The Tsurugi Municipal Handa Hospital is a modestly sized, dreary pile in a somnolent corner of Shikoku island. It looks on to a river, backs on to a hill and serves an ageing local population last clocked at 8,048.
The perfect place, therefore, for the world’s most ruthless cyber-gangs to expand their assault on everyday life, shift the globalised ransomware war front deep into Asia and confront a whole new victim-scape with one of the more excruciating debates of modern business.
At this point the Handa hospital is just about back to normal, barring apologies and incident reports. But for two months at the end of last year, it was paralysed — unable to accept new patients and perform other basic functions after a ransomware attack targeting the extortionists’ sweet spot of medical records.
The assault on a stretched rural Japanese hospital during a pandemic would, under any circumstances, offer a chilling reminder of how unrepentant ransomware gangs are in pursuit of a payday. As a decade of rapidly rising attacks has shown (reported incidents more than doubled in the UK between 2020 and 2021), no company or institution is off limits, no weakness unexploitable, no threatened collateral harm too pitiless.
The medical, educational, infrastructure, legal and financial industries are favourite targets precisely because the stakes are so high and the threats so agonising. They are also getting more sophisticated. The average time spent inside a company’s network before a ransom demand is made is rising. The additional time, say former GCHQ officials in bleak briefings on the issue, is spent honing the most acutely painful threat.
The scale of financial carnage, too, continues to surge. In its 2021 report, IBM Security calculated that, globally, the average cost of a ransomware breach had hit a record $4.62mn — a figure that did not even include the ransom payment, which some experts reckon is handed over in at least a third of cases.
But the Handa incident, say cyber-ransom negotiators at Nihon Cyber Defence (NCD) — an agency that advises the Japanese government and whose team includes the founding head of the UK’s National Cyber Security Centre — underscores an important trend. The most powerful criminal gangs — large, richly resourced and highly professionalised ransomware teams thought to operate chiefly out of Russia, Belarus and other parts of eastern Europe — now have Japan squarely in their sights as the next, most readily squeezable victim. Its defences and expectation of attack are generally low, and the readiness of Japanese companies and institutions to pay is, at this stage, high.
For some years the US and Europe have been the principal feeding grounds for ransomware attackers but, even as the gangs adopt new strategies and conceal their expansion via “affiliate” structures, business in those countries is becoming less attractive. As those markets have become saturated with criminal activity, the experience and resilience of victims have increased. The cost-reward ratio of each attack is that much smaller. New vulnerabilities created by Covid lockdowns and remote working provided a lucrative windfall, but those benefits are now tapering.
Conveniently for the gangs, there are fresh pastures in Asia that have so far been comparatively under-grazed and one of wealthy Japan’s strongest natural defences — its language — is quickly evaporating.
Ransomware attacks and system breaches depend on an initial point of access. This often relies on a person in a company or institution falling into some carefully laid trap. Once, the emails and other communications that built traps were in such clumsy Japanese that intended victims smelled a rat. Now, with the help of AI translation software, local criminal gangs and, say experts, professional translators who may not know how their work will be used, the bait is dangled in perilously plausible Japanese.
The effect, say NCD executives, has been a sharp increase in attacks both in Japan and on Japanese companies’ operations around the world. The number of reported incidents remains very low — just 146 in 2021 — but likely represents a fraction of the true figure.
Japan will therefore confront the grim risk-reward dilemma familiar to other parts of the world. Should companies and organisations pay the ransom? And, crucially, should governments broadly make it legal (as in the UK) or illegal (as in the US) for them to do so? As Japan will discover to its cost, the criminals’ capacity to up the ante of their threat is limited only by their desire for the whole incident to end with them getting paid.
What is not on the table, as Handa hospital and its patients have found, is the hope that obscurity, size and line of work are any protection at all.