Facing the Health Ransomware Threat – Q&A with Kellyn Wagner Ramsdell

Kellyn Wagner Ramsdell is a Senior Cyber Threat Intelligence Analyst at MITRE. She began her career in local government combining intelligence analysis and incident response, often in response to ransomware attacks.


Why should health organizations be concerned about ransomware?

In the first five months of 2021, the Department of Health and Human Services (HHS) identified 48 ransomware infections impacted healthcare organizations in the United States. For healthcare victims of ransomware infections, Sophos states the average cost in 2020 often exceeded $1.27 million and continued long after the infection was resolved. Many healthcare victims of ransomware face long-term recovery costs, including costs to rebuild networks and lawsuits from patients.

Ransomware started impacting patient care in 2015 and healthcare remains a profitable sector for ransomware operators. As these groups professionalized, they have been further able to monetize attacks against healthcare providers. Since 2019, some ransomware operators have been stealing data before encrypting it, and then demanding a ransom to prevent the public release of that data. This double extortion tactic has proven to be especially damaging to healthcare organizations. As these groups continue to look at opportunities to monetize their operations, healthcare organizations will remain a prime target. Those interested in learning more about how the groups have evolved can read our latest resource, “The Evolution of Ransomware.”

How can organizations prepare for a ransomware attack?

Review the Ransomware Resource Center for key resources to help understand and prepare for potential threats. The best defense against ransomware is secure networks and systems. The Designing Defenses section of this site provides resources specific to ransomware defense.

The next steps are to build robust detections that allow defenders to identify adversary activity in their environment. Information on writing and implementing these detections is available on the Cyber Analytics Repository page.

Having a well-developed and well-exercised response plan is the best way to mitigate the impact of a ransomware attack. Many of the resources for building an incident response plan are available on the Incident Preparedness and Response page. For a plan to be useful in an attack, it needs to be exercised. Organizations can review guidance for tabletop exercises on the Cyber Tabletop Exercises page.

The steps above are just initial starting points for an organization looking to defend itself from ransomware. There are abundant resources on this site which provide guidance on many aspects of ransomware prevention and response.

How is MITRE helping defenders understand and protect against ransomware?

MITRE specializes in bringing together diverse perspectives to solve problems. In the case of ransomware, MITRE views it from the lens of responder, malware analysis, defensive cyber operations, cyber threat intelligence, risk management, and many others.

We’re applying these perspectives as we work to develop resources and solutions to tackle the ransomware challenge. Many of these resources are available in this Ransomware Resource Center.

MITRE also develops and maintains MITRE ATT&CK®, a knowledge base that describes cyber adversary behavior. Through the framework, MITRE has been tracking and publishing details on various ransomware groups and their common tactics, techniques, and procedures. Learning about specific adversary actions gives defenders concrete strategies to defend against and to disrupt ransomware operators.

Our latest resource ”The Evolution of Ransomware” outlines the history of ransomware and the threat it poses against health organizations.


Approved for Public Release; Distribution Unlimited. Public Release Case Number 21-3419
©2021 The MITRE Corporation. ALL RIGHTS RESERVED

Pin It on Pinterest

Share This