
2 Minute Drill

The Hidden First Step in Healthcare Ransomware Attacks Revealed | 2 Minute Drill with Drex DeFord

About This Episode

Ransomware attacks don't always start with a ransomware gang. They start with someone who gets paid to find the door.

Aleksey Volkov, known online as ChewbaccaCore, was an initial access broker. His job was identifying vulnerable companies, exploiting their networks, establishing a foothold, and selling that access on dark web marketplaces. Over 16 months in 2021-2022, his work enabled attacks on seven confirmed US businesses, resulting in $9M in confirmed losses and $24M in intended ransom demands. In March 2026, he was sentenced to 81 months in federal prison.

For healthcare leaders, the takeaway is uncomfortable: healthcare organizations are premium listings on these dark web markets. Legacy systems, large vendor and contractor ecosystems, high-value data, massive operational disruption risk, and historically thin security investment relative to exposure all show up in the listing price.

Someone may have already found a way into your network. They may be holding it. It may have already been sold. Stopping a ransomware gang when they arrive is one problem. Knowing whether someone has already been paid to find the door is a different one.

Remember, Stay a Little Paranoid

X: This Week Health

LinkedIn: This Week Health

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer


Transcript

Hey, everyone. I'm Drex, and this is the Two Minute Drill. It's great to see you today. Here's some stuff you might wanna know about.

When healthcare executives think about ransomware, they tend to picture the group that locked up the system, the attackers who show up with the malware and then the demand. But the people who lock your systems are often not the people who first got into your network, and that's what Aleksey Volkov's story is about.

Volkov was twenty-six from St. Petersburg, Florida. Online, he went by ChewbaccaCore. His role in the criminal economy was specific. He found doors. He was a specialist. Think of him as a really good subcontractor who sold his skills to anyone, and again, he was really good at what he did. He ran the access side of the operation. He'd identify vulnerable companies and exploit their network and establish a foothold, and then he'd list what he had on dark web forums. Ransomware operators could buy that access outright, or they could pay Volkov a percentage of whatever ransom they eventually collected.

The dark web listings were remarkably mundane in their presentation. A network, an industry, an entry point, a price. It functioned with the same basic mechanics as any marketplace because that's what it was. I've talked about this before, but on these dark web marketplaces, buyers can rate sellers. There are dispute mechanisms. Think of them as arbitration courts. Volkov operated inside an industrial criminal supply chain where everyone had a specialty, and his was finding the way in.

Over a sixteen-month period between '21 and '22, his access sales enabled attacks on seven confirmed US businesses. An engineering firm, a bank, there were others. The confirmed losses came to nine million dollars. The intended ransom demands totaled twenty-four million dollars, and two victims paid. And the victims didn't just have their systems encrypted. They got harassing phone calls, DDoS attacks. Their stolen data was published publicly to increase pressure, all delivered by ransomware operators who paid Volkov for the initial access. He gave them the key to those companies' network door.

Federal investigators caught up to him in Rome. He was extradited to the US. He pled guilty, and in March 2026, he was sentenced to eighty-one months in federal prison with a nine point one million dollar fine for restitution. In his plea, he admitted to enabling ransomware attacks on critical infrastructure, attacks with, in the words of the court, life or death consequences.

For healthcare, here's why I'm telling you this story. Initial access brokers, that's what Aleksey was. They're actively listing healthcare targets. Healthcare orgs run legacy systems with known vulnerabilities and have large numbers of vendors and contractors who all have network access. The data is valuable. The disruption of an attack is enormous, and the security investment relative to the risk is often thin, and all that makes healthcare a premium listing on those dark web marketplaces.

So unfortunately, someone may already have found a door into your network, and they may have not used it yet. They may be holding it, or it may have already been sold to someone who's waiting for the right moment to drop that ransomware. That's how the market works. Stopping a ransomware gang when they arrive is one problem. Knowing whether someone has already been paid to find a way in and whether or not you'd even know about that, that's a different problem.

That's it for today's Two Minute Drill. I'd love to hear from you. Leave a comment, DM me, or send me a note. I'm drex@229project.com. Thanks for being here. Stay a little paranoid. I'll see you around campus.
