Guidance for Healthcare Organizations on Avoiding and Identifying Human-Operated Ransomware Attacks

Human-operated ransomware attacks on healthcare providers and critical infrastructure increased during the COVID-19 crisis. Victims in recent weeks include Parkview Medical Center, Brandywine Counselling and Community Services and ExecuPharm.

Many ransomware attacks are automated: they begin with a phishing email and, once the ransomware is installed, encryption typically starts within an hour. Human-operated ransomware attacks are different. The attackers gain access to systems weeks or months before the ransomware is deployed. In that time they harvest credentials, move laterally, and collect and exfiltrate data before the ransomware encrypts files.

The attackers may sit on a network for months, choosing the moment of deployment for maximum disruption. The COVID-19 crisis is an opportune time to deploy ransomware against healthcare providers and other organizations involved in the pandemic response, since an organization under pressure to recover quickly is more likely to pay the ransom.

According to Microsoft, in the first two weeks of April 2020 a range of sophisticated cybercriminal groups attacked healthcare organizations, research and pharmaceutical companies, medical billing firms, and suppliers to the healthcare sector, along with educational software companies, manufacturers, government organizations, and aid organizations.

Microsoft observed human-operated attacks using ten ransomware families: Maze, RobbinHood, PonyFinal, Valet Loader, REvil (Sodinokibi), NetWalker, RagnarLocker, Paradise, LockBit and MedusaLocker. Despite the different payloads, the attacks follow a similar pattern: the attackers first gain access to the network, then steal credentials, move laterally, exfiltrate sensitive data and establish persistence, and only then deploy the ransomware payload.

Microsoft has published details of how the attackers gain access so that network defenders can strengthen their defenses and prevent attacks. Although there are many possible ways to attack an organization, these threat actors generally rely on the same few methods to gain initial access.

One of the most common is through Remote Desktop Protocol (RDP) or virtual desktop endpoints that lack multi-factor authentication, using stolen credentials or brute-force guessing of weak passwords. Without multi-factor authentication, a stolen or guessed password is all that is needed to log in. Because the logons use valid credentials, they blend in with legitimate activity and are easily missed; what gives them away is the surrounding pattern, such as a burst of failed logons from one source address shortly before a success, logons from unfamiliar addresses, or logons at unusual hours.
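As an added illustration of that pattern (example code written for this article, not part of Microsoft's guidance or any product), the following Python script scans Windows Security log records for a successful RDP logon that closely follows a burst of failed logons from the same source address. The final logon itself uses a valid password, so it is the failures before it that reveal a brute-force or password-spraying entry. The event records, the five-failures-in-ten-minutes threshold and the addresses are constructed assumptions.

```python
"""Detect RDP logons that follow a burst of failed logons from the same source.

Added example, not part of Microsoft's guidance or tooling. It works on the
fields of Windows Security events 4625 (an account failed to log on) and 4624
(an account was successfully logged on); logon type 10 (RemoteInteractive) is
RDP. The events below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failed logons from one source address ...
WINDOW = timedelta(minutes=10)   # ... within this window before a success

# Constructed sample events in the shape of parsed Security log records.
# Failed logons are counted regardless of LogonType because RDP endpoints that
# use Network Level Authentication report failures as type 3 (network), not 10.
SAMPLE_EVENTS = [
    # 203.0.113.45 guesses several accounts against the RDP gateway, then gets in.
    {"event_id": 4625, "time": "2020-04-06 02:11:05", "ip": "203.0.113.45", "user": "administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 02:11:09", "ip": "203.0.113.45", "user": "administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 02:11:14", "ip": "203.0.113.45", "user": "admin", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 02:11:20", "ip": "203.0.113.45", "user": "backup", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 02:11:27", "ip": "203.0.113.45", "user": "jsmith", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 02:11:33", "ip": "203.0.113.45", "user": "jsmith", "logon_type": 3},
    {"event_id": 4624, "time": "2020-04-06 02:11:41", "ip": "203.0.113.45", "user": "jsmith", "logon_type": 10},
    # 10.0.0.22: a staff member mistypes a password once, then logs in. Not an alert.
    {"event_id": 4625, "time": "2020-04-06 08:02:10", "ip": "10.0.0.22", "user": "mlee", "logon_type": 3},
    {"event_id": 4624, "time": "2020-04-06 08:02:25", "ip": "10.0.0.22", "user": "mlee", "logon_type": 10},
    # 198.51.100.7: guessing continues, but there is no successful RDP logon yet.
    {"event_id": 4625, "time": "2020-04-06 09:30:00", "ip": "198.51.100.7", "user": "administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 09:30:04", "ip": "198.51.100.7", "user": "administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 09:30:08", "ip": "198.51.100.7", "user": "administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 09:30:13", "ip": "198.51.100.7", "user": "administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 09:30:17", "ip": "198.51.100.7", "user": "administrator", "logon_type": 3},
    {"event_id": 4625, "time": "2020-04-06 09:30:21", "ip": "198.51.100.7", "user": "administrator", "logon_type": 3},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_brute_force_logons(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One alert per successful RDP logon (4624, type 10) that was preceded by
    at least `threshold` failed logons from the same source inside `window`."""
    failures = defaultdict(list)          # source ip -> [(time, user), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        t, ip = _ts(ev["time"]), ev["ip"]
        if ev["event_id"] == 4625:
            failures[ip].append((t, ev["user"]))
            continue
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue
        recent = [(ft, u) for ft, u in failures[ip] if t - ft <= window]
        if len(recent) < threshold:
            continue
        alerts.append({
            "ip": ip,
            "user": ev["user"],
            "time": ev["time"],
            "failures": len(recent),
            # Many distinct names with few tries each points to password spraying.
            "distinct_users": len({u for _, u in recent}),
        })
        failures[ip].clear()              # do not re-alert on the same burst
    return alerts


def ongoing_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Source addresses with at least `threshold` failed logons inside any
    sliding window, whether or not a success has been seen yet."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_ip[ev["ip"]].append(_ts(ev["time"]))
    noisy = set()
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for x in times[i:] if x - start <= window) >= threshold:
                noisy.add(ip)
                break
    return noisy


if __name__ == "__main__":
    for a in find_brute_force_logons(SAMPLE_EVENTS):
        print(f"ALERT {a['time']} {a['ip']} logged in as {a['user']} after "
              f"{a['failures']} failures ({a['distinct_users']} accounts tried)")
    for ip in sorted(ongoing_brute_force(SAMPLE_EVENTS)):
        print(f"NOTE  password guessing from {ip}")
```

A burst against a single account is classic brute force; the same number of failures spread across many account names (the distinct_users figure) is password spraying, which is designed to stay under per-account lockout thresholds, so the per-source view is the one that catches it. In production the records would come from a SIEM or from Get-WinEvent rather than an in-memory list, and the threshold and window should be tuned against a baseline of normal failed-logon noise.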

Weaknesses in internet-facing systems are also frequently exploited, including misconfigured web servers, backup servers, electronic health record (EHR) systems, and systems management servers, as are unpatched vulnerabilities. Some of the April 2020 attacks exploited the Pulse Secure VPN vulnerability CVE-2019-11510 and the Citrix Application Delivery Controller (ADC) vulnerability CVE-2019-19781, both of which had patches available months before the attacks. Vulnerabilities in unsupported operating systems are exploited as well. Keeping operating systems supported and applying patches promptly after release closes off these routes. One caveat: CVE-2019-11510 allowed credentials to be read from the VPN appliance, so patching alone does not evict an attacker who harvested them before the patch was applied; those credentials need to be reset too.

These attacks are not designed for a quick payout. The threat actors take their time to obtain administrative credentials and move laterally with the aim of reaching the organization's entire environment, including inboxes, EHRs, endpoints, and applications. Most of the attacks involved data exfiltration, either to sell the data or use it for other malicious purposes, or to pressure the organization into paying the ransom.

The gap between initial compromise and ransomware deployment gives network defenders a window in which to detect and stop the attack. Although the threat actors try to hide their activity, lateral movement is often detectable. Defenders should look for activity that may indicate an attack in progress, including the use of penetration-testing tools outside of any sanctioned test, tampering with security logs, suspicious registry changes, and suspicious access to the Local Security Authority Subsystem Service (LSASS) process, which attackers target to harvest credentials from memory.

Microsoft's guidance also covers hardening measures to prevent attacks, and procedures for investigating, isolating compromised endpoints, and recovering should an attack be discovered.