As COVID-19 ravages international healthcare systems, cybercriminals have decided to leverage the increasingly dire circumstances to squeeze a few bucks out of the human suffering.
According to new findings from Check Point Software, healthcare organizations have seen a 45-percent increase in cyberattacks since November, which is more than double other industry sectors, with an average 22-percent increase.
Researchers said these attacks include botnets, remote code execution and DDoS, but it’s ransomware that’s really become the weapon-of-choice against healthcare organizations.
“Ransomware attacks against hospitals and related organizations are particularly damaging, because any disruption to their systems could affect their ability to deliver care and endanger life – all this aggravated with the pressures these systems are facing trying to cope with the global increase in COVID-19 cases,” the Check Point report said. “This is precisely why criminals are specifically and callously targeting the healthcare sector: because they believe hospitals are more likely to meet their ransom demands.”
The report added that the primary two ransomware variants used are Ryuk and Sodinokibi.
“The number of cyberattacks on the global healthcare sector are simply getting out of control. And so, the questions at large are why hospitals? Why now?” Check Point’s manager of Data Intelligence, Omer Dembinsky, said about the findings. “The short answer is that targeting hospitals equates to fast money for cybercriminals. These criminals view hospitals as most willing to meet demands and actually pay ransoms.”
The fact that the criminals are using Ryuk shows they’re getting more professionalized and targeted in their campaigns, he added.
“The usage of Ryuk emphasizes the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign, which allows the attackers to make sure they hit the most critical parts of the organization and have a higher chance of getting paid,” he noted.
Ryuk Ransomware & Health Care
In October, a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and Department of Health and Human Services warned on the Ryuk ransomware, and later updated it to include Conti, TrickBot and BazarLoader. The advisory also pointed to an open-source tool to track TrickBot command-and-control (C2) servers.
The report explained that TrickBot and BazarLoader work as first-stage trojans to deploy ransomware, the most popular of which is Ryuk. Once the Ryuk actors are inside, they will map and enumerate the network. Then they can wait until they’re ready to strike, the report explained.
“Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key,” the advisory explained. “The Ryuk dropper drops a .BAT file that attempts to delete all backup files and volume shadow copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.”
That’s when the organization is contacted with ransom demands, and for many healthcare organizations fighting to keep up with patients, vaccines and staff shortages, paying the ransom is the only way to keep life-saving work going.
The first glimpses of the rise of ransomware attacks along with COVID-19 cases came last spring when researchers spotted malware campaigns against Canadian government healthcare systems.
The cases have skyrocketed since, especially this fall. Check Point said that in October the weekly number of attacks against healthcare organizations averaged 430, and by November, it had reached 626.
Ransomware-as-a-service has made it easy for criminals with little technical know-how to get in on the criminal enterprise, according to Limor Kessem, executive security advisor for IBM Security.
“You don’t just get cybercriminals doing cybercrime, there are really organized gangs that are added as well and they’re the ones that are causing the biggest trouble,” Kessem said during a recent Threatpost webinar devoted to ransomware. “Those are the ones who are asking hospitals to pay $42 million.”
These gangs are powered by purchased services that require little technical know-how.
“I think that we’ve also seen how much more ransomware-as-a-service is being offered and used.” Kessem added. “Really it’s just software-as-a-service there. We have these people who are non-technical or who are just really looking to make some money. And they’re able to use these tools to get in on this.”
Turns out nothing is sacred when there’s money to be made.
The good news is that there are things that healthcare systems and organizations can do to get ahead of the next ransomware attack. For one, Check Point urges security professionals to keep an eye out for TrickBot, Emotet, Dridex and Cobalt Strike infections on their networks.
“All of these can open the door for Ryuk,” Check Point’s report advised.
And remember, criminals don’t take weekends or holidays off, so Check Point reminded IT staffs to keep their guard up outside of normal business hours.
Besides that, tried-and-true employee awareness education, anti-ransomware tools and regular patching are basic, critical steps every organization should take.
“As the world’s attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes – so it is essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against COVID-related online crime,” according to Check Point.
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!