CyberPeace Institute finds at least 39 ransomware operators have targeted healthcare sector


At least 39 ransomware operators have attacked one or more healthcare organizations across 27 countries over the past 18 months, recent data from the CyberPeace Institute revealed. These attacks have occurred against the backdrop of the raging COVID-19 pandemic, in spite of many of these groups’ claims that they would not target healthcare organizations.

The CyberPeace Institute has tracked ransomware attacks against the healthcare sector, and those who perpetrate them, as part of its Cyber Incident Tracer (CIT) #HEALTH platform. The institute examined darknet publications, correspondence, and interviews with the most prominent ransomware operators. It identified 12 groups that have promised not to attack healthcare organizations while in fact doing exactly that. This discrepancy can partially be explained by which types of organizations they perceive as belonging to healthcare, it said.

Pharma companies were defined as legitimate targets by most as they allegedly ‘benefit from the current pandemic.’ All 12 of the groups either singled out ‘hospitals’ as being off-limits or used vague terms like ‘medical organizations,’ leaving room for broad interpretation. Nonetheless, at least six of these ransomware operators have also attacked hospitals.

Bernhard Schneider of the CyberPeace Institute identified the underlying issue as a continuing lack of accountability, which has enabled these groups to act with near impunity and from a position of power.

“This is partially due to the fact that the analysis of such actors has often relied on the information that these groups themselves are willing to show under the guise of their brands,” Schneider wrote in a blog post. “However, these brands are only a vehicle and ransomware merely a tool. Thus, to hold their culprits accountable requires looking beyond just their ransomware brands into the cyber (criminal) ecosystem,” he added.

Data released by the CyberPeace Institute showed that in the case of three ransomware operators, such attacks can happen by mistake, in which case a decryption key would supposedly be provided free of charge. As noble as they may try to present this gesture, intent matters little for the victims. Once the ransomware is deployed, the damage is done. 

An example of this would be DoppelPaymer’s attack on the University Hospital Düsseldorf on the night of Sept. 11, 2020. The attack made global headlines after a 78-year-old woman tragically passed away when she had to be diverted to a hospital 32 km away. Despite the attackers providing a decryption key shortly after being informed that they had attacked the ‘wrong’ target, data still could not be retrieved from the hospital’s IT systems for the following weeks.

Cyberattacks against healthcare organizations are not always the result of careless targeting ‘mistakes.’ For some, it is by design. In October 2021, a threat actor believed to be associated with Groove ransomware specifically requested network access to hospitals in the U.S. and EU. This seems to be more than just empty talk. While the sample size of victims on Groove’s data leak site remains relatively small, it is nonetheless indicative. With 37.5 percent of victim organizations on the data leak site being patient care facilities, Groove has the highest percentage of healthcare targets vis-à-vis other sectors.

For others, this targeting is less explicit but the numbers speak volumes. 

According to cybersecurity firm Mandiant, 20 percent of the targets of the prolific FIN12 group are healthcare organizations. FIN12 has been linked to the Ryuk ransomware, which was used in the 2020 attack against United Healthcare Services (UHS). The attack disrupted services across all of the healthcare network’s 400 locations. Authorities had previously issued alerts for the healthcare sector explicitly warning about Ryuk. Similar alerts have also been issued for Conti, Hive, and Pysa, whose respective shares of healthcare targeting are 4 percent, 12 percent, and 9 percent.

There is a third category of ransomware operators, namely those that have remained silent on the matter. The majority of the ransomware operators referenced on the CyberPeace Institute’s CIT platform fall into this category. For 15 of the 21 groups in this category, silence correlates with a lower online presence, such as less elaborate data leak sites and communications, and a lower victim count.

However, the remaining six exhibit targeting tendencies similar to those of Hive, with an average healthcare targeting of 12 percent. At best, this is the result of indiscriminate spray-and-pray tactics, such as phishing campaigns or Remote Desktop Protocol (RDP) brute-force attacks. At worst, it is an indicator of malicious intent by the ransomware operators and/or their affiliates towards a crucial sector in a period of crisis.
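The RDP brute-force activity mentioned above is one of the easier precursors for a defender to spot, because every failed logon attempt leaves a Windows Security event 4625 behind. The following is an added example, not code from the CyberPeace Institute or the article's author: it reads constructed, flattened 4625/4624 event lines (timestamp, event ID, account, source IP, logon type; the flat format is an assumption, not the native event XML) and flags any source address that exceeds a threshold of failed RemoteInteractive (logon type 10) logons within a sliding time window.

```python
"""Added example: flag likely RDP brute-force sources from failed-logon events.

Illustrative code written for this article, not tooling from the
CyberPeace Institute or Mandiant. The event lines are constructed and the
flat "timestamp event_id account source_ip logon_type" layout is an assumed
export format, not the native Windows Event Log XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events.
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP / Terminal Services).
SAMPLE_EVENTS = [
    # Six failures from one address against six accounts in 17 seconds.
    "2021-12-01T02:14:03 4625 administrator 203.0.113.7 10",
    "2021-12-01T02:14:05 4625 admin 203.0.113.7 10",
    "2021-12-01T02:14:08 4625 backup 203.0.113.7 10",
    "2021-12-01T02:14:11 4625 scanner 203.0.113.7 10",
    "2021-12-01T02:14:15 4625 nurse1 203.0.113.7 10",
    "2021-12-01T02:14:20 4625 radiology 203.0.113.7 10",
    # A later success from the same address (ignored by the failure filter).
    "2021-12-01T02:15:40 4624 nurse1 203.0.113.7 10",
    # A user mistyping a password three times: legitimate-looking noise.
    "2021-12-01T02:30:00 4625 jsmith 198.51.100.22 10",
    "2021-12-01T02:31:00 4625 jsmith 198.51.100.22 10",
    "2021-12-01T02:32:00 4625 jsmith 198.51.100.22 10",
    # A service account failing once every 15 minutes: slow, outside the window.
    "2021-12-01T01:00:00 4625 svc_imaging 192.0.2.5 10",
    "2021-12-01T01:15:00 4625 svc_imaging 192.0.2.5 10",
    "2021-12-01T01:30:00 4625 svc_imaging 192.0.2.5 10",
    "2021-12-01T01:45:00 4625 svc_imaging 192.0.2.5 10",
    "2021-12-01T02:00:00 4625 svc_imaging 192.0.2.5 10",
]

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625


def parse_event(line):
    """Split one flat event line into a dict with typed fields."""
    ts, event_id, account, src_ip, logon_type = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "src_ip": src_ip,
        "logon_type": int(logon_type),
    }


def failed_rdp_by_source(lines):
    """Map each source IP to the sorted timestamps of its failed RDP logons."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            by_ip[ev["src_ip"]].append(ev["ts"])
    return {ip: sorted(stamps) for ip, stamps in by_ip.items()}


def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: total_failed_rdp_logons} for every source that reaches
    `threshold` failed RDP logons inside any sliding `window`."""
    flagged = {}
    for ip, stamps in failed_rdp_by_source(lines).items():
        start = 0
        for end in range(len(stamps)):
            # Advance the window start until it fits within `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {ip}: {count} failed logons")
```

The sliding window is what separates the noisy attacker from the slow service-account failures: with the defaults, only 203.0.113.7 is flagged, while lowering the threshold to 3 also catches the three rapid jsmith failures, which is the kind of tuning trade-off a SOC makes against its own baseline.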

In September, the Ponemon Institute published research showing that ransomware attacks on healthcare organizations may have life-or-death consequences. Nearly one in four healthcare providers reported an increase in mortality rate due to ransomware. The onset of COVID-19 introduced new risk factors to healthcare delivery organizations (HDOs), including remote work, new systems to support it, staffing challenges, and elevated patient care requirements.

The research focuses on helping CIOs, CISOs, and healthcare risk executives understand the extent to which HDOs are being targeted and ascertain the impact of those attacks.

In the wake of the escalating Apache Log4j series of vulnerabilities, the HHS 405(d) Program released a Situation, Background, Assessment, Recommendation (SBAR) concerning the Log4j vulnerability found in products that have Java-based software installed. The library, created by the Apache Software Foundation, is widely used in applications on both Linux and Windows operating systems.

The 405(d) Program and Task Group is a collaborative effort between industry and the federal government that aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the most pertinent current cybersecurity threats to the healthcare sector.

Exploitation of the Log4j vulnerability allows execution of arbitrary code, which could result in compromise of the server, download of malicious binaries, or propagation of further attacks such as ransomware or a zero-day attack.
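The practical difficulty for a hospital IT team is that Log4j is rarely installed as a product of its own; it is bundled inside Java applications, often as a jar nested within a WAR or EAR archive. The following is an added example, not tooling from the HHS 405(d) Program or the Apache Software Foundation: it walks a directory tree, opens every Java archive (recursing into archives nested inside archives), reports each copy of log4j-core together with the version recorded in its Maven pom.properties, and notes whether the JndiLookup class is still present. The archives it scans are constructed in a temporary directory with placeholder class bytes and constructed version strings, so it runs offline.

```python
"""Added example: inventory Java archives for bundled log4j-core.

Illustrative code written for this article, not a tool from HHS 405(d) or
Apache. The sample archives are constructed below with placeholder contents;
the version strings are made up and are not real log4j release numbers.
"""
import io
import os
import tempfile
import zipfile

# Paths that identify a log4j-core jar and its JNDI lookup class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
PLACEHOLDER_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only, not real bytecode


def _inspect_zip(zf, path, findings):
    """Record log4j-core evidence in an open archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_LOOKUP in names:
        version = None
        if POM_PROPS in names:
            for raw in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if raw.startswith("version="):
                    version = raw.split("=", 1)[1].strip()
        findings.append({
            "path": path,
            "version": version,
            "jndi_lookup_present": JNDI_LOOKUP in names,
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real archive despite the extension
            _inspect_zip(inner, f"{path}!{name}", findings)


def scan_directory(root):
    """Return a list of findings for every log4j-core copy under `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for fn in sorted(filenames):
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(full) as zf:
                    _inspect_zip(zf, rel, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def needs_attention(findings):
    """Paths of log4j-core copies that still ship JndiLookup."""
    return [f["path"] for f in findings if f["jndi_lookup_present"]]


def _make_log4j_core(version, with_jndi):
    """Build a constructed, minimal log4j-core-like jar in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", PLACEHOLDER_CLASS)
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, PLACEHOLDER_CLASS)
    return buf.getvalue()


def build_sample_tree():
    """Create a constructed application tree and return its root directory."""
    root = tempfile.mkdtemp(prefix="log4j_inventory_demo_")
    lib = os.path.join(root, "app1", "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "log4j-core-old.jar"), "wb") as f:
        f.write(_make_log4j_core("9.9.9-constructed-a", with_jndi=True))
    with open(os.path.join(lib, "notes.txt"), "w") as f:
        f.write("not an archive\n")
    # A WAR that nests a log4j-core from which JndiLookup was removed.
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-stripped.jar",
                    _make_log4j_core("9.9.9-constructed-b", with_jndi=False))
        other = io.BytesIO()
        with zipfile.ZipFile(other, "w") as ozf:
            ozf.writestr("com/example/Other.class", PLACEHOLDER_CLASS)
        zf.writestr("WEB-INF/lib/other-lib.jar", other.getvalue())
    os.makedirs(os.path.join(root, "app2"))
    with open(os.path.join(root, "app2", "portal.war"), "wb") as f:
        f.write(war.getvalue())
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_sample_tree()):
        print(finding)
```

Reporting the version and the presence of JndiLookup separately matters because the two remediation paths differ: an upgrade changes the version string, whereas removing the lookup class from an existing jar leaves the version unchanged, so a scanner that keys on version alone will keep flagging a jar that has already been neutralised.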
