The healthcare industry should be expecting a wave of aggressive ransomware in the coming days, as many of the largest healthcare providers have already been hit, causing massive damage. Here are some tips healthcare providers can use to prepare.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) recently shared a Joint Cybersecurity Advisory to warn that they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
Based on the advisory, healthcare organizations need to take timely and reasonable precautions to protect their networks from these threats.
Current Ransomware in Healthcare Threats
At least five hospitals were hit with ransomware attacks this week, the federal agencies said. Ransomware attempts jumped 50% in the last three months compared with the first half of 2020, and hospitals and health care organizations were the hardest hit, according to a study earlier this year by Check Point Research.
A total of 59 U.S. health care providers or systems have been impacted by ransomware in 2020, disrupting patient care at up to 510 facilities, according to APNews.
Typical attacks demand several hundred thousand dollars, and some have demanded $5 million or more, the research group concluded. Hospitals are often targeted because criminals know they are more likely to pay than other businesses. That’s because hospitals can’t shut down for long without impacting patient care.
In June, the University of California San Francisco disclosed that it paid $1.14 million to ransomware attackers. In Germany, a woman died when a hospital under a ransomware attack couldn’t admit her. Universal Health Services, one of the nation’s largest health providers, was struck last week.
The advisory gave more information about the malware and ransomware strains involved:
TrickBot
The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization. These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the C2 server and install it on the victim’s machine.
What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators with a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, crypto mining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.
BazarLoader/BazarBackdoor
Beginning in approximately early 2020, actors believed to be associated with TrickBot began using BazarLoader and BazarBackdoor to infect victim networks. The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure. Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.
In addition to TrickBot and BazarLoader, threat actors are using malware, such as KEGTAP, BEERBOT, SINGLEMALT, and others as they continue to change tactics, techniques, and procedures in their highly dynamic campaign.
Ryuk Ransomware
Typically, Ryuk has been deployed as a payload from banking Trojans such as TrickBot. Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the files have .ryk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.
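As an added example (not code from the advisory or from Cybriant), the Python script below triages a directory tree for the two file-level indicators described above: the .ryk suffix and the HERMES tag. It assumes the tag is stored in files as the ASCII bytes `HERMES`; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

MARKER = b"HERMES"   # assumption: the tag is stored as these ASCII bytes
EXTENSION = ".ryk"   # suffix added in some infections, absent in others

def contains_marker(path, marker=MARKER, chunk=1 << 20):
    """True if marker occurs anywhere in the file, including across chunk edges."""
    tail = b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            if marker in tail + block:
                return True
            # carry the last len(marker)-1 bytes so a split marker is still seen
            tail = (tail + block)[-(len(marker) - 1):]
    return False

def triage(root):
    """Walk root; return {relative path: sorted indicator names} for flagged files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = set()
            if name.lower().endswith(EXTENSION):
                found.add("ryk-extension")
            try:
                if contains_marker(path):
                    found.add("hermes-tag")
            except OSError:
                found.add("unreadable")  # locked or denied: review by hand
            if found:
                hits[os.path.relpath(path, root)] = sorted(found)
    return hits

def demo():
    """Triage constructed sample files (placeholders, not real Ryuk output)."""
    samples = {
        "chart.pdf.ryk": b"\x8f" * 64 + MARKER,   # renamed and tagged
        "scan.dcm": b"\x11" * 64 + MARKER,        # tagged, name unchanged
        "notes.txt": b"ordinary clinic notes\n",  # clean
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root)

if __name__ == "__main__":
    for path, indicators in sorted(demo().items()):
        print(path, indicators)
```

Because some infections leave filenames unchanged, the content check flags files that an extension-only search would miss. A hit is a lead for an analyst rather than a verdict, since benign files can also contain the string.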
Why Do Criminals Target Hospitals with Ransomware?
The main motive behind any ransomware attack is profit. Criminals make money through organizations paying the ransom, by selling the stolen data on the dark web, or by using stolen credentials to pilfer money. Criminals target hospitals because of the massive amounts of personal data hospitals collect.
Most ransomware victims noted the loss of patient names, addresses, telephone numbers, email addresses, dates of birth, IP addresses, marital status, race, provider information, patient Social Security numbers, health insurance numbers, and mental or health condition or treatment information.
The aggressive offensive by a Russian-speaking criminal gang coincides with the U.S. presidential election, though there was no immediate indication it was motivated by anything but profit.
FBI Recommendations for the Healthcare Industry
- Check for Known Vulnerabilities
- Patch Your Systems on a Regular Basis
- Use Password Best Practices
- Use Multi-Factor Authentication
- Manage User Privileges
- Monitor and Audit Logs for Suspicious Activity
- Identify Critical Assets and Create Backups
- Update Antivirus or Antimalware
In addition to the best practices listed by the FBI, Cybriant recommends putting your organization on the offensive.
With a Managed Detection and Response (MDR) service, healthcare organizations are able to protect their endpoints on a 24/7 basis. Endpoints are typically the weakest link in any organization. Our expert security analysts monitor and record all the events that occur on your endpoints. Our team focuses on relevant threats that attempt data exfiltration or modification.
When a file attempts to execute a suspicious process, an alert is triggered, and the attack is halted in real time. When a credible threat is detected, our system will retrieve the process history, and our team will analyze the chain of events in real time and determine the validity of the threat.