Ransomware Groups Use New Strategies for Attacking Victims to Increase Odds of Payment

Ransomware is still one of the most critical threats faced by the healthcare sector. Attacks can be extremely expensive to deal with, can cause substantial disruption to business functions, and can endanger patient safety. Ransomware groups are continuously altering their tactics, techniques, and procedures to gain initial access to systems, evade security solutions, and make recovery without paying the ransom harder. With more victims refusing to pay, ransomware groups have begun adopting more aggressive strategies to force victims into paying.

Targeting Telemedicine Providers

Various strategies are used to gain access to healthcare systems, including remote access technologies such as Remote Desktop Protocol (RDP) and VPNs, exploitation of unpatched vulnerabilities, and phishing, which remains a top attack vector. One of the newest phishing strategies targets healthcare companies that provide telemedicine solutions, particularly those offering online consultation services to patients. The threat actor impersonates a new patient and sends the healthcare company a decoy file that resembles their health records. The ransomware group assumes that, before the consultation, the physician will open the file to review the patient’s information. Doing so installs malware and gives the threat actor access to the device.

One of the major problems for ransomware groups is getting paid. When ransomware first appeared, recovering encrypted files required payment. Organizations that adopted sound data backup practices could restore their files without paying. To increase the likelihood of payment, ransomware groups turned to double extortion: sensitive information is exfiltrated before files are encrypted, and the attacker threatens to leak the information if the ransom is not paid. Even when backups exist, payment is often made to prevent the exposure of stolen data. However, this strategy is now much less effective. According to Coveware’s report, fewer victims are paying ransoms even when data has been stolen.

Using Triple Extortion Tactics

A number of ransomware groups have begun using triple extortion tactics to increase pressure on victims to pay. These tactics have been used in several attacks on healthcare companies. Triple extortion takes different forms, for example contacting patients using the contact details in the stolen files and attempting to extort money from them directly. The REvil ransomware group, now presumed to be behind the BlackCat ransomware, began contacting the victims’ clients or the press to inform them about the attack. Several groups have also carried out Distributed Denial of Service (DDoS) attacks on affected entities that refuse to pay. LockBit began demanding payment not only for the decryptor and to prevent a data leak, but also for the return of the stolen information.

A recent report by Brian Krebs of Krebs on Security talks about another new tactic discovered by Alex Holden, founder of the cybersecurity company Hold Security. This tactic is being used by Clop and Venus, two ransomware operations that target healthcare companies.

The Clop ransomware group used a tactic against healthcare companies in which malicious files disguised as ultrasound images are sent to doctors and nurses. This gang is one of those that started targeting healthcare companies that provide online consultation services. One successful attack involved a supposed patient with cirrhosis of the liver requesting a web consultation. The attacker chose cirrhosis of the liver because a physician would very likely need an ultrasound scan and other medical tests to diagnose the condition, so the records could plausibly be attached to the email.

Framing Executives for Insider Trading

Holden also described a new method tried by the Venus gang to compel victims to pay the ransom. The group attempts to frame officers of public companies by modifying their email inboxes so that it appears the officers were engaging in insider trading. One attack proved successful. The group inserted messages discussing plans to buy and sell large volumes of the company’s stock based on non-public information.

Holden cited one of the blackmail messages created by the Venus gang. The message to the CEO states that the gang imitated the CEO’s correspondence with a trading insider who supplies the financial reports of the firms in which the victim purportedly trades on the stock market. This practice is plainly a criminal offense under US federal law, and violators can be sentenced to about 20 years in prison.

Holden noted that implanting messages into inboxes is difficult, but it is feasible for a ransomware actor with access to Outlook .pst files, which an attacker would likely have after breaching the victim’s systems. Holden said the implanted emails may not withstand forensic examination, but they could still be enough to cause a scandal and reputational damage, which in turn might be enough to pressure the victim into paying the ransom.