In the fall of 2020, a warning was issued to the healthcare and public health sector following a spike in ransomware activity. The joint CISA, FBI, and HHS cybersecurity advisory explained that the healthcare industry was being actively targeted by threat actors with the aim of infecting systems with ransomware. Several ransomware gangs had stepped up attacks on the healthcare and public health sector, with the Ryuk and Conti operations being the most active.
A new report from Check Point shows attacks continued to increase in November and December 2020, when there was a 45% increase in cyber-attacks on healthcare organizations globally. The increase was more than double the percentage rise in attacks on all industry sectors worldwide over the same period. Globally, there was an average of 626 cyberattacks on healthcare organizations each week in November and December, compared to 430 attacks in October.
The vectors used in the attacks have been varied, with Check Point researchers identifying an increase in ransomware, botnet, remote code execution, and DDoS attacks in November and December; however, ransomware attacks showed the largest percentage increase and ransomware remains the biggest malware threat.
Conti ransomware continues to pose a threat and has been used in many healthcare industry ransomware attacks, although Ryuk remains the most commonly used ransomware variant, followed by Sodinokibi. The biggest increase in attacks was in Central Europe, which saw a 145% spike in attacks, followed by East Asia (137%) and Latin America (112%). There was a 67% rise in attacks in Europe and a 37% increase in North America. The country with the biggest increase was Canada, which saw attacks increase by 250%.
Ransomware attacks are financially motivated. Ransomware gives threat actors a large payout within days of conducting an attack, and ransoms are often paid to allow files to be restored or to prevent the release or sale of stolen sensitive data. The healthcare industry is targeted because there is a higher probability that a ransom will be paid than in attacks on other industry sectors. Healthcare providers need to restore access to patient data quickly to ensure care can continue to be provided to patients, especially at a time when there is tremendous pressure due to the number of new patients requiring treatment for COVID-19.
While it is still common for ransomware to be distributed via spam email and exploit kits, the attacks on the healthcare industry have been highly targeted, with the main ransomware variants used in the attacks delivered manually. Initial access to healthcare networks is gained using a variety of methods. Many ransomware attacks start with phishing emails that deliver Trojans such as Emotet, TrickBot, and Dridex. Check Point advises security professionals to search for these Trojans on the network, along with Cobalt Strike, all of which are used to deliver Ryuk ransomware.
Many ransomware attacks start with a phishing email, so it is important to ensure that anti-phishing cybersecurity solutions are implemented, and for employees to receive regular training to help them identify phishing and social engineering attacks.
While most phishing attacks occur on weekdays during business hours, ransomware attacks commonly commence over the weekend and during holidays, when monitoring by security staff is likely to be reduced. Healthcare organizations are advised to raise their guard over the weekend and during holidays to detect attacks in progress.
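One way a security team could operationalize the off-hours point above is to weight alerts by when they occur. The following is an added example, not code from the article or from Check Point: it parses constructed log lines in an assumed "timestamp host event" format, flags any host renaming files in bulk (a common sign of mass encryption), and rates the same burst as critical when it falls on a weekend, a listed holiday, or outside the assumed business hours.

```python
from collections import defaultdict
from datetime import date, datetime, time

# Assumed policy values (not from the article): business hours, holiday list,
# and the per-minute rename count we treat as a mass-encryption burst.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
HOLIDAYS = {date(2020, 12, 25), date(2021, 1, 1)}
BURST_THRESHOLD = 20  # file renames from one host within one minute

# Constructed sample log lines in a hypothetical "<ISO time> <host> <event>" format.
# Tuesday 10:15 (business hours) and Saturday 03:02 (off-hours) bursts, plus noise.
SAMPLE_LOG = (
    ["2020-12-22T10:15:%02d ws-billing-03 file_rename" % s for s in range(25)]
    + ["2020-12-26T03:02:%02d ws-radiology-07 file_rename" % s for s in range(30)]
    + ["2020-12-23T14:00:00 ws-admin-01 file_rename"]
)


def is_off_hours(ts: datetime) -> bool:
    """True on weekends, listed holidays, or outside business hours on a weekday."""
    if ts.date() in HOLIDAYS or ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def parse(line: str):
    """Split one log line into (datetime, host, event)."""
    ts, host, event = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, event


def detect_bursts(lines):
    """Return {(host, minute_iso): severity} for hosts exceeding BURST_THRESHOLD."""
    counts = defaultdict(int)
    for line in lines:
        ts, host, event = parse(line)
        if event == "file_rename":
            counts[(host, ts.replace(second=0, microsecond=0))] += 1
    alerts = {}
    for (host, minute), n in counts.items():
        if n >= BURST_THRESHOLD:
            # The same burst is rated higher when staff are least likely to be watching.
            alerts[(host, minute.isoformat())] = "critical" if is_off_hours(minute) else "high"
    return alerts


if __name__ == "__main__":
    for (host, minute), severity in sorted(detect_bursts(SAMPLE_LOG).items()):
        print(severity, host, minute)
```

Feeding the sample log through the script yields a "high" alert for the weekday burst and a "critical" alert for the Saturday one; the single rename on ws-admin-01 stays below the threshold.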
Vulnerabilities in software and operating systems are commonly exploited to gain access to healthcare networks, so prompt patching is vital, but in healthcare it is not always possible for patches to be applied. Check Point recommends using an intrusion prevention system (IPS) with virtual patching capabilities that can prevent the exploitation of vulnerabilities in systems and applications that cannot be patched. Anti-ransomware cybersecurity solutions with a remediation feature that can block attacks within minutes of ransomware being deployed should also be used.