Dive Brief:
- Cyberattacks against healthcare organizations have risen 45% since Nov. 1, 2020, according to a Check Point report. Other industries saw a 22% increase in cyberattacks during the same time period.
- In October, the healthcare sector saw 430 weekly cyberattacks, which increased to 626 weekly attacks in November. The cyberattacks included ransomware, botnets, remote code execution and DDoS. Ryuk and REvil (also known as Sodinokibi) were the most prominent ransomware strains in attacks.
- In November, North America saw a 67% increase in cyberattacks on healthcare organizations; attacks increased 145% in Central Europe.
Dive Insight:
While most ransomware has a broad sector target, Check Point found Ryuk is tailored toward targets in the healthcare industry. Because of the pressure COVID-19 placed on healthcare organizations, bad actors are finding the most financial success in disrupting operations that have no room for downtime.
Last year, CISA offered security recommendations for healthcare defense, but "there are also known control channels that can be blocked outbound to prevent control by the bad actors," said Drew Daniels, CIO and CISO of Druva.
Bad actors will develop new channels of infection, and if an organization detects Ryuk, containment and then recovery become the primary mission. Security is "not infallible either; nothing involving the internet can be. It just wasn't designed that way," said Daniels.
Ryuk was on hiatus before re-emerging in the fall. Infection begins with a trojan, such as Trickbot, Emotet, Dridex or Cobalt Strike.
Early generations of Ryuk were "rarely found without also finding Trickbot in the environment," according to research by Deep Instinct. That dependency allowed organizations that detected and dismantled Trickbot to avoid a Ryuk infection. This iteration of Ryuk also relied on human-powered reconnaissance.
Though the ransomware strain has evolved, it still relies on spear-phishing, a document housing a Visual Basic for Applications (VBA) macro, and Trickbot. When the ransomware is able to use PowerShell to move laterally, targeted organizations must weigh blocking PowerShell against allowing it.
"This harkens back to admins doing anything they can to not impact their user base, even if that means lowering the security posture of the environment," according to Deep Instinct. This is how Ryuk has thrived in the healthcare sector during the pandemic.
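One way a defender can watch the macro-to-PowerShell chain described above without blocking PowerShell outright, as an added Python example that is not part of the original article: it scores constructed process-creation events (Sysmon-style parent/child fields, an assumption here, not telemetry from the report) and flags Office applications launching script hosts, with extra weight for encoded or hidden-window command lines.

```python
"""Flag process-creation events in which an Office application spawns a
script host, the chain a malicious VBA macro typically uses to reach PowerShell."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Command-line switches that commonly accompany macro-launched PowerShell.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-e(nc(odedcommand)?)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"-noprofile\b|downloadstring|\biex\b)")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Return (severity, reasons) for one event.
    0 = benign, 1 = Office app spawned a script host, 2 = plus suspicious flags."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return 0, []
    reasons = [f"{parent} spawned {child}"]
    flags = sorted({m.group(0).lower()
                    for m in SUSPICIOUS_FLAGS.finditer(event["command_line"])})
    if flags:
        reasons.append("suspicious flags: " + ", ".join(flags))
    return (2 if flags else 1), reasons

def triage(events):
    """Keep only events worth an analyst's attention, as (host, severity, reasons)."""
    alerts = []
    for event in events:
        severity, reasons = score_event(event)
        if severity:
            alerts.append((event["host"], severity, reasons))
    return alerts

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-017", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "ws-022", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c echo report"},
    {"host": "ws-031", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for host, severity, reasons in triage(SAMPLE_EVENTS):
        print(host, severity, "; ".join(reasons))
```

Severity 1 hits are the ones an admin would review before deciding whether a given workflow really needs an Office-launched shell; severity 2 hits warrant immediate containment steps.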
Security recommendations for ransomware often come down to hygiene and traditional methods. "I was actually quite shocked by the lack of basic security hygiene" in recent healthcare ransomware attacks, said Daniels. "I would be remiss not to mention the importance of patching, patching, patching."
In addition to routine antivirus updates, IT can restrict which applications users are able to run, but doing so risks interfering with employees' productivity.
"As much as this may blunt some of the risks, malware can be delivered via macros in a Word document or Excel spreadsheet or similar functionality that's part of everyday working," said Daniels. "It is unlikely this level of functionality would be turned off since it would severely limit users' ability to work."
Decades-old systems were designed to permit "openness, connectivity and productivity," said Daniels. If a system were entirely read-only, users' ability to get work done would be greatly reduced.