To say that healthcare was a busy vertical in 2020 might be the understatement of the previous decade and probably the next. We can all point to the pandemic as the largest event for healthcare, but unfortunately, not too far behind it is the current ransomware campaigns continuing to plague healthcare providers around the world in 2021.
Ransomware is defined as an attack against a computer or a system that renders the devices either temporarily or permanently unusable or inaccessible until a ransom is paid. This certainly is not a new issue in cybersecurity. Ransomware attacks have been a bane to the field for a long, long time. What is truly interesting is what has occurred over the last year specifically involving the impact on healthcare cybersecurity and ransomware attacks.
Healthcare Cybersecurity and the Ransomware Attacks of 2020
A quick review of ransomware attacks against healthcare organizations in 2020 shows a sobering view and would be anything but “quick” to research.
Let’s hit some of the major points.
- 239.4 Million attempted attacks in 2020 directed at healthcare Companies
- 560 healthcare Providers fell victim to malware attacks
- UVM Health Network systems were incapacitated for 40 days
- Ryuk hit Six (6) Hospitals over a 24-hour period
- Universal Health Systems’ network was down for 8 days
- Nebraska Medicine had to revert to paper tracking for days
- Healthcare ransomware attacks increased 71% from September to October and then increased another 45% in November.
- UHS Ransomware attack cost the company approximately $67M in losses
It’s not a pretty list, and those are just some of the highlights. So, what changed? Why have we seen such an increase in this activity in just one vertical?
What Changed for Healthcare Cybersecurity?
Healthcare Became the #1 Target for Cyber Criminals
The reason for the dramatic increase in healthcare can be summed up with a military term pretty well: “Fire for Effect”. Hackers are human. There is a human mind behind the keyboard directing attacks and modifying proven tools and building new ones. And while the rest of the world had a pretty bad year in 2020, healthcare was the epicenter as it relates to the pandemic, and bad actors were already on the hunt, looking for high-value targets with lots of money and resources.
The hacking industry (and it is an industry) is built off attempting to take as much money as possible as quickly and in the easiest way possible. Hackers knew that healthcare in 2020 had the funds and not the time to deal with issues, and due to environmental constraints, the focus on security just wasn’t there.
Healthcare in 2020 was a target-rich environment for hackers. The healthcare industry was not, and still is not, realistically capable of pausing “production” systems, taking them offline to restore from backup, and restoring them to then continue business. There just isn’t time – patients don’t pause being sick because the computers are down. And since cyber criminals are 100% opportunists, their healthcare targets, regardless of the human lives involved, were the easiest to attack to maximize profits in 2020.
Patient Care Took Priority Over Cybersecurity
This just needs to be said. We all know it. But just to drive the point home. Healthcare had bigger fish to fry in 2020 than security. Keeping the focus on patients amid a global pandemic is not a suggestion. IT project and Security project funding had been pushed. Healthcare budgets, thought to be secure, were being cut as profitable operations were pushed to the side.
So, updated tooling and defense capabilities might have been pushed backwards or cut entirely. However, when a patient’s life was lost due to a ransomware attack in Europe, it’s critical for security investments to be prioritized again in 2021 to minimize the biggest impact – the potential loss of human life due to a cybersecurity event. These are lessons learned that security leaders are still unpacking in 2021.
Ransomware Crime Coordinated Hacking Actions
Hackers “have operationalized against healthcare almost as a business model,” Wes Spencer – Perch Security
The Ryuk ransomware has led the charge in ransomware, specific to healthcare, in 2020. Ryuk first made an appearance in 2018 and is credited with gathering over 61 Million in ransoms from US businesses in 2019 based on a report from the FBI. 2020 started slow for Ryuk with more activity being seen by other families or variants; Conti specifically. September 2020 that changed with an updated version of Ryuk being spotted. Sophos has a good write up on the details of the variant seen here: “They’re back: Inside a new Ryuk ransomware attack”
What makes the new variant more dangerous is the combination of tools that have been seen in its use. Ryuk has traditionally been distributed on its own or as a dropper as part of TrikBot or Emotet. The industry has seen a new dropper, BazarLoader or BazarBackdoor, in use as well. Ryuk’s new variants are also taking advantage of major new zero days such as ZeroLogon to spread throughout a network faster than ever before.
US-Cert Released a National Cyber Awareness System Alert around the Target Ransomware threat: Alert (AA20-302A)
Maze and REvil
Ryuk has gotten a lot of credit for the attacks in healthcare, as it has caused the most direct damage so far, but there are other forms of malware involved currently.
Maze is a particularly nasty piece of malware that seems to have led the charge on causing as much damage as possible. Not only is Maze a piece of ransomware that will lock out or destroy data it also includes exfiltration methods for data discovered and encrypted. Imagine paying a ransom for critical user or customer data, to only find out that the keys sent back don’t work or to never get keys after paying the ransom and to then find out the customer data you lost is currently for sale on the dark web. That’s Maze. Crowdstrike has a good brief on Maze here.
REvil (Sodinokibi) is another ransomware that is following the same path that Maze has laid out. It is an older piece of malware, being based on GandCrab, but has a faster version cycle than Maze or Ryuk and REvil is a RaaS (Ransomware-as-a-Service). If you ever thought that hacking was not a business, this ransomware should correct your thinking. The major difference in the business model between REvil and Maze seems to be that REvil is going to try and sell you your data back, while Maze seems to just take it straight to dark web auction.
Coordinated Ransomware Attacks and Double-Extortion
So let’s review. The healthcare industry is critical and stressed. We have hacking groups that have proven to be successful at infecting this vertical and extracting either ransoms, or data to sell on the dark web, or in some cases, both – now known as “double-extortion” schemes. It’s just not a good situation for the good guys. The bad guys not only have effective tools but due to the amount of money and how critical the targets are currently, they are working together and coordinating amongst themselves. New variants are constantly being created and the groups are learning from each other on what works and what didn’t. They are literally selling ransomware code and SUPPORT for that code on the dark web. They are in business, and, unfortunately, the business of cyber crime right now is very, very good.
But not all is doom and gloom. There are effective means to keep these groups at bay.
Healthcare Leaders Have to Admit They Have a Problem
Security is a complex field. There are lots of things out there to worry about, and the current ransomware attacks and field of zero-days that have been announced certainly need attention. But, and this is critical, from a cybersecurity stance, we can’t just focus on these recent spates of attacks. Maze, REvil, and Ryuk are bad and complex. But in order to do harm, they have to first get into the network to cause problems, and second, they have to be able to laterally move through the network. If security teams working in healthcare can begin to manage those risks, the threats will be minimized. This requires a holistic approach to threat management and investing in security to protect and defend patient care.
The point here is to not miss the forest for the trees.
Expand Your View to Manage the Security Risks
To see the forest from the trees, you need to step back. Review the larger landscape and get a better grasp of what information is important at that time and what isn’t. This isn’t always easy to do especially on your own.
Focus on Endpoint Management – Because It’s Always the Endpoint
While focus on the protection and monitoring of the collapsing perimeter and trying to monitor email, and cloud for phishing attacks or other styles of intrusions is critical; it usually comes down to a user clicking on something they shouldn’t, smoke for visibility, and endpoints that are not locked down or don’t have adequate detection and prevention capabilities.
Endpoint issues can be based on technologies in use, policies deployed, or detection and prevention capabilities that haven’t been consistently updated.
Endpoint management and understanding your environment, to the best that you can, is the most effective means of protecting your company from coordinated and sophisticated attackers.
To do it well though, healthcare security teams need some help with the ability to help understand and focus monitoring. They need to determine risk and criticality of assets or entire sections of the environment and be fully prepared to coordinate responses across multiple technologies and locations. They will need to do this 24 hours a day, 7 days a week, 365.25 days in a year. For most healthcare organizations, a qualified cybersecurity partner will be needed to supplement the work of the in-house security team.
Deepwatch is a security Partner. I think it is important to point out that we don’t capitalize the “d” in our name but we will always capitalize the “P” in partner. Our named squads and multiple service and product offerings can help our healthcare clients understand the focus of their logs and clear the smoke for better visibility on what is currently deployed. Our technology and experts help healthcare organizations understand assets, like medical IoT, so they have a full picture of what their environment actually looks like for risky and business critical devices. In order to manage endpoint devices, Deepwatch helps ensure that our healthcare customers are leveraging the latest protections and that their valid policies have been updated and deployed correctly.
Deepwatch’s CTO Corey Bodzin published an article on Forbes detailing healthcare cybersecurity for ransomware attacks. In the article, he explains the threats facing the healthcare industry and how partnering with a managed detection and response provider can lead to improved protection and reduced risk.