Healthcare becomes target as ransomware uses remote services for initial access, affecting cybersecurity
Data released by Kroll revealed that ransomware helped fuel an uptick in attacks against the healthcare sector, as ransomware incidents increased this quarter to once again become the top threat type, followed closely by email compromise. There was a 90 percent increase in the number of healthcare organizations targeted in comparison to the first quarter of this year, alongside a growing number of cases in which external remote services were used as the initial access method.

“Common threat incident types impacting the healthcare sector included ransomware (33%), unauthorized access (28%), and email compromise (28%),” according to the Kroll report, titled ‘Q2 2022 Threat Landscape: Ransomware Returns, Healthcare Hit.’ “Of the ransomware cases, it was common to see a double extortion tactic in which actors exfiltrated data prior to network encryption and then threatened to leak the stolen data as leverage during negotiations. Phishing is a common initial access method for incidents impacting the healthcare sector.”

The recent shift to targeting the healthcare industry comes alongside the persistence of ransomware as an incident type and the rise in external remote services being used as an initial access method, giving an indication of where attackers may focus in the coming months. All organizations, especially those in healthcare, would do well to test the resilience of their external remote services and preparedness for ransomware.

After a series of high-profile leaks, Conti ransomware’s actor-controlled site and chat negotiations page went dark on June 23. Kroll data mirrored this decline in Conti activity, with associated ransomware cases accounting for only 18 percent in the second quarter compared with 20 percent in the first three months of this year and 35 percent in the fourth quarter of last year. Likewise, Kroll saw a drop in LockBit 2.0 activity during the quarter.

Variants on the rise included the previously mentioned Black Basta ransomware gang, the report said. “Observed by Kroll as leveraging Qakbot malware for access, Black Basta’s first post on underground forums referenced their willingness to buy access into corporate networks, likely recruiting initial access brokers to support their activities. Other groups that increased their activity during the second quarter included BlackCat, QuantumLocker, and Hive,” it added. 

Supporting Kroll’s findings that the healthcare sector is being targeted by ransomware groups, the U.S. Health Sector Cybersecurity Coordination Center (HC3) issued an analyst note in April indicating that the Hive ransomware group was aggressively targeting the healthcare sector. The Hive ransomware group is known to leverage remote services for access. 

While Kroll continued to see actors exploiting vulnerabilities and phishing schemes to launch ransomware, in the second quarter a ransomware incident was most likely to begin via external remote services, the report said. “Kroll observed a 700% increase in external remote services such as remote desktop protocol (RDP) and virtual private networks (VPN) being used for initial access in the quarter. Of ransomware incidents beginning with phishing, Kroll observed an uptick in the use of Qakbot malware as a delivery mechanism, particularly for new ransomware groups like Black Basta,” it added.

The report said that several factors may account for the recent rise in the use of external remote services, including ongoing botnet disruptions, which make it harder for ransomware operators to leverage botnets as a method of initial infection. Managed Detection and Response (MDR) tools are also catching more malware, so external remote services are used as a way to avoid detection. Kroll observed several cases in the second quarter where organizations were compromised due to legacy systems or unpatched vulnerabilities.

Phishing attacks continued to evolve in the second quarter, as Kroll observed threat actors using old and new malware such as Qakbot and Bumblebee, the Kroll report said. “There was an uptick in the use of Qakbot malware as a delivery mechanism for ransomware, particularly from new ransomware groups like Black Basta. Consequently, Qakbot should be treated as a precursor to a ransomware event. In this quarter, authors of the Qakbot malware added an additional step to the trojan’s infection chain, an HTML attachment that negates the need for a fetch of final payload from a command and control server,” it added.

As phishing remained the top initial access method across all threat incident types, Kroll observed significant increases in external remote services being compromised and CVEs being exploited for initial access. “The majority of incidents in Q2 2022, beginning with access via remote services or CVE exploitation, led to a ransomware attack. This highlights the popularity of compromising external remote services with ransomware threat actor groups, and supports the fact that both ransomware and external remote services, as initial attack vectors, increased this quarter,” the report added.

In a BlackCat ransomware situation, Kroll’s forensic review identified that the hackers had scanned the victim’s VMware server more than ten days before returning to access the system via the Log4Shell vulnerability. “Once inside the system, actors deployed multiple tools to maintain persistence, including PSTools, ZohoAssist, Total Software Deployment, PDQ Install, and Mimikatz to collect credentials. Once credentials were obtained via Mimikatz, the actors used ScreenConnect across hundreds of endpoints to collect and exfiltrate data,” according to the Kroll report.

Another event investigated by Kroll began as a single incident involving a ransom demand from the SunCrypt ransomware gang. Additional forensic analysis identified the earlier presence of AvosLocker encryption and LockBit 2.0 encryption on the victim’s network. The report reveals that, due to anti-detection methods used by the various actors once inside the network, much of the evidence needed to determine how initial access was gained had been destroyed. “Kroll did observe the threat actor using Domain Admin level credentials while inside the network. A threat actor later communicated that the organization’s VPN was vulnerable to an exploit patched in 2018 and that an admin password was of weak security,” it added.

The Kroll report calls upon healthcare organizations to pay close attention to the security around remote services. It advises implementing multi-factor authentication on these systems and keeping remote services inaccessible from the internet. It also recommends maintaining a regular patching, testing, and vulnerability scanning schedule, particularly for security gaps in VPN and RDP services.
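The three controls the report recommends for remote services (MFA enforced, no direct internet exposure, current patch level) can be checked mechanically against an inventory of externally reachable services. The script below is an added example written for this article, not code from Kroll or the report; the hostnames, firewall source ranges, patch dates, the port-to-service watch-list and the 30-day patch-age threshold are all constructed assumptions. It treats VPN gateway ports as legitimately internet-facing (they are the controlled front door) and flags them only on the MFA and patching checks, while RDP and SSH are flagged whenever a firewall rule allows the whole internet to reach them.

```python
"""Audit a constructed inventory of remote-access services against the
controls recommended in the Kroll Q2 2022 report: MFA, no internet exposure
for RDP/SSH, and a current patch level. Added example; all data is constructed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Dict, List

# Assumed defender's watch-list: port -> (service label, may legitimately face the internet).
REMOTE_ACCESS_PORTS = {
    3389: ("RDP", False),
    22: ("SSH", False),
    443: ("VPN/HTTPS portal", True),
    1194: ("OpenVPN", True),
    500: ("IPsec IKE", True),
}

MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold, not a figure from the report


@dataclass
class ExposedService:
    host: str
    port: int
    allowed_sources: List[str]  # CIDR blocks the firewall permits to reach this port
    mfa_enforced: bool
    last_patched: date


def is_internet_exposed(allowed_sources: List[str]) -> bool:
    """True if any permitted source block is the entire IPv4 or IPv6 space (prefix length 0)."""
    return any(ip_network(cidr, strict=False).prefixlen == 0 for cidr in allowed_sources)


def audit_service(svc: ExposedService, today: date) -> List[str]:
    """Return one finding string per violated control; non-remote-access ports are ignored."""
    if svc.port not in REMOTE_ACCESS_PORTS:
        return []
    label, may_face_internet = REMOTE_ACCESS_PORTS[svc.port]
    where = f"{svc.host}:{svc.port} ({label})"
    findings = []
    if not may_face_internet and is_internet_exposed(svc.allowed_sources):
        findings.append(f"{where} is reachable from the whole internet; restrict to VPN or known source ranges")
    if not svc.mfa_enforced:
        findings.append(f"{where} does not enforce multi-factor authentication")
    age_days = (today - svc.last_patched).days
    if age_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"{where} was last patched {age_days} days ago (policy: {MAX_PATCH_AGE_DAYS})")
    return findings


def audit_inventory(services: List[ExposedService], today: date) -> Dict[str, List[str]]:
    """Map 'host:port' -> findings for every service on the remote-access watch-list."""
    return {
        f"{svc.host}:{svc.port}": audit_service(svc, today)
        for svc in services
        if svc.port in REMOTE_ACCESS_PORTS
    }


# Constructed sample inventory (hostnames use the reserved .test TLD).
SAMPLE_INVENTORY = [
    ExposedService("rdp-jump.example.test", 3389, ["0.0.0.0/0"], False, date(2022, 3, 1)),
    ExposedService("rdp-internal.example.test", 3389, ["10.0.0.0/8"], True, date(2022, 7, 10)),
    ExposedService("vpn.example.test", 443, ["0.0.0.0/0"], True, date(2022, 7, 1)),
    ExposedService("legacy-vpn.example.test", 1194, ["0.0.0.0/0", "::/0"], False, date(2018, 5, 1)),
    ExposedService("files.example.test", 445, ["10.0.0.0/8"], True, date(2022, 7, 1)),  # not on the watch-list
]

if __name__ == "__main__":
    for key, findings in audit_inventory(SAMPLE_INVENTORY, date(2022, 7, 15)).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{key}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample data as of 2022-07-15, the internet-facing RDP host with no MFA and a March patch date produces three findings, the internal RDP host and the maintained VPN gateway produce none, and the OpenVPN gateway last patched in 2018 (the same pattern as the VPN incident described above) produces two. Real inventories would come from a firewall rule export or an external attack-surface scan rather than a hand-written list.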

In its bid to bolster cybersecurity at healthcare organizations, the National Institute of Standards and Technology (NIST) updated its cybersecurity guidance in July to help healthcare organizations safeguard patients’ personal health information. With the SP 800-66r2 draft document, NIST aims to assist healthcare organizations seeking further information on the security safeguards of the HIPAA Security Rule, regardless of the particular structures, methodologies, and approaches used to address its requirements.