Ransomware Attackers Likely to Target Small to Medium-Sized Healthcare Organizations

A new RiskIQ report stated that ransomware groups are focusing their campaigns on smaller healthcare companies and clinics. Healthcare companies having less than 500 workers account for 70% of all reported healthcare ransomware attacks that succeeded since 2016.

RiskIQ’s studied 127 healthcare ransomware attacks and revealed that attacks from 2016 to 2019 increased by 35%. 51% of ransomware attacks were on hospitals and healthcare centers, 24% were on medical practices, and 17% were on health and wellness facilities.

Smaller healthcare providers most likely have less effective cybersecurity defenses than larger healthcare providers. RiskIQ states that 85% of SME hospitals lack a qualified IT security officer, thus gaps in security are not addressed. Paying the ransom is the more likely action in order to stay clear of the expensive downtime due to an attack. If the ransom is not paid, recovery often takes several weeks.

A Perfect Storm of New Targets and Methods

According to the RiskIQ intelligence brief “Ransomware in the Health Sector 2020,” there’s “a perfect storm of new targets and methods” because of the digital trend in healthcare. However, recent incidents exposed the healthcare sector to a lot more attacks. The 2019 Novel Coronavirus outbreak has spurred healthcare companies to come up with big changes. Almost instantaneously, there was decentralization of workforces and business operations. Hence, the protection gaps widened and visibility into attack surfaces decreased.

A number of ransomware groups have stated their intention not to attack healthcare providers throughout the COVID-19 public health emergency. However, a few groups would not do the same. It is easier to attack nowadays and they’re taking advantage of the situation. Cybercriminals are taking advantage of coronavirus problems, therefore, there’s a surge in malicious online activities that will likely affect healthcare amenities and COVID-19 responders.

Ransom Payment is Not a Guarantee of File Recovery

16% of healthcare ransomware attack victims claimed they paid ransom money to obtain the file decryption keys. The average ransom payment associated with those attacks was $59,000. Although paying the ransom is a solution, the FBI does not recommend it because it only promotes more attacks and the recovery of files is not 100%. In fact, a Wall Street Journal article mentioned that less than 50% of the decryption keys are not working, therefore some data loss is unavoidable even after paying the ransom. There were also instances that the attackers required another payment after paying the initial before providing the decryption keys. Paying a ransom additionally communicates a message to ransomware gangs that this target is very likely to pay if attacked, and so the healthcare provider might be targeted again by the attacker or others.

Ransomware gangs utilize a number of ways to access healthcare networks to install ransomware. One way is to use spam email to fool the healthcare employee into clicking malicious url links that download ransomware or opening email attachments that contain ransomware downloaders. Software vulnerabilities, particularly in Remote Desktop Protocol, are often exploited. Because a great number of employees are now using healthcare networks remotely through Virtual Private Networks (VPNs), ransomware gangs are also targeting VPN vulnerabilities. A number of vulnerabilities were identified in VPN facilities during the past year. Though patches are available to resolve flaws, they are usually not employed.

Action Steps to Minimize Risk and Stop Ransomware Attacks

Be sure to make backups regularly so that files can be recovered when an attack occurs. However, the backups do not guarantee data restoration. A number of threat gangs are performing manual ransomware attacks and use up a lot of time in network access prior to deploying ransomware. In addition, sometimes the attackers insert their ransomware even into backup systems to encrypt backups also.

RiskIQ recommends healthcare providers to store the created backups offline, or on other networks. Encryption of saved data is likewise essential. There was a growth in information stealing before ransomware deployment. When information is coded, even though it is stolen the attackers cannot access the information.

RiskIQ highlights the value of having an incident response strategy, because this is going to help make sure attacks are mitigated immediately to lessen damages. It is also very important to apply patches quickly.

During the COVID-19 crisis, make sure that all digital assets connecting to an external organization are monitored and secured, because attackers are looking for these gadgets.

It is furthermore crucial to get the workforce ready and train the employees to recognize threats like phishing attacks. Phishing simulation exercises could help to cut down susceptibility to ransomware attacks. IT groups must also be updated on the most recent attack trends that constantly change.