very easy for anybody to now get in the
ransomware business. You can actually join, just like you would join

(16:10):
Health ISAC as a kind of member. You can join a ransomware
organization as a member. And now kind of part of that subscription
model is, hey, I'm going to attack companies using
the ransomware. Just remember, it's just a piece of software that this
ransomware operator provided to me. Right. So now
I'm armed. I don't have to do any coding. All I have to worry about

(16:31):
is getting this ransomware on as many computers as possible. And even
Qilin is doing, that's a ransomware group, is even doing, like, classes to
help some of their operators really understand how to deploy,
how to look for weak points in organizations like that. So, and
these ransom operators aren't doing this out of the kindness of their heart. They're getting
the profits. It's usually a profit split of like 70, 30, 80,

(16:53):
20, even 90, 10 for newer ransomware variants like
Devman. So you're seeing kind of that there's something in it for
everybody here. For affiliates, they're able to really lower their
technical barrier to get into ransomware. And for the operators, now they
get to sit back and relax and just maintain this piece of software. They don't
have to worry about trying to find initial access for this one random company.

(17:14):
Like, it's already there. They're just kind of sitting back, loaning out the software that
they've made to encrypt computers or exfiltrate data, and now they get
to just get the proceeds of that. So usually 70% of the
affiliate gets the money, and then 30% of whatever ransom's paid goes
back to the operator. Yeah, I think one thing, and
this isn't obviously new, but it's kind of like a crazy thing to think of

(17:37):
back in the day. Like, you want to do ransomware, your group has to do
like everything. They got to come up with everything on their own. And now there's
so many of these as a service, you know, if you want to spam, email,
there's a service you can apply for, you know, proxies
as a service ransomware, you can just piece it all together and just
pay for that stuff. And you got your little criminal organization in

(17:59):
a box type deal. And it's just, it's so. I don't. When you explain
to people that outside of, you know, infosec, it's kind of hard for
them to picture like this is a thing. But, you know, it's nuts how it
has really evolved over the years. Yeah, that's
another one that I just didn't see. I did not realize
that there are clubs and affiliates and

(18:21):
memberships you can sign up for all around
ransomware. I guess the membership model works no matter what
business you're in, 100%. And now what you're seeing
lately is that there's. I don't want to say over saturation, but
there's a lot of ransomware operators that operate this kind of model of
ransomware as a service. So now you're seeing competition between different

(18:42):
ransomware groups competing for that kind of those Best affiliates,
those affiliates that are so knowledgeable they know how to get into a network, they
know how to encrypt and they're probably going to attack a company that is in
a position to get paid. Right. So you're seeing like kind of a war between
different ransomware groups to actually attract that best talent. And they're
offering, I just mentioned earlier, the split used to be 80, 20,

(19:04):
but now you're seeing some ransomware operators give out kind of
best deals to some of their favorite affiliates. Like no, actually we'll do 90,
10 for you, 90% for you, 10% for me, 95, 5.
Like all of this kind of crazy stuff just to attract the best talent. So
it's kind of like a war. There's a lot of ransomware groups that have
emerged, not all of them stay around for that long, but they're all are

(19:26):
back with this promise. They'll say the same thing, that we're going to make sure
you make the most amount of money as possible. And that's really alluring. Yeah.
So like thinking about, I mean that's kind of, you know, a trend that you're
seeing. But then are there other, I don't know, trends in
the healthcare space like within ransomware in
addition to those kinds of things? Yeah, Megan, exactly. So

(19:47):
I'm looking at a chart right now of those DLS operators,
these different kind of ransomware operators who has posted the
most healthcare entities this year? Right. So right now it's neck and neck
between Inc Ransom and Qilin. That's spelled Q I
L I N. So these two ransomware operators have almost
by double attacked the most amount. So Inc Ransom

(20:09):
attacked 47 healthcare entities and Qilin 48.
And the next closest is SafePay at 22, you know what I mean?
So it's very stark. RansomHub for a long time was right up
there and then they went dormant, inactive. We're still trying to kind of
understand exactly what happened with them, but you can see there's no
downtime. Like the moment affiliates of one ransomware operator,

(20:31):
that ransomware operator either gets taken down by law enforcement
or just decides to do an exit scam or go dark. These affiliates,
they're trying to make money, right? This is like their livelihood. So they're going to
just go to the next, next best operator. Next best operator and you
even see double dipping. Sometimes you see affiliates,
they'll do a little bit with one ransomware operator and another

(20:52):
with another bit of encryption with another one. So
it's really interesting and let me actually get you some details regarding what
entities have been most targeted. So so far the
top three would be hospitals, clinics and specialized care.
All 40 or over entities listed on these different
ransomware operators' data leak sites this year. And like I mentioned earlier,

(21:15):
specialized care, that could be anything from your neurologist, that could be
a gynecologist, orthopedic, all of these kind of things. And in our
kind of healthcare system in the United States, those can be everywhere. Right.
So I think a lot of that reason that specialized care is number one is
because there are so many. But, but what's really surprising is hospitals. Hospitals
historically don't really make up a ton of ransomware

(21:37):
posts. Right. They obviously get a ton of attention. But if we're looking
back, like let's say from 2023, let's look at every. All the
posts from 2023 on healthcare wasn't as
prominent as it was compared to something like specialized care. But now you're seeing
hospitals become a lot bigger target. And I think that speaks to a couple of
things. I think a lot of times hospitals are the most newsworthy event.

(21:59):
When a hospital gets taken down, it's going to be on every. On the local
news. Depending on the size of the hospital, it might be on the global news.
And also depending on where the hospital is located, it might be underfunded.
There might be different kind of sites of that hospital. Hospitals a lot of times
are part of health systems. So they'll acquire maybe a clinic, right.
Or maybe they'll acquire another smaller rural hospital or something like

(22:21):
that. So the sprawl of these hospitals can be gigantic.
And then it just takes one entity that might have some kind of trust to
that main hospital network. Do you think with the hospital
targeting, is it that they are targeting the hospitals themselves
or is it because they're connected to all of these other things
and it's moving like laterally through to the hospital or is

(22:42):
the initial target the hospital? Yeah, that's a great question, Megan.
And that's something that we've seen as different chats are
leaked between different ransomware operators. There's always that kind of. That's what everyone.
I would say that's the number one thing people want to know, like, is my
hospital being targeted? And I use the word targeted very
carefully because they don't really care who they target at the end of the day.

(23:03):
We have seen some isolated examples of ransomware
operators like Qilin directly saying that we want to target healthcare.
Right. A lot of times this is because they think healthcare is more likely to
pay. But in terms of hospitals actually being
targeted, I don't think I can say that right now. That's just not, not what
I'm seeing. I haven't seen the evidence to it. But also, like, it's not out

(23:24):
of the realm of possibility that they think that's the most profitable way
to actually monetize the malicious actions that they're doing. And with,
like, hospital ransomware. Have you seen, like, in
any of your research, I don't know, kind of like the fallout from that? Cause
I know like, one of the things that got me interested in ransomware
was looking at, and I can't remember the specific incident, but a hospital

(23:47):
overseas had been targeted or, or not necessarily intentionally
targeted, but then was part of a ransomware situation. And I know
that someone who was supposed to be getting care at that hospital was not then
able to and in transport to another hospital ended up not making
it because of the inability to get quick care. So
I'm, I guess I'm curious if that also is like a trend that

(24:08):
if we're not seeing now, if, if we could start seeing actual
issues with, you know, not just quality of life, but actually
the ability to sustain life in some of these hospitals as well. As
ransomware gets bigger. Yeah, I mean, I would not put
it. I mean, these are people, of course, but they're also criminals. What they're doing
is, is a crime, of course. So, yeah, I wouldn't say it's out of the

(24:31):
realm of possibility that in order to monetize their tactics
that they're going to choose something that would be the most impactful
because they're just looking for, how can we disrupt the most amount of business
to make sure that that company has no choice to pay? Even if it's outlawed.
Right. Even if ransom payments are outlawed, like, there's always going to be that back
door and a way to pay. Right. That's just kind of how it works. Like,

(24:53):
look at prohibition, right? Like, it's. If there's a market for something and someone
feels like they're up against a wall, they have no choice. Like, it's very
possible. I think patient care is something that continues to
be, Is going to be impacted as this continues. I mean,
usually the first thing is that all the systems are, as a precaution,
the hospital, the healthcare entity, will kind of shut down everything. And

(25:16):
depending on what that company does, that could have obviously detrimental
impacts. We all know healthcare is intertwined with
information technology. Like, everything's connected to some kind of network.
Everything is being at some kind of monitor screen. So if everything has to be
isolated, it can be very difficult. And the first thing you hear when you read
kind of the hospital statement or the health care statement is that we have

(25:37):
emergency protocols in place. But those emergency protocols are usually a
pen and paper. Right. They're usually very basic. They're nothing. And
imagine going to an emergency room, you're already in a. In a
state of distress. I've worked in ERs before in college, and I. I
could tell you firsthand, like, there is. That's not the place that you want to
go ever. Right. And now when you go there and you're already the kind of

(26:00):
level of care disrupted, it's just a scary experience. Even scarier
because you're. Now you're not sure. Nurses are doing hand calculations
about milligram dosage and stuff like that. It can become a very scary situation
very fast. Yeah. And I think in the last, like, 12 months is the first
time that I can recall reports coming out that are actually
showcasing the impact of ransomware on patient

(26:22):
deaths. So the mortality rate, like, actually proving that
if your hospital gets hit with this, the
likelihood of a patient dying. And that's. That's the first
time I remember actually being seeing that. So it really shows
how much more impactful ransomware has become on
healthcare, you know, in the last handful of years. Yeah. And,

(26:44):
like, that's really honestly what got me interested in being in security
in healthcare, because the, you know, the potential impact
there, it's just. It's such a. It's people's lives. So it's. There's
such a big downside to successful attacks
against health care, especially if it's like, hospital settings where you're actually doing,
you know, urgent patient care versus, like, billing. It's like, it's not

(27:07):
great, but it's not, you know, your data might be leaked. But then when you're
talking about actual patient care, that's definitely. Like, when I was in school,
that's what motivated me to, you know, chat with Matt and to
get in with a health care company on the security side.
That's a great point you just highlighted, Meghan. It's. It's kind of the crisis
immediately when there's ransomware is, oh, my gosh, we need to get our

(27:29):
clinic, hospital, whatever, back to normal operating status, of course.
But then you have kind of that N plus one day. Is that okay?
The company didn't pay the ransom. Now, all of our medical records, depending
on. I mean, we've seen Just horrible stuff. Like just the
level of detail that some of these threat actors will go to in order
to monetize these operations. And okay, the hospital

(27:52):
doesn't want to work with us. How about the patients? Now we're going to give
the patients the opportunity to delete their data. We're going to. Before we just release
it. And like the. Imagine what a hospital would have on
you. They're probably collecting all of your medical records across all of your
different doctors that you've ever seen. And that's not necessarily a bad thing. That's how
they're going to ensure that you have the best quality of care. Right. They want
to know everything about you, but at the same time, they know everything about you.

(28:15):
They know if you've ever had some kind of, like, stay for some kind
of mental distress reason, something like that. And this stuff can be really damaging
if it's just publicly released. Luckily, I think a big thing right now is
that releasing this stuff on the dark web, it's still kind of. Unless you're like
a journalist or someone who's really interested or obviously a threat actor,
it's still a little bit difficult. It's not a super easy barrier to

(28:38):
entry to actually view some of this data that's released. But
I think with the rise of, not to use the buzzword, AI, you're
going to start seeing. It'd be silly to think that within the next couple years
there could be kind of large language models trained on this vast amount
of public data out there. And then you could just type in some malicious chatbot,
Hey, I want Matt Mock's or I want Meghan's entire, like,

(29:00):
rundown. What websites have they been attacked from? What information
can you tell me about? And then all of that, of course, is just going
to get monetized and used right, against us all. So it's. Yeah,
it's. It's a very, A very sad situation, especially when it comes to medical.
That's one of the few things that we have left. Now that all of our
passwords are on the dark web, our Social Security numbers are. That's still like

(29:20):
ours. You know what I mean? Well, this has been a great conversation,
Jeffrey. I know. I learned a lot about
ransomware and the work that you do. Just incredible. Well,
I want to say join us next episode as we discuss more security
challenges impacting healthcare and discuss practical ways
to address them. Is there anything else, Jeffrey, you would

(29:43):
like to add here at the end? No, I would just say any company
that's listening, this talk is not designed to scare
anybody. That's not what I'm trying to perpetuate here. It's really just being
knowledgeable as companies and also as patients. I'm a patient
too, you know what I mean? My dad is probably out there on the dark
web from a hospital or some kind of healthcare entity that's been listed. So

(30:04):
we're all in this together as human beings. And that's why I
think Matt, Meghan and myself can agree we're on this front line
as defenders in preventing this kind of stuff. And that's something that gets me excited
every day. So, yeah, that's really all I have. Yeah. And thanks for
joining us, Jeffrey. This has been fantastic. And if anybody out
there has any questions or feedback, feel free to reach

(30:27):
out. We'll have the contact info in the show notes.
We'll also have a link to a feedback form. So if you
have any questions there or if you're interested in being a guest,
please fill out that as well. Yeah. And don't forget to lock the back
door.