Threat actors are always on the lookout for pain points — manufacturing systems that can’t afford to go offline, critical infrastructure that can cause disruptions to everyday life or risks to human safety and, unfortunately, the health care sector. As COVID-19 cases were spiking across the country in late 2020, ransomware attackers took advantage of the chaos to strike dozens of U.S. hospital systems.
Over a 24-hour period in late October 2020, six hospitals across the United States were hit in a coordinated cyberattack that further stressed already overtaxed systems and put patient lives at risk. Criminals, believed to be from Russia, demanded a ransom of more than $1 million to unlock the systems.
Targeting health care
Health care organizations have long been a target of ransomware because, put simply, they are likely to pay: with patient care and safety at stake, prolonged downtime is not an option. In April 2020, Parkview Medical Center in Colorado was forced to revert to paper and pencil after being hit with a ransomware attack. But targeting multiple hospital systems at once in the throes of a global pandemic was a worrying escalation that could portend future attacks. If there were ever unwritten rules about which targets were off limits to ransomware crews, they now appear to have been abandoned in pursuit of a hefty profit.
Shortly after the attacks went public, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) released a joint advisory warning of the growing threat to health care, which CISA defines as a critical infrastructure sector.
“[There is] credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers. CISA, FBI, and HHS are sharing this information to provide warning to health care providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” read the joint advisory.
Among its key findings, the advisory warned that malicious cyber actors are targeting the health care sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft and the disruption of health care services. This threat is compounded by the COVID-19 pandemic, which has left hospitals overcrowded, overtaxed and already struggling to deliver care.
“The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed and profitability of victimization,” the release went on.
TrickBot began as a banking trojan and descendant of Dyre malware, but it now provides threat actors a full suite of tools to conduct illegal cyber activities, including credential harvesting, mail exfiltration, crypto mining, point-of-sale data exfiltration and the deployment of ransomware, such as Ryuk and Conti.
According to the advisory, threat actors are increasingly using loaders, such as TrickBot and BazarLoader (also known as BazarBackdoor), as the first stage of their intrusions. These are typically delivered via phishing campaigns whose emails contain either links to malicious websites that host the malware or attachments carrying it. The loader starts the infection chain: once executed, it retrieves the payload, installs the backdoor on the victim's machine and runs it, giving the operators a foothold from which to harvest credentials, move laterally and ultimately deploy ransomware.
According to an HHS Cybersecurity Program report, this strike was assessed to be a coordinated attack designed to disrupt hospitals around the country. Threat actors know what a ransomware or malware attack costs a hospital's operations: research by Coveware puts the resulting electronic health record (EHR) downtime at 15 days per year, on average. Medical data is also highly sensitive and must remain confidential, which is why it fetches a high price.
Shortly after the attack, a doctor at an affected hospital told Reuters the “facility was functioning on paper after an attack and unable to transfer patients because the nearest alternative was an hour away. …We can still watch vitals and getting imaging done, but all results are being communicated via paper only.”
In 2020, Emsisoft reported that 560 health care facilities were impacted by ransomware attacks in 80 separate incidents, and the HHS reported ransomware attacks were responsible for almost 50% of all health care data breaches in 2020.
The Ryuk factor
One of the biggest perpetrators of attacks on the health care sector has been Ryuk, a notorious ransomware family run by a criminal group believed to be based in Eastern Europe. Ryuk accounted for about one-third of the 203 million ransomware attacks recorded in the U.S. in 2020. The Wall Street Journal reported that Ryuk has hit at least 235 general hospitals and inpatient psychiatric facilities, plus dozens of other health care facilities in the U.S., since 2018. Ryuk is delivered in several ways and is frequently deployed through earlier-stage malware such as TrickBot.
So what can be done about Ryuk and future attacks on health care systems? HHS has said that, given the persistence of the newer Ryuk variant, prevention is a more effective tool than mitigation or remediation after the fact.
Ryuk infections most commonly begin with a dropper or loader that establishes a foothold on the victim's machine. CISA's Alert (AA20-302A), Ransomware Activity Targeting the Healthcare and Public Health Sector, recommends the following mitigations:
- Patch operating systems, software and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version for health care and public health organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
- Use multi-factor authentication (MFA) where possible.
- Disable unused remote access/remote desktop protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access allow-listing so that systems only execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
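The "monitor remote access/RDP logs" item above is the one most often left as a vague intention. As an added example (not code from the original article, from CISA or from HHS), the following Python script shows the kind of check a blue team would run over Windows Security log events: it looks at RemoteInteractive (RDP) logons only, flags a burst of failed logons (event 4625) from one source address, flags any successful RDP logon (event 4624) from a network that is not on the allow-list, and flags a success that follows a run of failures from the same source. The event records, the allow-listed network 10.20.0.0/16 and the 5-failures-in-10-minutes threshold are constructed assumptions for the example; in production the records would come from a SIEM or from Get-WinEvent on the host.

```python
"""Flag suspicious RDP activity in Windows Security log events.

Added example, not code from the original article or from CISA. Event
records are constructed here to mimic the fields of Security events 4624
(successful logon) and 4625 (failed logon); in production they would be
pulled from a SIEM or from Get-WinEvent on the host.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP / Terminal Services)
FAIL_THRESHOLD = 5             # failures from one source inside WINDOW that count as brute force
WINDOW = timedelta(minutes=10)
# Assumed allow-list of networks that may open RDP sessions (hypothetical for this example).
ALLOWED_RDP_NETWORKS = [ip_network("10.20.0.0/16")]

# Constructed sample events, not real log data. 203.0.113.0/24 is documentation address space.
SAMPLE_EVENTS = [
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "admin",         "TimeCreated": "2020-10-27T02:14:01"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "administrator", "TimeCreated": "2020-10-27T02:14:03"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "nurse1",        "TimeCreated": "2020-10-27T02:14:05"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "backup",        "TimeCreated": "2020-10-27T02:14:07"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "svc_ehr",       "TimeCreated": "2020-10-27T02:14:09"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "svc_ehr",       "TimeCreated": "2020-10-27T02:14:30"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.20.5.17",   "TargetUserName": "drjones",       "TimeCreated": "2020-10-27T02:15:00"},
    {"EventID": 4624, "LogonType": 2,  "IpAddress": "-",            "TargetUserName": "drjones",       "TimeCreated": "2020-10-27T02:16:00"},
    {"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.45", "TargetUserName": "admin",         "TimeCreated": "2020-10-27T02:40:00"},
]


def in_allowed_network(src):
    """True if src parses as an IP address inside one of the allow-listed networks."""
    try:
        addr = ip_address(src)
    except ValueError:          # "-" appears when the event recorded no source address
        return False
    return any(addr in net for net in ALLOWED_RDP_NETWORKS)


def detect_rdp_anomalies(events):
    """Return a list of findings; each is a dict with rule, source and detail."""
    findings = []
    recent_failures = defaultdict(list)   # source IP -> timestamps of 4625s inside WINDOW
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                      # console, service and network logons are out of scope here
        ts = datetime.fromisoformat(ev["TimeCreated"])
        src, user = ev["IpAddress"], ev["TargetUserName"]
        if ev["EventID"] == 4625:
            # Slide the window forward, then record this failure.
            recent_failures[src] = [t for t in recent_failures[src] if ts - t <= WINDOW] + [ts]
            if len(recent_failures[src]) == FAIL_THRESHOLD:
                findings.append({"rule": "rdp_bruteforce", "source": src,
                                 "detail": f"{FAIL_THRESHOLD} failed RDP logons within {WINDOW}"})
        elif ev["EventID"] == 4624:
            if not in_allowed_network(src):
                findings.append({"rule": "rdp_logon_from_unapproved_network", "source": src,
                                 "detail": f"user {user} logged on from {src}"})
            fails = [t for t in recent_failures[src] if ts - t <= WINDOW]
            if fails:
                findings.append({"rule": "rdp_success_after_failures", "source": src,
                                 "detail": f"user {user} succeeded after {len(fails)} failures"})
    return findings


if __name__ == "__main__":
    for f in detect_rdp_anomalies(SAMPLE_EVENTS):
        print(f"{f['rule']:40} {f['source']:15} {f['detail']}")
```

Run against the constructed events, the script raises three findings, all for 203.0.113.45: the brute-force burst, the logon from outside the allow-listed network, and the success that followed five failures; the console logon (LogonType 2) and the allow-listed logon from 10.20.5.17 are ignored, and the lone failure at 02:40 falls outside the window. The threshold and window are starting points, not fixed values; tune them against a baseline of normal help-desk and clinician activity before alerting on them.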