“Excuse me, ma’am, I think you dropped these.”

You turn to see a polite, clean-cut guy walking up behind you with a set of keys in his outstretched hand. When you tell him that, no, those are not your keys, he replies, “Oh, sorry. Is there a lost-and-found or someplace where I can drop them off? I’m pretty new here.” As you give him directions to the information desk, you also conduct a quick size-up: He’s dressed professionally, with a hospital ID lanyard around his neck leading to the identification card that’s tucked in his front shirt pocket. But you’re really looking at his shirt sleeve – that’s where most of the people who work at this hospital affix the little sticker that says they’ve had their temperature taken. He’s got one, so you both enter and go your separate ways.

The polite, clean-cut guy is me. I’m a cybercriminal, and I know if I make a connection with you, you’ll tell me what I need to know. The lanyard around my neck? I ordered quite a few over the Internet. The little adhesive stickers that “prove” I’ve been screened? Those are less than $10 at an office supply store and a few minutes with my desktop printer. The ID card (that I keep tucked in my shirt pocket) is also a pretty close replica. Will it stand up to close scrutiny? No, but you’re not going to ask to look at it – nor is anyone else in this hospital – because I’ve already directed your attention where I want it. I want you to believe I legitimately belong here. Even the mask I’m putting on my face as we walk through the doors has the hospital logo on it, just like yours. How do I know what those items look like? To quote President Joe Biden, “C’mon, man.”

You head off to your office once we’re inside, and I’ll watch you long enough to get some idea of where you work, but I also want to make sure I go the other way. I don’t really work here, remember?

Over the next few months, you and I will run into each other now and then; maybe in the parking lot or the hospital cafeteria, but always in a place open to the public and always in passing. I’ll nod and smile, maybe give you a little wave, but that’s it. I won’t approach you or try to engage you in conversation. I won’t ask you out for coffee. I won’t inquire about your family. I certainly won’t ask what you do for the hospital, because you might ask me the same thing. Again, I don’t really work here. I’ll be completely non-threatening. Yet because others will observe our interactions, they will believe I belong. I know you, so I must be OK.

Cybercriminals possess patience in abundance. I’ll blend into the background. If I ever suspect that I don’t, I’ll be gone. No one will miss me because I never really worked here in the first place.

While you and your colleagues continue to go to work every day, so do I. I scan social media for groups related to this hospital and see what people are saying about a wide range of topics. When I’m actually in the hospital, I listen. I listen in the hallways, the cafeteria, and the waiting rooms. People say the most amazing, interesting things when they think no one is listening. They talk a lot when they think those who are listening share their beliefs. At this particular hospital, the topic is money – as in who’s making a lot of it and who isn’t. Perfect.

From the comfort of my own home, I’ll create a few social media profiles. None of them are really me, of course, and eventually they’ll be discovered and discontinued by the platforms I’m using. By that time, I will have accomplished my goal of creating and promulgating discontent:

  • “Isn’t it a shame how much more money executives make than everyone else?”
  • “Shouldn’t the people who actually care for patients be the priority?”
  • “After all this COVID-19 stuff, shouldn’t the cleaning staff be paid better?”
  • “We’re called essential workers, but we’re paid like we’re disposable.”

You get the idea.

For every fake profile taken down I can create a new one. I have plenty of time, plenty of resources, and plenty of patience. I’ll even stop by the hospital now and then just to gauge the mood.

Then there is the artificial intelligence (AI) component. When I’m in the hospital, my phone is on and listening. Actually, both my phones are on and listening – lots of people have two cellphones these days. The “person” on the other end of the call is an AI entity that will create social media content on its own social media profile based on what it “hears.” For a cybercriminal like me, this type of “everyman’s AI” is a force multiplier. I let it listen in when I’m at the hospital, and it creates content based on the actual conversations being carried on by unsuspecting employees. It even “likes” and replies to some comments and carries on exchanges with other similar AI entities. How much more credible are those posts when the people who see them also know the (real) people who were actually involved in the original conversations?

I’ve also been doing a little footwork in addition to my online activities. After checking the social media profiles of the senior-most hospital administrators, it was really easy to watch for them as they drove into the parking lot. They are not my “targets,” at least not in the physical sense. I want the make and model of the cars they drive. Now that I know what the hospital administrator or CEO drives, I’ll create a catchy hashtag like #hospitalbossdrivesabenz. While that spreads, I’ll get a few sets of random keys and put a key FOB on each ring with that vehicle’s logo on it. On those same sets of keys, I’ll also put a flash drive with the hospital logo on it and the word “budget” or “payroll” or “staff reduction.” I have one of those new desk-top laser engravers at home, so placing a car logo on a key FOB or putting the hospital’s logo on a flash drive doesn’t take long at all. Both will look legitimate, I assure you.

Installed on those flash drives is a zero-day ransomware payload designed to spread laterally throughout the hospital computer system. It’s artificially intelligent. It learns where it’s allowed to go within the network while simultaneously learning both how to evade detection and how to penetrate protected systems.

Here’s a tip: those systems are not as protected as most believe them to be. The term “zero-day” refers to a payload which is newly developed and has not previously been seen or exposed to many networks. Most systems won’t recognize ransomware as a threat.

It costs me quite a bit of money, but that’s OK. I’m confident in the return on my investment. I’ve done this before, and your hospital is not the only organization I have targeted. Cybercriminals are great multi-taskers.

Mind you, it helps that ransomware has become a commodity. One of the best things about being a cybercriminal is that I no longer need to be an IT expert. I just need to know where to purchase the ransomware or malware.

Cybercriminals like me also need to know how to manipulate someone into using it. That process is much easier, quicker, and cheaper than becoming a computer expert. I’ve been incrementally manipulating the people at this hospital for months. I’ve blended into the background, so I have access to first-hand information. I’ve implemented social media campaigns designed to reinforce and amplify the feelings of income inequality and disenfranchisement within the work force. I’ve augmented those campaigns through artificial intelligence. I’ve verified through both social media and in person that my efforts have succeeded.

It’s time to find out if I’m as good at this as I think I am.

I can do the “lost keys” routine again with another employee a few months later. I can cut or dye my hair. I can grow facial hair. I can even put on a few pounds. The hospital employee I first approached would even have difficulty recognizing me, and that’s my goal. I’ve been doing this for a while, and I try not to leave anything to chance.

I did not have this second interaction by chance. I know the man I approached – not personally, of course, but I’ve been following his social media – and I know he’s not happy about his income compared to that of other hospital employees. It’s not guaranteed, but from what I’ve seen and heard I believe he’s going to sit down at his desk and plug in that flash drive. He’s not my only option, however. I’ve also “accidentally” left a similar set of bait keys in one of the employee restrooms. I’ll come back later to drop yet another set in the parking garage. Why later? It’s only fair I give the night shift a chance too.

It won’t take long for the ransomware payload to do its thing. When it does, I’ll get the return on my investment I alluded to earlier.

The hospital will pay the ransom. (They’re insured.) When they do, they’ll get their data back.

After all, organizations would stop paying ransoms if word got out they were paying but not having the access to their systems restored. When the story hits the media – “Local Hospital Pays Thousands to Recover Files in Ransomware Attack” – the hospital will talk about the complex, highly advanced payload that affected them.

The payload itself might have been highly advanced, but the delivery method was decidedly basic.

My particular “business model” dictates I move on to another target, but that does not mean I won’t try to get the most out of my efforts. While I had unrestricted access to hospital records, I made a copy. In a few weeks or months, I’ll reach out to the same hospital and threaten to expose those records unless I get paid another ransom. I’ll send along a few sample reports to prove I really do have them. A few months later, I can activate my sleeper malware and take the hospital website offline for 10-15 minutes. This, of course, will be accompanied by yet another ransom demand – payable immediately – or I’ll take the site down permanently.

To paraphrase a famous line from the movie “The Terminator,” (computers) “can’t be bargained with, they can’t be reasoned with.”

Computers will do only what we program them to do. People, on the other hand, are comparatively malleable.

Look at that! I made a connection with you, and you did what I wanted you to do. I did not need to be a computer expert. I didn’t need advanced information technology training. I didn’t need to know how to write code or develop software. All I needed was you.


Jim Sharp

Jim Sharp, MPCP, MoCEM, is the emergency management director for Warren County. Sharp is a 20-year veteran of the emergency management profession with FEMA certification as a Master Professional Continuity Practitioner and a Level 1 Certified Emergency Manager designation through the Missouri Emergency Management Association. He serves as a member of the Region C Incident Support Team, the U.S. Secret Service Gateway Cyber Fraud Task Force, and as an intelligence liaison officer with the Missouri Information Analysis Center. Sharp is also a qualified instructor for incident command system, National Incident Management System, and emergency operations center courses. He remains a highly sought trainer and speaker.

The Intersection of Sustainability and Risk Management
A company that aligns its financial goals with its environmental efforts can enjoy long-lasting benefits. It can generate profits and...
Resilience During a Recession
With a Global Downturn Looming, Companies Must Rethink ‘Ready’ Given recent data, a recession in the US seems increasingly likely....
Reset and Recover: Navigating the Road to Resilience
Subscribe to the Business Resilience DECODED podcast – from DRJ and Asfalis Advisors – on your favorite podcast app. New...
Navigating the Difficulties of Being Online as a Small Business
Launching a successful small business has never been easy. However, in today’s increasingly competitive global marketplace, the challenges aspiring entrepreneurs...