At the end of October 2020, Checkpoint reported that hospitals and healthcare organisations had been targeted by a rising wave of ransomware attacks, with the majority of attacks using the infamous Ryuk ransomware. This followed a Joint Cybersecurity Advisory issued by the CISA, FBI and NHS, which warned of an increased and imminent cybercrime threat to US hospitals and healthcare providers.
Unfortunately, that cybercrime threat has worsened over the past two months. Since the start of November, there has been a further 45% increase in attacks targeting healthcare organisations globally. This is more than double the overall increase in cyber-attacks across all industry sectors worldwide seen during the same time.
The rise in attacks involves a range of vectors, including ransomware, botnets, remote code execution and DDoS attacks. However, ransomware shows the largest increase and is the biggest malware threat to healthcare organisations when compared to other industry sectors. Ransomware attacks against hospitals and related organisations are particularly damaging, because any disruption to their systems could affect their ability to deliver care, and endanger life – all this aggravated with the pressures these systems are facing trying to cope with the global increase in COVID-19 cases. This is precisely why criminals are specifically and callously targeting the healthcare sector: because they believe hospitals are more likely to meet their ransom demands.
Global overview of attacks
- Since 1 November 2020 there has been an increase of over 45% in the number of attacks seen against healthcare organisations globally, compared to an average 22% increase in attacks against other industry sectors.
- The average number of weekly attacks in the healthcare sector reached 626 per organisation in November, compared with 430 in October.
- Attacks involving ransomware, botnets, remote code execution and DDoS all increased in November, with ransomware attacks showing the biggest spike when compared to other industry sectors.
- The main ransomware variant used in attacks is Ryuk, followed by Sodinokibi.
Why are attacks spiking now?
The major motivation for threat actors with these attacks is financial. They are looking for large amounts of money, and fast. It seems that these attacks have paid off very well for the criminals behind them over the past year, and this success has made them hungry for more.
In September it was reported by German authorities that what appears to have been a misdirected hacker attack caused the failure of IT systems at a major hospital in Dusseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment. No hospital or healthcare organisation would want to experience a similar scenario, increasing the likelihood of the organisation meeting the attacker’s demands in the hope of minimising disruption.
It is also important to note that unlike common ransomware attacks, which are widely distributed via massive spam campaigns and exploit kits, the attacks against hospitals and healthcare organisations using the Ryuk variant are specifically tailored and targeted. Ryuk was first discovered in mid-2018, and soon after, Check Point Research published the first thorough analysis of this new ransomware, which was targeting the United States. In 2020, Check Point researchers at CPR monitored Ryuk activity globally and observed the increase in Ryuk's use in attacks aimed at the healthcare sector.
The COVID-19 cyber landscape
The pandemic has affected every aspect of our lives, and the cyber-security landscape has not been spared. From an upsurge in the registration of coronavirus-related malicious domains, to the use of related topics in phishing and ransomware attacks, and even fraud advertisements offering Covid vaccines for sale, we have seen an unprecedented increase in cyber exploits seeking to compromise personal data, spread malware and steal money.
Medical services and research organisations became targets for attacks seeking to steal valuable commercial and professional information, or to disrupt vital research operations. The use of test and trace apps for tracking individuals, which previously would have caused strong privacy-related opposition, has widely been adopted around the world, and is expected to outlive the pandemic. As the world’s attention continues to focus on dealing with the pandemic, cyber criminals will also continue to use and try to exploit that focus for their own illegal purposes – so it is essential that both organisations and individuals maintain good cyber hygiene to protect themselves against Covid-related online crime.
Tips to prevent ransomware and phishing attacks
- Look for trojan infections - ransomware attacks do not start with ransomware. Ryuk and other types of ransomware exploits usually start with an initial infection with a trojan. Often this trojan infection occurs days or weeks before the ransomware attack starts, so security professionals should look out for Trickbot, Emotet, Dridex and Cobalt Strikeinfections within their networks and remove them using threat hunting solutions – as these can all open the door for Ryuk.
- Raise your guard towards the weekend and holidays– most ransomware attacks over the past year have taken place over the weekends and during holidays when IT and security staff are less likely to be working.
- Use anti-ransomwaresolutions – although ransomware attacks are sophisticated, Anti-Ransomware solutions with a remediation feature are effective tools which enable organisations to revert back to normal operations in just a few minutes if an infection takes place.
- Educate employees about malicious emails– training users on how to identify and avoid potential ransomware attacks is crucial. As many of the current cyber attacks start with a targeted phishing email that does not even contain malware, just a socially engineered message that encourages the user to click on a malicious link, or to supply specific details. User education to help identify these types of malicious emails is often considered one of the most important defenses an organisation can deploy.
- Virtual patching – the federal recommendation is to patch old versions of software or systems, which could be impossible for hospitals as in many cases, systems cannot be patched. Therefore, we recommend using an Intrusion Prevention System (IPS) with virtual patching capability to prevent attempts to exploit weaknesses in vulnerable systems or applications. An updated IPS helps your organisation stay protected.