New Data Reveals Extent of Ransomware Attacks on the Healthcare Sector

The CyberPeace Institute has released new data on cyberattacks in the healthcare sector. Based on the most recent statistics, 295 cyberattacks are known to have been conducted against the healthcare industry in the previous 18 months, between June 2, 2020, and December 3, 2021. The attacks occurred at a rate of 3.8 per week and took place in 35 countries.

Those attacks include 263 incidents that were either confirmed as ransomware attacks (165) or are believed to have involved ransomware (98), with those attacks happening in 33 nations at a rate of 3.4 incidents per week. Over the past 18 months, at least 39 different ransomware groups have carried out ransomware attacks on the healthcare sector. Those attacks have mainly targeted patient care services (179), followed by pharma (35), medical manufacturing & development (26), and other medical organizations (23).

The CyberPeace Institute analyzed darknet publications, communications with ransomware gangs, and interviews, and identified 12 ransomware gangs that had said they would not attack the healthcare industry during the pandemic yet continued to attack healthcare companies. At least six of the 12 have carried out attacks on hospitals.

The definition of healthcare used by the groups differs from what many people would consider to be healthcare. For instance, although all 12 of the ransomware gangs stated they wouldn’t target hospitals, many used vague terms to describe healthcare, such as "medical companies". Although that may suggest all healthcare was off-limits, numerous gangs regarded the pharmaceutical industry as fair game, on the grounds that pharma firms were profiting from the pandemic.

Three ransomware operations admitted that mistakes had been made and healthcare companies were attacked in error. They stated publicly that if a mistake is made, the keys to decrypt files would be provided at no charge. Nonetheless, there were instances where it was disputed whether an entity fell within the gangs’ definitions of exempt institutions.

It must be noted that once an attack happens and files are encrypted, the damage has already been done. Even when the decryption keys are provided free of charge, the attacked organizations still experience disruption to business functions and patient services. Restoring data from backups is not an easy process, and attacked organizations still need to cover substantial mitigation costs. 19% of attacks were confirmed as causing canceled consultations, 14% had patients redirected, and 80% involved the exposure or leak of sensitive information.

The CyberPeace Institute stated that a number of threat actors have specifically targeted the healthcare sector. One example given was a member of the Groove ransomware operation who was actively looking for initial access brokers who could provide access to healthcare sites. According to its data leak website, the Groove ransomware operation had a higher percentage of healthcare targets than of targets in other sectors.

Data from Mandiant show that 20% of ransomware victims are in the healthcare industry, indicating the industry is being heavily targeted. The FIN12 threat actor is well known for targeting the healthcare industry, and ransomware operations such as Pysa, Conti, and Hive have large percentages of healthcare institutions in their lists of victims (4%, 9%, and 12% respectively).

Though there was some deliberate targeting of the healthcare industry, many ransomware gangs use spray-and-pray techniques and attack indiscriminately, which results in healthcare providers being attacked along with all other industries. These attacks frequently involve attacks on Remote Desktop Protocol (RDP), indiscriminate phishing campaigns, or brute force attacks to guess weak passwords.

Regardless of whether healthcare companies are targeted by mistake, by design, or out of indifference, ransomware operators are operating with impunity and are de facto defining which companies are legitimate targets and which are off-limits. Their simplified distinctions disregard the complexity and interconnectedness of the healthcare field, in which attacking pharmaceutical companies during a pandemic can have just as harmful a human impact as attacking hospitals.