Call Ransomware Attacks What They Are: Terrorism

Date: February 12, 2024


A ransomware attack has disrupted operations at nearly two dozen hospitals in Romania by targeting the systems that hospitals use to manage patient data and scheduled procedures.

"During the night of 11-12 February 2024, a massive ransomware cyber-attack targeted the production servers running the HIS information system. As a result of the attack, the system is down, files and databases are encrypted," Bleeping Computer reports.

"The incident is under investigation by IT specialists, including cybersecurity experts from the National Cyber Security Directorate (DNSC), and the possibilities for recovery are being assessed. Exceptional precautionary measures have also been activated for the other hospitals not affected by the attack."

Takeaway: We need to call these attacks what they are: terrorism. Ransomware attacks on healthcare providers are not simply IT downtime events; they are calculated to inflict fear and the very real risk of harm or even death.

How can we continue to treat these attacks as being on par with an attack on a retail outlet where no lives are at stake? There is no doubt that ransomware attacks on healthcare providers should be considered cyberterrorist attacks.

It’s inconceivable that any attacks that are putting human lives at risk – whether it be via cyber or physical means – should be considered anything less than outright terrorism.

And the nations who provide safe harbor – or are directly supporting and likely controlling these threat actors – should be considered state sponsors of terror.

There are different sets of rules depending on how an attack is classified. Ransomware attacks are still considered a criminal act, and as such it is the purview of law enforcement to investigate, bring charges, and prosecute the offenders.

But a good deal of today’s ransomware attacks have no doubt crossed the line from cybercriminal activity to a national security threat, especially when we are talking about attacks on critical infrastructure entities.

How ridiculous is our current position on these attacks? Well, we have what are most likely Russian-based ransomware threat actors who are aligned with Russian state intelligence attacking not just healthcare providers, but also contractors for the U.S. Department of Defense.

Yet, the DoD is waiting for civilian law enforcement to come to their rescue?

“The Department of Defense office responsible for background investigations is working with law enforcement to examine claims by a prolific ransomware group that they have stolen documents containing sensitive data related to the U.S. military,” CyberScoop reported just a few days ago.

And while law enforcement has made a handful of arrests over the years, they have done nothing to stem the tide of ransomware attacks – in fact, records are being broken across the board: there are more attacks than ever, and the cost of recovering from them keeps growing.

And the number of organizations paying a ransom demand continues to grow as well, with payments to ransomware operators in 2023 exceeding $1 billion, breaking all previous estimations.

Ransomware operators are flush with cash, and they are re-investing a good deal of it in improving their attack infrastructure, infection vectors, security bypass capabilities, and malicious payloads.

The overlap of cybercriminal activity with nation-state-supported operations conveniently allows for plausible deniability by the aggressor nation, and they are leveraging ransomware gangs or other seemingly independent threat actors as proxies to conduct the attacks that are part of a larger geopolitical strategy.

Ultimately, it's these adversarial governments that are facilitating ransomware attacks with impunity, and until the U.S. government and our allies reclassify some of these attacks as state-sponsored terrorism and directly sanction rogue regimes, we will not see this spate of ransomware attacks abate any time soon.

Lives are at risk, as is our national security. We need more tools to address this scourge of ransomware attacks.

The 2004 National Military Strategy designated cyberspace as a “domain of conflict alongside the air, land, sea, and space domains,” and noted that the DoD will “maintain its ability to defend against and to engage enemy actors in this new domain.”

We have this muscle. It’s time to flex it.
