Russians who deployed ransomware against hospitals are charged
The US Department of Justice said the nine individuals named in last week’s indictments used the Conti ransomware variant to attack more than 900 victims worldwide – including hospitals, healthcare providers and their patients – affecting critical infrastructure in approximately 47 states, the District of Columbia, Puerto Rico and about 31 other countries.
WHY IT MATTERS
According to the FBI, Conti ransomware was used to attack more critical infrastructure victims in 2021 than any other ransomware variant.
The Southern District of California charges Maksim Galochkin, “aka Bentley,” with three counts of computer hacking, alleging he “caused the transmission of the Conti malware and impaired the medical examination, diagnosis, treatment, and care of one or more individuals.”
If convicted, he faces a maximum prison sentence of 20 years. He also faces a maximum sentence of 62 years for ransomware crimes in Ohio and 25 years for crimes in Tennessee.
He is charged in Tennessee with one count of conspiracy to violate the Computer Fraud and Abuse Act and one count of wire fraud conspiracy for attacks on a sheriff’s department, a police department and local emergency medical services.
Galochkin is one of nine defendants who the Northern District of Ohio alleges developed, deployed, managed and profited from the malware known as Trickbot, of which Conti is an offshoot. The charges consist of one count of conspiracy to violate the Computer Fraud and Abuse Act, one count of wire fraud conspiracy, one count of conspiracy to launder the proceeds of the scheme and an enhancement for falsely registering domains.
“The conspirators who developed and deployed the Conti ransomware victimized businesses, governments, and nonprofits around the world,” Henry Leventis, U.S. Attorney for the Middle District of Tennessee, said in a U.S. Department of Justice announcement on Thursday.
The Tennessee indictment calls Galochkin a “crypter” for Conti and says he allegedly modified the ransomware so that it would not be detected by antivirus programs.
Two weeks ago Wired published a Trickbot exposé examining the investigation into the Conti ransomware gang, based on a March 2022 Twitter leak from an account known as Trickleaks of alleged online chat logs of about 35 members. That dump published 250,000 internal Trickbot messages and intelligence files containing 2,500 IP addresses, 500 cryptocurrency wallets, thousands of domains and email addresses, names and photos, social media accounts, passport numbers, phone numbers, places of residence and other personal data, exposing those involved in the operations.
Galochkin’s alleged handle, Bentley, had an account with the now-defunct Russian-language dark web marketplace Hydra and made multiple deposits that were “likely to purchase tools for hacking,” according to Jackie Burns Koven, head of cyber threat intelligence at the firm Chainalysis, who spoke to the publication.
She said tracking Bentley’s digital transactions details its interactions and collaborations with other Trickbot and Conti members.
Conti appears to have functioned like a software company, with Galochkin essentially acting as a lead developer of malware products, overseeing the deliverables and an estimated twenty or more direct reports who may have done the actual “cryption.”
Javed Ali, an associate professor at the University of Michigan’s Ford School of Public Policy and a former senior director for counterterrorism at the National Security Council, reportedly told ABC News on Friday that it is unlikely the Russians accused over Conti will ever be brought to justice.
But the formal charges show how the US continues to use its law enforcement investigations and criminal prosecutions as a policy tool, he said, according to the report.
Such sanctions limit accused cybercriminals’ ability to travel outside Russia, while potentially restricting their access to financial institutions in the United States, United Kingdom and around the world, Will Lyne, head of cyber intelligence at Britain’s National Crime Agency, told Wired.
The DOJ’s announcement could also tarnish the suspects’ standing in the criminal underworld.
“We know that ransomware actors value their anonymity, so exposing their identity through sanctions impacts their reputation and relationships within the cybercriminal ecosystem,” Lyne added.
According to investigators, Galochkin is publicly linked to four Russian companies where he was a founder or corporate director, including a company that reportedly provided digital transformation services to local governments in Russia.
The FBI’s San Diego office, with support from field offices in Memphis and El Paso and the U.S. Secret Service, is leading the Conti ransomware investigation, while the Middle District of Tennessee and the Southern District of California are leading the prosecution.
The FBI Cleveland Field Office is leading the Trickbot malware investigation, while the Northern District of Ohio is leading the prosecution.
The Justice Department’s National Security Division assisted in the investigation of both the Conti ransomware and the Trickbot malware, the DOJ said, noting that Trickbot malware developers Alla Witte and Vladimir Dunaev had previously been charged and arrested.
THE BIG TREND
The Conti ransomware attack on Scripps Health affected the medical care of 150,000 patients at a neighboring healthcare system that was not itself attacked, according to a JAMA Network study published in May, which evaluated patient records from an emergency department that received Scripps patient diversions after the attack halted operations.
That attack, like any ransomware attack, can shut down hospital operations for an average of four weeks or more and cut off access to vital patient information.
John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, advises emergency planning – both local and regional – and leveraging resources such as mutual aid agreements to ensure that patient care for those affected by ransomware attacks is maintained.
“Business continuity is not the same as clinical continuity, and we must be prepared to continue operations for up to four weeks,” he told a packed audience during his keynote address at the start of the HIMSS Cybersecurity Forum in Boston last week.
Dr. Christian Dameff, medical director of cybersecurity at the University of California San Diego and an author of the “Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US” study, shared best practices for bringing all healthcare workers to the table to talk about how their daily cyber hygiene practices can ultimately protect the quality of care.
Getting employees to address phishing emails – an example he kept returning to in a discussion about building a security-focused culture – requires “pruning and active engagement,” he told forum participants.
“Developing that kind of cultural drive requires attention to detail and mixing messages, different types of media, connecting people where they are and in the languages they speak,” he advised.
ON THE RECORD
“The indictment alleges a callous disregard for the medical care and personal information of residents of the Southern District of California,” Acting U.S. Attorney Andrew Haden for the district said in the DOJ statement.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.