Ferhat Dikbiyik 00:00:00 They shut down these big major players. But it's like fighting with Hydra, right? You cut off one head. Two heads come up.
Keith Reynolds 00:00:15 Welcome to Off the Chart, A Business of Medicine podcast featuring lively and informative conversations with healthcare experts, opinion leaders and practicing physicians about the challenges facing doctors and medical practices. I'm your host, Keith Reynolds, and this week we feature a conversation between Medical Economics managing editor Todd Shryock and Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. They're talking about cybersecurity and the evolving structure and threat of ransomware gangs.
Todd Shryock 00:00:49 I'm here with Ferhat Dikbiyik, the chief research and intelligence officer at the cybersecurity firm Black Kite, to discuss her latest report on ransomware. So according to the report, attacks in health care were up 32% from 2023 to 2024. Why did that surge happen?
Ferhat Dikbiyik 00:01:11 That surge happened because of the shifts and dynamics of the ransomware cybercrime ecosystem. We know that there were these major ransomware groups in 2023, like LockBit or Rafi, and they are working with affiliates and they are advising their affiliates not to target healthcare institutions or nonprofit organizations.
Ferhat Dikbiyik 00:01:33 If they didn't listen to them and attacked these institutions, they published apologies in some sort of a twisted PR move or marketing move and provided free decryptors to those companies. But after the law enforcement agencies' attack in January, February, especially Operation Cronos, was very successful. Those operations took down these major ransomware groups, and now the affiliates have more power in that ransomware ecosystem. In the past, it was more like a ransomware-as-a-service-provider-driven ecosystem. But it is more like an affiliate-driven ecosystem now. And after all these law enforcement agency attacks and everything, these affiliates, they got pissed. They said that everything, everybody started, we don't care if it's a healthcare institution or anything, and they start to see these healthcare institutions as low-hanging fruit. There is no that twisted code of conduct anymore, and they can attack and get money. And the attack on Change Healthcare was kind of like a turning point. When that happened, the group behind the attack called BlackCat, also known as ALPHV, they didn't pay the commission to their affiliate, and they exited the cybercrime ecosystem, and the affiliates,
Ferhat Dikbiyik 00:03:01 they don't want to be in that position again. And there are different ransomware groups. They changed the business model in that ransomware cybercrime ecosystem, saying that, hey, now you get the money first and I will get my commission later. So they changed the business model. And they started to offer a very high percentage commission to affiliates, like 90% to 90% commissions. Now affiliates have more power. They have more decisions to, you know, select who to target. And now they are targeting anywhere because they don't care. They just want their money.
Todd Shryock 00:03:39 How do these affiliates work? I mean, they sound like contracted workers, like a normal company would use. What are they and how are they organized?
Ferhat Dikbiyik 00:03:49 Well, these are usually in countries where they want money very quickly. They look up to, you know, previous ransomware players and how much money they earned. And they are looking up to them. They are, of course, young kids, but we are not talking about, like, middle-aged.
Ferhat Dikbiyik 00:04:12 So middle school kids or high school kids, we are talking about the kids in the age of 19, 20s, the young adults actually, and now these ransomware groups, they have a service called ransomware as a service. In their blog posts or in the forums they publish, you know, these affiliate programs saying that, hey, if you join us, I will provide you this ransomware as a weapon that you can target, you know, these companies with. And when you have a successful attack, I will negotiate the ransom and then I will pay you a commission. So it's like an MSP, an MSP partner for, you know, certain cybersecurity vendors. So it's like a partner kind of a business relationship between the affiliates and the providers.
Todd Shryock 00:05:04 Like how many of these affiliates would a ransomware gang employ? Does anybody know?
Ferhat Dikbiyik 00:05:11 We know that LockBit, they worked with hundreds of affiliates. I think the real number is about 140.
Ferhat Dikbiyik 00:05:20 But currently there are 60 ransomware groups that are active. They publish it, this one with them. Even if you think that they work on average with ten affiliates, that will become 600 affiliates. I'm sure that the real number is much more than that.
Sydney Jennings 00:05:41 Say, Keith, this is all well and good, but what if someone is looking for more clinical information?
Keith Reynolds 00:05:46 Oh, then they want to check out our sister site, Patient Care Online, the leading clinical resource for primary care physicians. Again, that's patientcareonline.com.
Todd Shryock 00:06:01 So with this change in the kind of culture of ransomware, it seemed like most of the attacks in the past were targeted at these large corporate entities. But the report notes that smaller medical practices are now at risk. Talk a little bit about that. Like how much risk is there to these smaller players now that so much has changed?
Ferhat Dikbiyik 00:06:26 When we look into all these ransomware victims in the healthcare industry, we realized that 22% of them are the large hospitals, but 25% are the offices of physicians.
Ferhat Dikbiyik 00:06:38 These are, you know, small practices. And the reason behind that is these affiliates, they are okay with getting out with, you know, small ransoms, maybe like $50,000, $100,000, and they can get that much money from these offices. Because imagine that you are a single doctor. You have, you know, some employees within your office and you got hit by ransomware. You cannot schedule appointments. You cannot prescribe any medicines. How long can you stand with that? And you don't know these, you know, cybersecurity works much. You are always in the medicine. There's not a large, you know, corporate behind you. And the only thing that you know is that you need to pay the ransom as soon as possible to get your practice back and run your office. So these affiliates, they know this pressure on these offices of doctors and they, you know, target them a lot. Of course, they target the big healthcare institutions as well, but big healthcare institutions, now, they know that they shouldn't pay.
Ferhat Dikbiyik 00:07:43 They know that there are rules like HIPAA regulations and other things behind the scenes. And in fact, I think it was today, UK, they ban, they are proposing to ban schools and hospitals from paying ransoms. So the government regulates these, you know, big healthcare institutions, and these ransomware groups, they now use several tools to understand the ecosystem that they target. And they know that if the hospitals don't pay the ransom, they don't target the hospitals, but they target these small clinics.
Todd Shryock 00:08:17 I know there's been some talk of that in the United States of just banning the payment of ransoms to these criminal organizations. In your opinion, does that help or does it not matter? What are your thoughts on that?
Ferhat Dikbiyik 00:08:33 Well, it's quite speculative, to be honest. Of course, you know, we shouldn't fund these organizations, because when you fund them, when you pay the ransom, then they have more infrastructure to, you know, attack more of the critical infrastructure of the countries. But on the other hand, there's a pressure that I can understand on the victims that they cannot operate, when nothing, nothing, nothing, nothing works.
Ferhat Dikbiyik 00:09:01 Right? So of course they shouldn't pay. But banning the payment puts extra pressure on the victims, right? They don't know what to do. So you need to put an alternative. Okay, don't pay. I will help you by providing some, you know, some sort of an insurance, some sort of a, you know, help if something happened to you. I will help you. Without some sort of assurance like that, the only option for those victims, they are under pressure and losing money every day, the one option is just paying the ransom. And we should understand that psychology before putting policies like that.
Todd Shryock 00:09:46 One thing that stood out in the report to me was the change in how their demands are presented. In the past, there was more time to negotiate. Now it seems like there's a lot more pay now or else.
Ferhat Dikbiyik 00:10:01 Well, the reason behind it is that, you know, in the past we had these major ransomware players. They have good infrastructure, they have resources, they have these negotiation panels, they have call centers and everything.
Ferhat Dikbiyik 00:10:15 But most of the top ten ransomware players today, they didn't exist last year. So these are all new players. They don't have enough resources to build up these negotiation panels and everything. That's one thing. The other thing is that, especially after the healthcare incident, they don't want to lose time. They just want to get their money. Another statistic that we have, which is not in this report but in another report, is that we measure the time difference between two consecutive ransomware attacks on the same victim. A year ago, the time difference was six months apart, one year apart, eight months apart, and so on. But now it is five days apart, seven days apart. The reason behind it is that an affiliate, they deploy a ransomware from one ransomware group. If they don't get their commission very quickly, they deploy another ransomware from another ransomware group. So the patience of affiliates to get paid is getting shorter and shorter. That's why there's no time to negotiate the money.
Ferhat Dikbiyik 00:11:17 They just want to get the money as soon as possible.
Keith Reynolds 00:11:24 Oh, you say you're a practice leader or administrator? We've got just the thing. Our sister site, Physicians Practice, your one-stop shop for all the expert tips and tricks that will get your practice really humming again. That's Physicians Practice.
Todd Shryock 00:11:42 Why can't law enforcement stop these groups if they're so organized? They're so big, it seems like they'd be easy to find. Why can't they be stopped?
Ferhat Dikbiyik 00:11:53 That requires a very good international collaboration. Actually, we had that during Operation Cronos in January, February 2024. All these, you know, law enforcement agencies from the UK, from the US, from Germany, they cooperated in a very good way. And they shut down major players' dark web blogs. They turned some of the affiliates onto their side, and they got so much information. And after all this effort, they shut down these big, big, major players. But it's like fighting with Hydra, right? You cut off one head.
Ferhat Dikbiyik 00:12:33 Two heads come up. So now there are new players. It's an ongoing battle. It's not like a one hit and you are done with it. That's the difficult part.
Todd Shryock 00:12:43 Are most of these groups in Eastern Europe or where are they located?
Ferhat Dikbiyik 00:12:49 Culturally, they are located in Eastern Europe or Russia, some in China. They are not politically motivated, but they were raised in a culture where they hate the Western culture. But when it comes to money, they don't care. They attack everybody. Of course there are no-go countries for them. They don't want to get the attention of certain governments. But in the last year, we started to see affiliates in Western countries. In fact, the biggest attack in the entertainment industry was the MGM Resorts attack. And the affiliate behind that attack, one member is in the US, if I remember correctly. The other ones are in the UK, and the speculation in the hacker communities is that the BlackCat ransomware group actually wanted to get rid of these Western affiliates and they did this exit scam because of that, you know, breaking ties with those affiliates.
Ferhat Dikbiyik 00:13:54 They don't want to work with Western affiliates. But there is this trend that we start to see, that even in the Western countries, these young minds, they want to get money very quickly. They start to be involved in these cybercrime activities. But they are mostly in Eastern Europe or Russia or China.
Todd Shryock 00:14:17 Now, how does a cybercriminal in, say, Russia find a small medical practice in the Midwest, in Iowa, of the United States? Like how do they find them to even know to attack their server?
Ferhat Dikbiyik 00:14:35 So we see that the number one attack vector is exploiting vulnerabilities in certain software and products. Right. You can have a scan for vulnerable products globally. After you have that vulnerable product list, you know which companies are using it. There are a few ransomware groups, they do a spray attack. They attack everybody here. And these, you know, companies, these small clinics might be one of them. The others, they use some sort of sales intelligence tools or marketing intelligence tools to get more information about those targets.
Ferhat Dikbiyik 00:15:09 And when they realize that it's a small clinic, they know that they can put more pressure because of certain things. And they select based on those criteria that they have.
Todd Shryock 00:15:22 Do you expect healthcare to continue to be a prime target for cyber criminals?
Ferhat Dikbiyik 00:15:29 I believe so. Because again, that twisted code of conduct is not there anymore. And they published a report, I think yesterday, the biggest healthcare database in 2024, they put 13 incidents. Six of them were ransomware. So we start to see more and more ransomware. And if you look into the reported ransomware incidents, they are also increasing, 110% more than last year. So this trend will go up. Of course, the number one industry is still manufacturing. Then it is technical and professional services, number two, and healthcare is number three. But healthcare is only 8% now. I believe it will exceed the 10% in 2025.
Todd Shryock 00:16:20 So what can a small medical practice do to protect itself against these very sophisticated cyber attacks?
Ferhat Dikbiyik 00:16:29 It is important to be proactive in these cases.
Ferhat Dikbiyik 00:16:33 They need to work with a cybersecurity company, of course, or get some sort of a service, and to understand the risk going on there. If they get shut down for one week or one month, what will be the cost? And considering that cost, they need to invest some money on the cybersecurity side. And they need to get, of course, cyber insurance, and that might cover the ransomware problems. And if that happens, they need to get in contact with the FBI and other law enforcement agencies right away, in that second, because I know that the FBI, they put so much effort on preventing these things, helping victims. They shouldn't think that this should be a hush-hush thing, that they shouldn't, you know, inform anybody, because these ransomware groups put their name on these ransomware groups' dark web blog posts anyway. Their name will be there and everybody will know that. So they shouldn't think like, hey, if I pay,
Ferhat Dikbiyik 00:17:37 nobody will know and I will get my practice back. That shouldn't be the case. And they should, of course, have backups of all the systems they have, if they don't want to face these situations.
Todd Shryock 00:17:51 Is phishing still the main way that they're getting in? Or has that changed?
Ferhat Dikbiyik 00:17:56 Phishing is, based on our analysis, number two. It's still very dominant. Exploiting vulnerabilities is number one, phishing is number two, but it is very difficult to decouple them. You know, these groups, they use them together. Mostly for small clinics, probably phishing is the number one; for large healthcare institutions, exploiting vulnerabilities is the number one attack vector.
Todd Shryock 00:18:20 Okay. So a small practice should make sure its employees are trained on being able to recognize some of the common phishing methods?
Ferhat Dikbiyik 00:18:30 Yeah, definitely.
Todd Shryock 00:18:31 Okay. Anything else that you would like to mention about the report that we haven't talked about?
Ferhat Dikbiyik 00:18:37 I think we covered most of the things. But I just want to emphasize that, you know, healthcare risk is increasing and we will see more.
Ferhat Dikbiyik 00:18:49 So we need to stop that before it happens. We need to make sure that we stay vigilant, we understand the ransomware risk, and we do things before it happens.
Todd Shryock 00:19:02 Very good. Thanks for joining me today. This was very insightful.
Ferhat Dikbiyik 00:19:06 It's very, I'm very pleased to be here. Thank you.
Keith Reynolds 00:19:19 Again, that was Medical Economics managing editor Todd Shryock and Ferhat Dikbiyik, chief research and intelligence officer at the cybersecurity firm Black Kite. My name is Keith Reynolds, and on behalf of the whole Medical Economics and Physicians Practice teams, I'd like to thank you for listening and ask that you please subscribe on Apple Podcasts and Spotify. Also, if you'd like the best stories Medical Economics and Physicians Practice publish delivered straight to your email six days a week, subscribe to our newsletter at Medical Economics and Physicians Practice. Oh, and one more thing. Be sure to check out Medical Economics Pulse, a quick-hitting news podcast that offers concise updates on the most important developments affecting your practice, your bottom line, and the broader healthcare landscape, delivered by the editorial team at Medical Economics.
Keith Reynolds 00:20:05 Off the Chart, A Business of Medicine podcast is executive produced by Chris Messina and produced by Keith Reynolds and Austin Luttrell. Medical Economics, Physicians Practice and Patient Care Online are all members of the life sciences family. Thank you.