In late October 2020, CISA, the FBI, and HHS issued a joint cybersecurity advisory for the healthcare and public health sector after identifying a spike in ransomware activity.
The advisory warned that threat actors were deliberately targeting the sector with ransomware, and that several ransomware operations had stepped up attacks on healthcare and public health organizations, with the Ryuk and Conti operations the most active.
A new study from Check Point indicates that attacks continued to rise through November and December 2020, with cyberattacks on healthcare organizations worldwide increasing by 45%. That growth was more than double the percentage increase in attacks across all industry sectors globally over the same period. Healthcare bodies faced an average of 626 attacks per week in November and December, up from 430 per week in October.
The attack vectors have been varied: Check Point researchers observed growth in ransomware, botnet, remote code execution, and DDoS attacks in November and December. Ransomware showed the largest percentage increase, however, and remains the most serious malware threat.
Conti ransomware remains a threat and has been deployed in many healthcare sector attacks, although Ryuk is still the most commonly used strain, followed by Sodinokibi. The biggest rise in attacks was in Central Europe, with a 145% spike, followed by East Asia (137%) and Latin America (112%). Attacks increased by 67% across Europe and by 37% in North America. The country with the biggest increase was Canada, where attacks grew by 250%.
Ransomware attacks are conducted to make money. A successful attack can return a large payout quickly, since ransoms are often paid to restore access to files or to prevent the release or sale of stolen sensitive data. The healthcare industry is targeted because a ransom is more likely to be paid than in other industry sectors: healthcare organizations need to regain access to patient data quickly to keep delivering care, and that pressure was especially acute while large numbers of new patients required treatment for COVID-19.
While it is still commonplace for ransomware to be distributed via spam email and exploit kits, the attacks on the healthcare industry have been highly targeted, with the main ransomware strains deployed manually by the operators. Initial access to healthcare networks is obtained using a range of methods. Many of these attacks begin with phishing emails that deliver loaders such as Emotet, TrickBot, and Dridex. Check Point advises security teams to hunt for these Trojans on the network, along with Cobalt Strike, all of which have been used to deliver Ryuk ransomware. Because encryption typically follows days or weeks after the initial infection, detecting one of these loaders is often the last good opportunity to stop the attack before the ransomware stage.
Most ransomware attacks begin with a phishing email, so it is crucial to ensure that anti-phishing cybersecurity solutions are properly configured, and for employees to receive regular training to help them spot phishing and social engineering attacks.
While the vast majority of phishing attacks take place during business hours, the ransomware itself is mostly deployed at weekends and on holidays, when monitoring by security staff is likely to be minimal. Healthcare organizations are advised to strengthen monitoring and response coverage over weekends and holidays so that attacks already in progress are detected.
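The two points above, hunting for the Ryuk/Conti precursor loaders and treating off-hours activity as higher risk, translate naturally into an alert-triage rule. The following is an added example written for this page; it is not code from Check Point or from the CISA/FBI/HHS advisory. The alert record layout, the 08:00 to 18:00 Monday to Friday business window, the fixed UTC-5 site offset, the holiday list, and the sample alerts are all constructed assumptions for illustration; only the family names (Emotet, TrickBot, Dridex, Cobalt Strike) come from the article.

```python
"""Triage of constructed EDR alerts for ransomware-precursor activity.

Added example, not part of the Check Point report or the joint advisory.
Assumed (not from the source): the Alert record format, the business-hours
window, the site time zone offset, the holiday calendar and the sample data.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

# Loader families the article names as the stage that precedes Ryuk/Conti.
PRECURSOR_FAMILIES = {"emotet", "trickbot", "dridex", "cobalt strike", "cobaltstrike"}

# Hypothetical observed holidays; a real deployment would load the org calendar.
HOLIDAYS = {date(2020, 11, 26), date(2020, 12, 25), date(2021, 1, 1)}

BUSINESS_START, BUSINESS_END = 8, 18          # assumed local business hours
SITE_TZ = timezone(timedelta(hours=-5))       # assumed site offset (UTC-5, no DST handling)


@dataclass
class Alert:
    ts_utc: str    # ISO-8601 UTC timestamp from the sensor, e.g. "2020-12-05T15:00:00Z"
    host: str
    family: str    # detection/family label assigned by the sensor
    severity: str  # the sensor's own severity rating


def is_off_hours(ts_utc: str) -> bool:
    """True if the event falls on a weekend, a listed holiday, or outside business hours."""
    local = datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(SITE_TZ)
    if local.weekday() >= 5 or local.date() in HOLIDAYS:
        return True
    return not (BUSINESS_START <= local.hour < BUSINESS_END)


def is_precursor(family: str) -> bool:
    """True if the sensor's family label is one of the known ransomware-precursor loaders."""
    return family.strip().lower() in PRECURSOR_FAMILIES


def triage(alert: Alert) -> dict:
    """Assign a response priority to an alert.

    Any precursor family is escalated regardless of the sensor's own severity,
    because in these campaigns the loader is the hands-on stage that precedes
    encryption. Off-hours timing raises priority further: that is when the
    ransomware stage is typically launched and when human monitoring is thinnest.
    """
    precursor = is_precursor(alert.family)
    off_hours = is_off_hours(alert.ts_utc)
    if precursor and off_hours:
        priority = "P1"
    elif precursor:
        priority = "P2"
    elif off_hours and alert.severity.lower() in ("high", "critical"):
        priority = "P2"
    else:
        priority = "P3"
    return {"host": alert.host, "family": alert.family, "priority": priority,
            "precursor": precursor, "off_hours": off_hours}


# Constructed sample alerts (not real telemetry).
SAMPLE_ALERTS = [
    Alert("2020-12-05T15:00:00Z", "ws-radiology-07", "TrickBot", "medium"),     # Saturday
    Alert("2020-12-08T15:30:00Z", "ws-admin-12", "Emotet", "low"),              # Tuesday 10:30 local
    Alert("2020-12-25T13:00:00Z", "srv-file-01", "Generic.Trojan", "high"),     # holiday, 08:00 local
    Alert("2020-12-09T14:00:00Z", "ws-billing-03", "PUA.Toolbar", "low"),       # Wednesday 09:00 local
]


def run_triage(alerts=SAMPLE_ALERTS) -> list:
    """Triage a batch of alerts and return the decisions in input order."""
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for decision in run_triage():
        print(decision)
```

The design point is that the sensor's severity is not trusted on its own: a "medium" TrickBot hit on a Saturday is the highest-priority item in the batch, because the article's attack pattern says the ransomware stage is likely to follow while nobody is watching. A production version would replace the fixed offset with proper time zone handling and load the holiday calendar from the organization's own schedule.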
Vulnerabilities in software and operating systems are often exploited to gain access to healthcare networks, so prompt patching is important, but in healthcare it is not always possible to apply patches, for example on medical devices and legacy systems that cannot be taken offline or modified. Check Point advises deploying an intrusion prevention system (IPS) with virtual patching capabilities, which blocks exploitation attempts against known flaws in systems and applications that cannot be patched directly. Anti-ransomware solutions with a remediation feature should also be deployed so that an attack can be contained within minutes if ransomware begins encrypting data.