Covering COVID-19 is a daily Poynter briefing of story ideas about the coronavirus and other timely topics for journalists, written by senior faculty Al Tompkins.
Good for the Justice Department’s ransomware task force for recovering some of the $4 million that Colonial Pipeline paid hackers who shut down gasoline distribution to the East Coast last month.
Not only did the feds recapture a couple of million dollars in cryptocurrency paid to Russian hackers, they also identified the hackers.
- The cost of ransomware incidents worldwide is expected to spiral out of control, exceeding $265 billion by 2031.
- Cybersecurity Ventures predicts that the damage caused by ransomware could cost the worldwide stage $265 billion by 2031, based on this type of cybercrime attacking both enterprises and consumers at a rate of one attack every few seconds.
- Currently, the cybersecurity agency estimates that ransomware will cost us approximately $20 billion this year, a 57x jump from 2015.
Ransomware attacks have hit local governments, police departments, hospitals, schools and even U.S. military facilities. Bloomberg gives us new insight into just how fragile our own online systems may be, reporting, “The hack that took down the largest fuel pipeline in the U.S. and led to shortages across the East Coast was the result of a single compromised password, according to a cybersecurity consultant who responded to the attack.”
Cybersecurity is not just a story for big media organizations. It is as local as the schools, governments and businesses in your community. It is as local as the system you are using to read this sentence.
A federal ransomware task force issued a report in April and even that report was split on whether it should be illegal to pay hackers a ransom. At a minimum, the task force said, any entity that pays a ransom should have to report it to the federal government, since such payments typically go to some sort of organized crime. The task force said:
In 2020, 560 healthcare facilities were hit by ransomware attacks in the U.S. alone. These incidents not only cost the victims millions of dollars in recovery, but they also have led to delays in patient treatment, and possibly loss of life. In September 2020, a ransomware attack led to the failure of computer systems at Duesseldorf University Clinic, requiring critically ill patients to be relocated to other facilities, and in the United States, an attack caused delays in treatment for cancer patients at the University of Vermont Medical Care and other facilities.
In May 2019, a ransomware attack on the City of Baltimore took critical services offline. The city refused to pay the ransom, but the recovery lasted several weeks and cost $18.2 million to restore systems back to their original state. Beyond the financial burden on taxpayers and the shutdown of services, the city’s inhabitants were no longer able to pay water bills, property taxes, or parking fines. Some residents who could not pay their bills saw their homes go into foreclosure. Databases tracking street drugs were knocked offline, people were unable to pay water bills and home sales were delayed. The city’s 911 dispatch system was knocked offline, and emergency calls made during that time were not recorded. The criminals threatened to publicly release data stolen during the attack to exert pressure on city officials to pay, in an early example of the “double extortion” tactic that has since become prevalent.
The task force found:
Rigzone, a website that covers the oil drilling industry, reports:
A 2020 survey of senior IT and security decision makers by the cybersecurity firm CrowdStrike Holdings Inc. said 27% of those surveyed paid the ransom, and the average payment was $1.1 million. In March, the cyber firm Kaspersky said 56% of victims paid the hackers.
A ransomware task force, in a report prepared by the Institute for Security and Technology, said ransomware victims paid $350 million in 2020, a 311% increase over the prior year, and it listed the average payment in 2020 as $312,493.
I have seen some reporting about whether insurers should be allowed to cover ransomware losses because it might encourage businesses not to be as vigilant as they should be.
Two phrases to learn when covering the ransomware story: chainhopping and mixing services
The federal task force that investigates ransomware explained why hackers so often use cryptocurrency:
Ransomware criminals typically demand that victims send their ransom payments via Bitcoin, but after receiving the payment in a designated digital “wallet” (software that stores public and private keys), the criminals typically obfuscate these funds as quickly as possible to avoid detection and tracking.
Their methods include “chainhopping,” which involves exchanging funds in one cryptocurrency for another using any of a variety of cryptocurrency exchanges. The funds can be extremely difficult to trace after they have been exchanged, and to further shield themselves, ransomware actors may use money-mule service providers to set up accounts, or use accounts with false or stolen credentials.
Ransomware criminals can also obscure their transactions through cryptocurrency “mixing services,” which muddy the public ledger by mixing in legitimate traffic with illicit ransomware funds. Some groups will also demand payments in currencies known as “privacy coins,” such as Monero, that are designed for privacy and make payments untraceable.
However, privacy coins have not been adopted as widely as might be expected because they are not as liquid as Bitcoin and other cryptocurrencies, and due in part to regulation, this payment method may become increasingly impractical.
The federal task force said while high-stakes hacking is increasing and is increasingly disruptive, hackers have found homes in safe-haven countries that do not do much to stop them. And, the report says, a relative few hackers do most of the damage.
The task force says governments should fund whistleblower campaigns that pay for information about hackers. And, the report says, the federal government should build a fund to help local governments pay the cost of repairing a hacked system if no ransom is paid.
Who covers cybercrime?
Onalytica, a website that publishes lists of top influencers in various fields, came up with who it considers to be some of the top journalists covering cybercrime. At least it will get you started if you are new to this beat:
- Chris Bing, Cybersecurity Reporter at Reuters. Follow on Twitter @Bing_Chris or view his LinkedIn profile.
- Jeff Elder, Cybersecurity Reporter at Business Insider. Follow on Twitter @JeffElder or view his LinkedIn profile.
- Kelly Jackson Higgins, Executive Editor at Dark Reading. Follow on Twitter @KJHiggins or view her LinkedIn profile.
- Brian Krebs, Investigative Reporter & Publisher at KrebsOnSecurity.com. Follow on Twitter @BrianKrebs or view his LinkedIn profile.
- Mohit Kumar, Founder & Editor-in-Chief at The Hacker News. Follow on Twitter @Unix_Root or view his LinkedIn profile.
- Steve Morgan, Founder & Editor-in-Chief at Cybercrime Magazine. Follow on Twitter @CybersecuritySF or view his LinkedIn profile.
- Kim Nash, Deputy Editor of The Wall Street Journal’s Pro Cybersecurity Newsletter. Follow on Twitter @KNash99 or view her LinkedIn profile.
- Nicole Perlroth, Cybersecurity Reporter at The New York Times. Follow on Twitter @NicolePerlroth or view her LinkedIn profile.
- Joe Uchill, Senior Reporter at SC Magazine. Follow on Twitter @JoeUchill or view his LinkedIn profile.
- Kim Zetter, Investigative Journalist & Author of Countdown to Zero Day. Follow on Twitter @KimZetter or view her LinkedIn profile.
In addition to journalists, Who’s Who In Cybersecurity covers professional influencers and amplifiers, brand employees and industry practitioners, event speakers, analysts, experts by category, and companies. Go here to download the full report.
And here is a quick list of some big company experts who talk a lot about cybersecurity:
You can also go here to find a deep list of experts on security, threat protection and more. These are people who speak about these issues, and their companies make them available to help you educate the public.
I have become a reader of Cybercrime Magazine, which has some really front-edge reporting on why some insurance companies are getting out of the business of insuring cybercrime losses.
FDA approves Alzheimer treatment drug despite controversy
As I alerted you a week ago, the Food and Drug Administration approved the first drug to slow cognitive decline in the early stages of Alzheimer’s.
The drug is expensive and controversial. Critics have said for more than a year that there is not enough proof that the drug, aducanumab, works. The FDA, while approving the drug, also directed Biogen, the company that makes it, to keep testing it while it is being used by patients outside drug trials.
The brand name for the drug is Aduhelm. While it is not a cure for Alzheimer’s, supporters say it may slow the progression of the disease.
Biogen said the yearly cost for a maintenance dose of Aduhelm, based on an average patient’s weight, would be $56,000. That’s a list price, not the net price or the price paid by patients with insurance. The out-of-pocket cost for patients with insurance will vary depending on their coverage. Analysts had expect(ed) it to cost between $10,000 and $25,000 per year, which would have already placed it among the most expensive medicines marketed to primary care physicians.
The treatment, administered intravenously once a month, is approved for all patients with Alzheimer’s disease. Clinical trials tested it only in patients with early-stage Alzheimer’s who have had a PET scan confirming the presence of amyloid in their brains.
Biogen says it will promise not to increase the price of the drug for “the next four years.” Make no mistake, this could be hugely important to Biogen. About 6.2 million Americans have Alzheimer’s, a number projected to more than double by 2050. StatNews says that Dr. Brian Abrahams, an analyst at RBC Capital, models peak sales of the drug reaching $5 billion in the U.S. at a slightly lower $9,600 per year cost. Abrahams assumes 18% of patients with mild or moderate Alzheimer’s will receive Aduhelm.
The big difference between Biogen’s drug and others is that it is stronger and focuses on a different patient group than other drugs. The Biogen drug is for people with mild memory loss and for people who are early in their diagnosis. Previous studies were mostly aimed at people who may have suffered too much loss of brain function for the drugs to help.
When the FDA asked outside experts to look at Biogen’s drug trial data, 10 of the 11 experts said the drug needed more study and even the 11th expert was unsure of the drug’s usefulness.
Public Citizen, a consumer advocacy group, said the approval shows the FDA and Biogen were too close. The group said, “The FDA’s decision shows a stunning disregard for science and eviscerates the agency’s standards for approving new drugs. Because of this reckless action, the agency’s credibility has been irreparably damaged.”
Alzheimer’s support groups celebrated the FDA’s decision. The group Us Against Alzheimer’s points out that this is the first major pharmacological breakthrough for Alzheimer’s patients in more than 17 years and that “no other major disease of Alzheimer’s scale and mortality has gone that long without incremental therapeutic relief.” But even with FDA approval, this drug, which is delivered intravenously, will not be for everybody. Us Against Alzheimer’s said in a statement after the FDA vote:
By delaying the progression for people in the early stages of the disease, this drug therapy promises to give people more time to live independently and perform daily activities longer.
We believe that FDA’s approval of aducanumab will have a positive ripple effect on pharmaceutical innovation far beyond this one drug. To get to the best-in-class drug — and ultimately a cure — there must be a first-in-class drug such as aducanumab. This approval will spark additional investment by other companies in disease-modifying treatments and therapies. With approval of this first drug, drugs 2, 3, 4 will follow, and at a faster pace.
We are very concerned about the ability of patients to gain access to aducanumab, particularly those on Medicare fee-for-service without supplemental insurance. And, shockingly, Medicare does not reimburse patients for the expensive PET scans important to determine whether someone is appropriate for this drug. We intend to work with Biogen and Medicare to make access to this drug affordable for every American who needs it.