HC3 Reveals Trends in Ransomware Attacks on the HPH Sector

The tactics, techniques, and procedures (TTPs) utilized by ransomware and other cyber threat actors are continually evolving to avert identification and let the groups carry out more successful attacks. The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) has assessed and shared the TTPs used in the 1st Q of 2022.

In Q1 of 2022, most of the ransomware attacks on the Healthcare and Public Health Sector (HPH) were carried out by five ransomware-as-a-service groups. The LockBit 2.0 and Conti ransomware groups were responsible for 31% of attacks, followed by SunCrypt (16%), ALPHV/BlackCat, and Hive (11% each). The financially motivated threat groups FIN7 and FIN12 have also altered their activities and have moved to ransomware operations, with FIN7 working with ALPHV and FIN12 substantially involved in attacks on the HPH segment. FIN12’s participation has lowered the timescale for performing attacks from 5 days to 2 days.

Ransomware gangs frequently work with initial access brokers (IABs) that concentrate on getting access to companies’ networks, then sell the access to the ransomware groups. Using IABs helps ransomware gangs focus on making their ransomware variants and operating their RaaS campaigns, which enables them to focus on their TTPs and perform attacks that succeed. HC3 did not observe any transformation in the numbers of IABs working with ransomware groups in Q1 of 2022, with the same numbers observed throughout 2022.

IABs were most often found promoting general VPN/RDP access to the systems of HPH entities on cybercrime discussion boards, which is more than 50 percent of forum advertisements, and about 25% of ads were promoting compromised Citrix/VPN appliances. Organizations broadly implemented remote access solutions to help a remote labor force for the duration of the COVID-19 pandemic, however the rush to deploy meant non-implementation of standard security features, and extensive exploitation of vulnerabilities.

Ransomware gangs are more and more making use of living-of-the-land (LOTL) strategies in their attacks, employing genuine tools that are already accessible in the settings of large firms during ransomware attacks like Task Scheduler, CMD.exe, PowerShell, Sysinternals, MSHTA. The usage of these tools helps the gang’s malicious activities harder to identify.

Tactics consist of using

  • remote access tools such as Atera, AnyDesk, Windows Safe Mode, ManageEngine, ScreenConnect
  • encryption tools like DiskCryptor, and BitLocker
  • file transfer tools such as FileZilla FTP,
  • Microsoft Sysinternals tools for instance Procdump, Dumpert, and PsExec
  • open-source tools like Cobalt Strike, Mimikatz, Process Hacker, AdFind, and MegaSync.

Although the malicious use of these tools is hard to identify by security groups, there are discovery opportunities. HC3 suggests utilizing a behavior-based strategy to detect, for example a Security Information and Event Management (SIEM) tool, which can discover malicious usage of LOTL tools which signature-based recognition tools cannot.

Read the HC3 Ransomware Trends in the HPH Sector Report on this page.  It gives comprehensive information regarding the TTPs utilized by each ransomware operation, which includes the most frequently abused LOTL tools, appropriate ATT&CK strategies, and a long list of mitigations that could be enforced to avoid, find, react to, and recover from ransomware attacks.