Healthcare facilities have become an increasingly popular target for ransomware groups in the past year. While an uptick in cyber attacks on United States hospitals might otherwise be attributed to that general trend, the FBI is warning that it has evidence of a coordinated criminal attack on the country’s healthcare system.
The FBI says that a Russian-speaking criminal gang is behind the attacks. It does not appear to be state-backed or to be tied to the 2020 election, but the attackers are focusing on getting ransomware onto healthcare system networks and charging higher-than-usual fees for its removal. Chatter on the dark web indicates that the group is targeting some 400 different facilities across the country.
Cyber attacks paralyze US hospitals
Along with the Department of Homeland Security (DHS) and the Department of Health and Human Services (DHHS), the FBI issued a warning that US healthcare systems were facing an “increased and imminent” risk of cyber attacks. These are believed to largely originate from one threat actor, a group likely based either in or near Russia, and involve the theft of data and locking up of critical systems with ransomware. Dubbed UNC1878, the group is believed to have formed in early 2020 and has attacked over 1,000 targets worldwide since then.
The attackers hit five US hospitals in late October, but are believed to be planning attacks on about 400 in total. The intelligence agencies are basing some of this on the work of Alex Holden, CEO of Hold Security, whose firm has been tracking these threat actors for over a year now. Holden has told reporters that he alerted the FBI about a potential operation after finding chatter linked to the group on the dark web. Hold Security linked the group to attempted cyber attacks on several hospitals and found forums in which they discussed plans to attack hundreds of hospitals in the US healthcare system. Thus far the University of Vermont Health Network has confirmed network symptoms consistent with these cyber attacks, and the St. Lawrence Health Systems of New York and Sky Lakes Medical Center of Oregon have confirmed to CNN that they were targeted.
While cyber attacks against hospitals are not unusual at present, the scope of this particular operation is unusual for a threat group that is not thought to be backed by a nation-state and is only seeking profit. It is not only unusual for a group to target such a large swath of a country’s healthcare system, but also to demand such large ransoms from an industry that often has the desire to pay but also has trouble coming up with liquid funds. The group has been observed demanding at least $10 million per target; the average ransomware demand globally is in the very low triple digits.
The group has been observed using the Trickbot trojan to deliver Ryuk malware to targets. Trickbot targets systems running Windows and has been in the wild since late 2016, and was linked to a September attack on US hospitals. Microsoft has stepped up its efforts against Trickbot since then, working in partnership with the US Department of Defense (DOD) to knock many of its control servers offline. The Ryuk ransomware has also been around for some time, designed for and used mostly against large enterprise-scale organizations. It made news in 2019 for spreading widely and netting its operators about $61 million in ransoms, but had subsided greatly as of the beginning of the Covid-19 pandemic. Prevailion reports that even if Microsoft and the DOD were able to eliminate Trickbot servers, the group may well continue its cyber attacks as it appears to be pivoting to a new delivery system.
The intelligence agencies urged all facilities in the US healthcare system to take “timely and reasonable precautions” in response to the wave of cyber attacks: primarily ensuring that both software and hardware patches are up to date and ensuring that antivirus/anti-malware scans are being conducted regularly.
US healthcare system under siege in 2020
US government agencies and public facilities have seen an unprecedented spike in cyber attacks in 2020, particularly ransomware campaigns that exploit third-party service providers to hit multiple locations at once. The healthcare system was already experiencing significant ransomware activity prior to this recent Ryuk campaign, recording 59 attacks that disrupted patient care at about 510 facilities nationwide. The biggest individual attack occurred in September, when national medical provider United Health Services (UHS) had 250 facilities hit. The impact was bad enough that patient care providers had to temporarily return to pen and paper note-taking in treatment, in addition to backlogging lab work.
Though hospitals are not necessarily the most well-funded targets of ransomware, the healthcare system is lucrative for other reasons as Chloé Messdaghi, VP of Strategy at Point3 Security, explains: “The reason these attackers are going after hospitals is because they’re easy money and easy to attack. Hospitals need to have these records and, even prior to COVID-19, hospitals are known to have issues with allocating budget for security staff and resources in order to help prevent and respond to data breaches like these. Even if a hospital pays the ransom, that doesn’t necessarily mean that the attacker just hands over the key and then deletes it all on their end. Health profiles are worth a lot more than social security numbers, and attackers can turn that data around and sell it for a lot of money. So for attackers, getting health profiles is the cream of the crop – they’re gold … You can’t just be waiting for something to happen. You have to be proactive. If hospitals don’t have the staff to stay on top of this stuff, they just need to hire. They have the money – there’s really no excuse. It’s pandemic times – hospitals are absolutely targets and, at the end of the day, any funds put toward security is an investment by the hospital in its staff and its patients.”
In terms of specific defense measures against Ryuk, Jeff Horne, CSO of Ordr, suggests that a particular point of focus should be organization-wide anti-phishing training: “Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT (internet of medical things) devices, as we’ve seen this year with radiology machines. Once attackers are on an infected host, they can easily pull passwords out of memory and then laterally move throughout the network, infecting devices through compromised accounts and vulnerabilities.”
Matt Walmsley, EMEA Director at Vectra, also pointed out that the nature of ransomware attacks has changed such that new defensive tools and techniques are called for: “The business of ransomware has changed. Criminals have moved to lower volume, but highly targeted ransomware attacks. These are multifaceted, complex, and unfold over extended periods of time and increasingly use the legitimate tools within our networks and cloud services. This makes traditional signature-based defences increasingly ineffective so we’re now detecting attackers by their behavior rather than looking for the specific tools or ransomware used … The performance and analytical power of AI is needed to detect these subtle indicators of ransomware behaviors and the misuse of privileged credentials.”
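The two quotes above describe the same pattern from both sides: Horne notes that once a host is infected the attacker reuses harvested credentials to move laterally, and Walmsley notes that defenders now look for that behavior rather than for a known binary. The following is an added illustration, not code from the article, from Vectra or from Ordr, of what a minimal behavior-based check looks like: it builds a baseline of which destination hosts each account normally authenticates to, then flags any account that reaches several previously unseen hosts inside a short window, which is the fan-out shape of credential-driven lateral movement. The authentication events, account names and hostnames are constructed for the example; the logon-type numbers follow the Windows convention (3 = network, 10 = remote interactive), and the window and threshold values are assumptions a real deployment would tune.

```python
"""Behavior-based lateral-movement detector over constructed authentication events.

Added example: flags accounts that fan out to many previously unseen hosts in a
short window, regardless of which tool or malware produced the logons.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_host: str
    dst_host: str
    logon_type: int  # Windows logon type: 3 = network, 10 = RemoteInteractive (RDP)


def _t(hhmm: str) -> datetime:
    """Helper for the constructed sample: every event falls on one (made-up) day."""
    return datetime(2020, 10, 28, int(hhmm[:2]), int(hhmm[3:]))


# Constructed baseline: what "normal" looked like for two accounts.
BASELINE_EVENTS = [
    AuthEvent(_t("08:00"), "nurse.kim", "WS-ICU-01", "FS-CHARTS", 3),
    AuthEvent(_t("08:05"), "nurse.kim", "WS-ICU-01", "EHR-APP-01", 3),
    AuthEvent(_t("08:10"), "svc-backup", "BKP-01", "FS-CHARTS", 3),
    AuthEvent(_t("08:11"), "svc-backup", "BKP-01", "FS-RAD", 3),
]

# Constructed recent activity: svc-backup suddenly appears from a workstation
# and touches four hosts it never reached before within a few minutes, while
# nurse.kim reaches one new host (a printer), which on its own is not alarming.
RECENT_EVENTS = [
    AuthEvent(_t("13:00"), "nurse.kim", "WS-ICU-01", "FS-CHARTS", 3),
    AuthEvent(_t("13:01"), "svc-backup", "WS-ICU-07", "FS-CHARTS", 3),
    AuthEvent(_t("13:02"), "svc-backup", "WS-ICU-07", "RAD-CT-01", 3),
    AuthEvent(_t("13:02"), "svc-backup", "WS-ICU-07", "RAD-MRI-01", 3),
    AuthEvent(_t("13:03"), "svc-backup", "WS-ICU-07", "DC-01", 10),
    AuthEvent(_t("13:04"), "svc-backup", "WS-ICU-07", "EHR-DB-01", 3),
    AuthEvent(_t("14:30"), "nurse.kim", "WS-ICU-01", "PRINT-01", 3),
]


def build_baseline(events):
    """Map each account to the set of destination hosts it normally reaches."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.user].add(e.dst_host)
    return baseline


def detect_fan_out(events, baseline, window=timedelta(minutes=10), threshold=3):
    """Return one alert per burst in which an account reaches >= `threshold`
    destination hosts absent from its baseline within `window`.

    Each alert is a dict with keys: user, window_start, new_hosts (sorted list).
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        known = baseline.get(user, set())
        i = 0
        while i < len(evs):
            start = evs[i].ts
            new_hosts = set()
            j = i
            # Collect every unseen destination inside the window opened at evs[i].
            while j < len(evs) and evs[j].ts - start <= window:
                if evs[j].dst_host not in known:
                    new_hosts.add(evs[j].dst_host)
                j += 1
            if len(new_hosts) >= threshold:
                alerts.append({"user": user, "window_start": start,
                               "new_hosts": sorted(new_hosts)})
                i = j  # skip past the burst so it is reported only once
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(RECENT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{alert['window_start']:%H:%M} {alert['user']} reached "
              f"{len(alert['new_hosts'])} new hosts: {', '.join(alert['new_hosts'])}")
```

The check never looks at a file hash or process name, which is the point Walmsley makes: replacing Trickbot with a different loader, as Prevailion expects the group to do, changes nothing about the logon pattern. In a real environment the baseline would be learned over weeks from the domain controllers' security logs rather than from four hand-written events, and a second signal worth adding is the source host, since a backup service account authenticating from an ICU workstation is itself anomalous even before the fan-out begins.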