A new Department of Health and Human Services Cybersecurity Program alert is reminding the healthcare sector of ongoing cyberattacks by the Mespinoza cybercriminal group, which has highly targeted the healthcare sector over the last two years with Pysa ransomware and other cyber threats.
HHS previously found that Pysa is among the top 10 ransomware threats to healthcare. It’s a cross-platform variant “and versions are developed in both the C++ and Python languages.”
“Although the Pysa variant has only been known to be operating since December 2019, it quickly became one of the more prolific threats against healthcare,” according to the alert. Data shows that “Pysa was one of the most aggressive among all ransomware groups in targeting healthcare over the last two years.”
Given the continued threat Mespinoza poses to healthcare, HHS is urging healthcare provider organizations to review the alert and adhere to industry-standard ransomware guidance to prevent successful exploits. The alert contains indicators of compromise and attack methods.
Mespinoza operates the “Pysa’s Partners” data leak site that leans on data extortion techniques to compel victims to pay. The U.S. is the group’s top target, which includes a range of sectors, such as education, utilities, and business services.
But the hackers have most notably targeted the public health and healthcare sectors over the last two years. In fact, while a number of threat actors falsely claimed they would leave healthcare providers alone during the COVID-19 pandemic, Mespinoza made it a point to both threaten and follow through with healthcare-specific attacks.
One of the most recent Pysa leaks was a post of multiple zip files the group claimed to have stolen from One Community Health, Woodholme Gastroenterology Associates, and Spartanburg & Pelham OB-GYN in September 2021.
Other purported healthcare victims include Assured Imaging, Nonin Medical, Piedmont Orthopedics/OrthoAtlanta. Assured Imaging is currently fighting a class-action lawsuit, after Mespinoza posted patient data allegedly stolen from the Arizona provider.
First observed in October 2018, the group is financially motivated. Outside of Pysa, Mespinoza leverages a number of tools that include ADRecon, Advanced Port Scanner, DNSGo RAT, Mimikatz, PEASS, and PowerShell Empire.
HHS warns that as of November 2021, the group has claimed 190 global victims through ransomware attacks alone — six of which were from the healthcare sector. Cyber Peace Institute research shows Pysa launched some of the largest ransomware attacks against healthcare targets during the pandemic.
The HHS alert details the standard execution flow Pysa follows during its attack, including how it begins through the creation of a mutual object exclusion “which it does for the same reason legitimate applications do — to ensure two processes or threads don’t attempt to write to the same memory space simultaneously.”
And much like other ongoing sophsiticated threats, Pysa is also known to perform basic reconnaise functions on the victim’s drives by leveraging the GetLogicalDriveStringsW, GetDriveTypeW, and CreateThread APIs.
Healthcare organizations should review the alert to find deep-dive insights into the IOCs and attack methods to assess their systems for key vulnerabilities, particularly as Pysa is known to leverage remote desktop protocol, PowerShell Empire, and Kodiac for its C2 communications.
Further, Pysa’s fundamental attack methods are not significantly different than other ransomware variants. Rather, the concern is the aggressive nature of the attack flow. As such, healthcare providers can rely on previously provided ransomware insights to shore up defenses.
HHS Office for Civil Rights previously released guidance for highly targeted ransomware attacks, while Mitre has a ransomware resource page specific to the healthcare sector.
The HHS alert also reminds healthcare organizations of the importance of employing defense-in-depth measures, an effective vulnerability management program, and the principle-of-least-privilege, along with leaning on multiple layers of filtering and threat detection applications.
“An effort should be made to constantly gather and deploy indicators of compromise in accordance with the organizational risk management plan. It’s worth noting that infrastructure associated IoCs often are often abandoned by cybercriminals after they become public but can also be reused over time as well,” HHS concluded.
