Ransomware, Risk Assessments/Management, Threat Management

Ransomware groups keep healthcare in sights, selling access on the dark web

The rate of sales for the healthcare network access to ransomware groups and affiliates has remained constant from the end of 2021 through the first half of the year. (Photo credit: “USNS Comfort (T-AH 20) Performs Surgery” by NavyMedicine is marked with CC PDM 1.0.)

Data from the Department of Health and Human Services Cybersecurity Program shows the rate of initial access brokers selling access to healthcare networks to ransomware groups and affiliates has remained constant from the end of 2021 through the first half of the year.

The new HC3 report on ransomware trends for 2022 so far confirms the sale of access to global healthcare entities on dark web forums has also remained consistent during the assessed time period. The concern is that the brokers are further enabling ransomware-as-a-service groups to focus more on the development of payloads and coordinate operations with affiliates.

In total, VPN and RDP access accounted for more than half of these forum advertisements, followed by compromised Citrix VPN appliances with 23% of the overall total. With a total of 0.07% each, Fortinet, RDWEB, and PulseSecure make up the remaining healthcare access list.

The report notes this targeting is likely tied to the accelerated adoption of remote access and cloud applications brought on to support the COVID-19 pandemic response, as often these access points were adopted without the implementation of basic security tools.

HC3 also outlined the three leading ransomware trends seen in 2022, so far. Healthcare entities should review these elements to better understand prioritization needs across the enterprise.

The primary ransomware actors targeting the healthcare sector are LockBit 2.0 and Conti, each with 31% of the total global healthcare attacks in H1 2022. Suncrypt accounted for 16% of the attacks, followed by ALPHV and Hive, both with 11% of the total attacks.

Most notably, Conti was behind the massive Ireland Health Service Executive attack in the summer of 2021, which left the country’s healthcare system offline for several months in the midst of a COVID-19 surge. The initial cost estimates reached more than $600 million.

The HC3 alert also warns that two financially motivated groups have shifted into ransomware operations. FIN7 began the shift at the end of last year and is tied to Maze, Ryuk, and one of the latest operators, ALPHV/BlackCat, while April 2022 reports show that “ransomware attacks conducted by FIN12 could reportedly be achieved in less than two days, compared to the previous timeframe of five days, when the group was first identified.”

FIN12 has specifically targeted the healthcare industry, leveraging Ryuk, Beacon, SystemBC, and Metasploit variants and is behind “some of the most prolific intrusions seen throughout 2021.”

Legitimate tools increasingly used by ransomware groups to avoid detection

Lastly, ransomware groups are increasingly using legitimate tools during ransomware intrusions to evade detection, including remote access, encryption, file transfer, and open-source tools. In these “living off the land” attacks, hackers use tools already present in the targeted environment instead of deploying customized tools and malware, enabling their actions to blend in with normal tasks.

The HC3 report contains a full list of the commonly leveraged tools, as well as the relevant detection opportunities and ATT&CK techniques.

Although there have been far fewer ransomware-related disruptions reported in the U.S. sector this year, so far, the report confirms that hackers are continuing to work behind the scenes for future nefarious activities. As such, HC3 is urging sector leaders to employ recommended mitigations, including reducing the attack surface and disabling certain unnecessary functions.

“Financially motivated and state-sponsored threat actors are highly likely to continue to evolve their tactics,” the report authors wrote. “Living off the Land (LotL) techniques leveraging legitimate tools are difficult but possible to detect.” Using a behavior-based approach, “a modern security information and event management (SIEM) tool can detect these techniques.”

And although some types of attacks can’t be easily mitigated with preventative measures given the “abuse of system features, there are detection opportunities for these techniques,” they added.
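As an added illustration of the behavior-based detection the report describes (this is not code from HC3 or from the article), the script below correlates constructed process-creation events per host: one legitimate tool on its own is ordinary admin work, but remote access, file transfer, and encryption tools appearing on the same host within a short window is the living-off-the-land chain worth escalating. The watchlisted tool names and the JSON event format are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of legitimate tools by category. The names are assumptions for
# illustration; an analyst would populate it from the HC3 report's tool list.
WATCHLIST = {"anydesk.exe": "remote_access", "rclone.exe": "file_transfer",
             "7z.exe": "encryption"}
WINDOW = timedelta(minutes=30)   # per-host correlation window
MIN_CATEGORIES = 2               # distinct categories needed to raise an alert

def parse_event(line):
    """Parse one JSON process-creation event (constructed format, not a real product's)."""
    ev = json.loads(line)
    return (datetime.fromisoformat(ev["ts"]), ev["host"],
            ev["image"].rsplit("\\", 1)[-1].lower())

def correlate(lines, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Behavior-based rule: one legitimate tool is ordinary admin work, but several
    categories (remote access + file transfer + encryption) on the same host inside
    the window is the LotL chain worth an analyst's time. Returns {host: categories}."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, image = parse_event(line)
        cat = WATCHLIST.get(image)
        if cat:                      # unlisted binaries (e.g. notepad) never count
            per_host[host].append((ts, cat))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                alerts[host] = sorted(cats)
                break
    return alerts

# Constructed sample events: srv-a shows the chained pattern, srv-b a lone
# archive job, srv-c two tools hours apart (outside the window).
SAMPLE_LOG = [
    r'{"ts": "2022-06-01T09:00:00", "host": "srv-a", "image": "C:\\Tools\\AnyDesk.exe"}',
    r'{"ts": "2022-06-01T09:12:00", "host": "srv-a", "image": "C:\\Tools\\rclone.exe"}',
    r'{"ts": "2022-06-01T09:20:00", "host": "srv-a", "image": "C:\\Program Files\\7-Zip\\7z.exe"}',
    r'{"ts": "2022-06-01T10:00:00", "host": "srv-b", "image": "C:\\Program Files\\7-Zip\\7z.exe"}',
    r'{"ts": "2022-06-01T08:00:00", "host": "srv-c", "image": "C:\\Tools\\AnyDesk.exe"}',
    r'{"ts": "2022-06-01T11:00:00", "host": "srv-c", "image": "C:\\Tools\\rclone.exe"}',
    r'{"ts": "2022-06-01T11:05:00", "host": "srv-c", "image": "C:\\Windows\\notepad.exe"}',
]
if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))   # {'srv-a': ['encryption', 'file_transfer', 'remote_access']}
```

Tuning the window and the category threshold against a site's own admin activity is what keeps this rule from firing on every backup job.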

Fortunately, the healthcare sector has a long list of resources to pull from that can support best practice mitigation of the leading ransomware threats, including those from HHS, Mitre, and the Health Sector Coordinating Council’s Cybersecurity Working Group.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
