New ransomware is bad news for healthcare organizations


CryptXXX Ransomware provides the scenario we feared most.  Not only does CryptXXX encrypt a victim's files, but it also copies data off of the victim's computer.  This can be considered unauthorized access, and needs to be reported as a Data Breach.  The following article is written by Art Gross, our partner at HIPAA Secure Now. Read his article to learn more about this very dangerous new ransomware, and what you can do to prevent it.

New ransomware is bad news for healthcare organizations

Well that didn’t take long. In a recent article I made the case that newer variations of ransomware could result in a reportable HIPAA breach.  I argued that if ransomware not only encrypted the victim’s files but also copied the files off of a computer or allowed access to the files, then the result could be a reportable breach.

CryptXXX Ransomware

A relatively new variation of ransomware called CryptXXX has been identified. Like older variations, the malware encrypts a victim’s files and demands a ransom to release the files. The ransom averages about $500.

But this variation not only encrypts the files, it also copies data off of the victim’s computer.  According to an article over at Enigma Software, an anti-malware vendor, CryptXXX ransomware collects or copies information:

The CryptXXX Ransomware can collect files, passwords, and other data, focusing on login credentials from the victim’s instant messenger applications, email clients, FTP programs, and Internet browsers particularly. The CryptXXX Ransomware also may collect BitCoin wallet credentials according to reports from PC security researchers.

As I argued in the previous article:

But as I mentioned, more sophisticated ransomware is starting to show up. And as ransomware evolves and starts copying data off of servers or desktops and/or starts loading other malware that may capture keystrokes or allow access to a system by a third party, breach determination is not so cut and dry.

To determine if a ransomware attack would result in a reportable breach, we can use the same methodology that we used to determine if a stolen or lost laptop would result in a reportable breach. Can forensics help determine if the ransomware allowed a third party access to the organization’s network? Did the third party view or access PHI? Did the ransomware copy PHI off of the organization’s network? Which PHI was copied?

Most Sophisticated Variants Coming

While CryptXXX may be one of the first ransomware variants to copy data off of a victim’s computer, it probably will not be the last. Stealing passwords and BitCoin wallet credentials makes for an even more powerful tool than just encrypting a victim’s data. Criminals will soon realize that with relatively simple searches they can find and copy social security numbers, credit cards, bank account information, driver’s licenses, etc. These modern-day cybercriminals are showing that they are quick to evolve: while holding the victim’s data hostage, they might as well walk around the house or office and steal other valuable information.

Impact on Healthcare

This latest development is not good news for healthcare organizations. Ransomware itself is a dangerous threat, but ransomware that steals information is even more of a threat because it could lead to a HIPAA reportable breach. Healthcare organizations face reputation damage by having to report a ransomware breach to patients, and a breach exposes the organization to an investigation by the Office of Civil Rights (OCR).


Art Gross is President and CEO of HIPAA Secure Now, our partner in providing HIPAA Risk Analysis services for our customers.  For information on conducting a thorough and accurate Security Risk Analysis for your healthcare organization, contact IntelliSuite today at 877-843-5767 or contact us online at

To learn about our HIPAA Security Risk Analysis services, visit our website at

Written by Art Gross