Written by Jen Ayers in collaboration with Rahima Malik and Serena Raymond.
Malicious site trends will often leverage what happens in the news. Industries that have been weakened or are experiencing turmoil make for easy ransomware targets. It’s no surprise that malicious actors have been using the COVID-19 pandemic to both propagate their schemes and to choose their victims.
In October, there was a joint advisory released by CISA, the FBI, and HHS about how coordinated ransomware attacks were targeting US hospitals and healthcare providers. This was after six hospitals were the victim of ransomware attacks in just a 24-hour period.
A January report acknowledged that an increase in ransomware attacks at the end of 2020 that can be directly linked to a surge in healthcare-specific cyber attacks. The last two months of 2020, compared to the two months previous, saw a 45% increase in hospital ransomware attacks.
But this isn’t the first time that hospitals have been the target of ransomware. It’s just now happening at a moment where our health systems are more vulnerable than they ever have been. Healthcare is historically underfunded and understaffed when it comes to IT budgeting.
Here, we’ll examine how hospital ransomware attacks are changing in 2021 and why hospitals are a prime target.
Ransomware is a type of malware or malicious software that encrypts victims' files and threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Throughout 2020, there were several major ransomware attacks launched against the healthcare industry. These attacks disrupted IT systems at hundreds of hospitals, clinics, and medical facilities across the US.
For a ransomware attack to be successful, a person will be misled into taking an action that will result in the ransomware being installed on their machine. This is generally done in one of three ways:
Hospital ransomware attacks can be incredibly damaging because hospital IT contains extremely sensitive PII data - healthcare records. So the stakes are incredibly high for a hospital that has become the victim of a cyber attack.
Since 2016, ransomware has become a popular attack type for hospitals. The reasons are simple:
Because of the COVID-19 pandemic, hospitals have become an increasingly lucrative target for hackers. Coronavirus has caused many hospitals and healthcare facilities to delay investment in important IT security upgrades in favor of focusing additional funds on equipment and personnel to combat the pandemic. Many hospitals were losing money even prior to the pandemic. The American Hospital Association estimated that between March 1 and June 30 of 2020, US hospital systems had over $202 billion in hospital costs.
Over the course of 2020, IT systems got further and further out-of-date. Industry reports estimate that health systems only budget between 4% and 7% of their IT costs on cybersecurity.
And because the pandemic has made them such easy targets, this creates a scenario where they start to ignore suspicious activity:
Experts say the risks of a successful attack are higher than usual, as hospital cybersecurity staff may be distracted by the number of suspicious-activity alerts they have received in recent weeks, and because of the strain that remote-working arrangements are placing on their infrastructure.
But the reasons this attack type is so successful against hospitals is because when hospital systems go down, patients’ lives are in danger. Because hospitals are critical infrastructure and their resiliency protects lives, hackers perceive them as more willing to pay a ransomware fee. Ransomware attacks have driven many hospitals to canceling appointments that are not urgent, resorting to pen and paper, and diverting existing or incoming patients to other hospitals.
At the start of the pandemic and as recently as January, many known hacker organizations claimed that they will not target hospitals (at least during the pandemic). Nefilim Ransomware even claimed that worldwide pandemic or not, they never target hospitals:
“We work very diligently in choosing our targets. We never target non-profits, hospitals, schools, government organizations.
If we ever encrypted one of those organizations by accident we would provide decryption for free and would delete all data downloaded.
...The pandemic has not changed our stance on our targets since we believe that hospitals are off limits in any situation.”
Bleeping Computers also asked Netwalker Ransomware if they planned to pause attacks on hospitals. They seemed offended by the thought:
“Hospitals and medical facilities? do you think someone has a goal to attack hospitals? we don't have that goal...no one will purposefully hack into the hospital”
But Netwalker also said that any hospitals accidentally attacked would still need to pay for decryption—unlike Nefilim’s stance. Only a few months later in July, Netwalker was tied to a ransomware attack on the University of California San Francisco’s School of Medicine servers. The school paid the hackers $1.14 million.
Could these handful of promises have actually driven other hackers to target the healthcare system? With a (possibly empty) promise that no ransomware attacks would be heading their way, hospitals may have let their guards down in the form of allowing cybersecurity contracts to expire or awareness training to get postponed. This is conjecture, but this mindset from hospital IT would lead to more successful attacks on hospital infrastructure.
And of course, many (if not all) of these hacking groups went back on their word and targeted hospitals anyway.
While CISA acknowledged that "there is an imminent and increased cybercrime threat to U.S. hospitals and healthcare providers" in October of this year, the truth is that hospitals have been facing the threat of ransomware throughout 2020 at a growing rate. In the first half of 2020 alone, there were 41 reported hospital ransomware attacks.
The first possible case of a life being lost as a result of a ransomware attack was reported in September 2020. Cybercriminals scrambled data and disabled computer systems at Düsseldorf University Hospital. Doctors attempted to transfer one patient in need of immediate medical care to another hospital, but the patient died while in transit to another hospital.
A German cybersecurity authority investigated this attack, President of the organization Arne Schönbohm stated that the cybercriminals exploited a known vulnerability in a VPN (developed by Citrix), and warned other organizations to protect themselves from the flaw.
A small hospital in Colorado became a victim in June 2020. Five years of patient records (records existing between 2012 - 2017) became inaccessible as well as records of patients who “received home health services between June 2019 and April 9” 2020. They did not pay the ransom.
Even the largest private hospital operator in Europe was a target in the spring of 2020. Fresenius employs over 300,000 people in 100 countries and is one of the leading providers of care for patients with kidney failure. Fresnius paid the ransom of $1.5 million. The attack itself appeared to be a part of a larger Snake ransomware campaign targeting healthcare. The attack gave the victims up to 48 hours to pay the ransom.
Whether hospitals pay the ransom or not, a ransomware attack has a significantly negative impact on the healthcare industry’s regular operations.
Throughout 2020, ransomware attacks in the US cost hospitals an estimated $21 billion. The average ransomware demand was $169,446 and hackers have received a confirmed $2.1 million in ransom payments—though that total is likely much higher. And hospital ransomware attacks go beyond white collar crime; they are a threat-to-life crime, which has already cost the life of at least one individual.
The rise of ransomware as a whole has its roots in the rise of cryptocurrency. Most ransomware attacks demand payment by cryptocurrency because it is highly liquid, trace-resistant digital cash.
The largest ransomware attack in history, WannaCry, asked that the ransom be paid in Bitcoin. Also, the increasing popularity of ransomware-as-a-service enables prospective hackers to buy a pre-built ransomware attack using cryptocurrency. As cryptocurrency usage becomes more mainstream, ransomware attacks, including attacks on healthcare companies will likely rise.
Ransomware is also becoming increasingly sophisticated. Bad actors now use different variants, techniques, and procedures. According to CrowdStrike’s 2021 Global Threat Report, one major change to ransomware technique is using a “secondary threat” that exfiltrates “data prior to the execution of the ransomware, a trend observed across all sectors throughout 2020.”
The increase in sophistication means attacks have become more stealthy with a strong likelihood that they involve data leaks, which is more than the traditional data loss generally associated with ransomware. Cybercriminals are also targeting the healthcare sector with TrickBot, BazarLoader, Ryuk, and Conti malware, which as mentioned previously, leads to not only ransomware attacks but also data theft/loss and an overall disruption of healthcare services.
The intelligence shared in CrowdStrike’s report also showed that while Maze/Egregor ransomware dominated attacks in 2020 (despite Maze previously claiming they would not target healthcare), it was followed closely by a surge campaign in October 2020 of Ryuk/Conti (the report contains additional details on the relationships of these ransomware types).
Because of our unique level of visibility into DNS queries at thousands of global organizations, we were able to identify many of the domains related to the Ryuk campaign conducted by WIZARD SPIDER (the eCrime group that was also behind TrickBot). We have compiled a list of almost 300 domains used by Ryuk and similar variants used in 2020 and they were checked against our domain classification database and investigated and flagged as malware providing rapid protection for our customers.
Implementing DNS protection can save hospitals from making the agonizing decision of either paying the ransom or rebuilding their IT from the ground up. DNSFilter’s threat protection includes a dedicated “malware” category that encompasses ransomware. Deploying this security will protect hospitals from ransomware domain variants known to impact hospitals and also scan domains in real-time to determine if a site is a threat that needs to be blocked.
Our team is dedicated to protecting all businesses from the threat of malware and ransomware, but we take special pride in the services we provide to critical infrastructure such as hospitals and healthcare clinics. We know that ransomware attacks and other cyber security threats are on the rise. DNS protection is the first line of defense in your network security architecture.