The Evolving Ransomware Trends in the Healthcare Sector
HHS HC3 Report Spotlights How Threat Actors' TTPs Are Changing
Financially motivated and state-sponsored threat actors are continuing to evolve their tactics, techniques and procedures for successful attacks, federal authorities warn in a new report spotlighting the latest ransomware trends in the healthcare and public health sector.
The report issued Thursday by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, analyzes ransomware activities observed by HC3 in the healthcare and public health sector during the first quarter of 2022 and highlights not only the most active ransomware groups targeting the healthcare sector, but how their attacks have been evolving.
HC3 says that the top five ransomware-as-a-service groups affecting the healthcare and public health sector in the first quarter of 2022 were LockBit, Conti, SunCrypt, BlackCat/Alphv, and Hive.
Some of the developments related to the groups include the following:
- LockBit released a statement that it will not take a side in Russia’s invasion of Ukraine.
- Conti stated that it will support Russia amid the invasion of Ukraine. Karakurt was identified as the data extortion arm of Conti.
- SunCrypt gained new capabilities in 2022, despite the ransomware appearing as though it is still under development.
- BlackCat/Alphv/Noberus ransomware was linked to BlackMatter and DarkSide, and BlackCat sped up its encryption process.
- Nokoyawa ransomware appeared to possibly be related to Hive and Karma/Nemty.
Ransomware variants used in connection with FIN7's operations include Maze, Ryuk and BlackCat/Alphv.
In April 2022, ransomware attacks conducted by FIN12 could reportedly be achieved in less than two days, compared to the previous time frame of five days when the group was first identified, HC3 says. It says FIN12 has specifically targeted the healthcare industry, leveraging Ryuk, Beacon, SystemBC and Metasploit to carry out some of the most prolific intrusions seen throughout 2021.
Leveraging Legitimate Tools
HC3 says that some ransomware groups are increasingly leveraging legitimate tools during ransomware intrusions. These include:
- Remote access tools such as AnyDesk, Windows Safe Mode, Atera, ScreenConnect and ManageEngine;
- Encryption tools, including Microsoft's BitLocker, Jetico's BestCrypt and DiskCryptor;
- File transfer tools, such as FileZilla FTP;
- Microsoft Sysinternals utilities, including PsExec, Procdump and Dumpert;
- Open-source tools, such as Cobalt Strike, Mimikatz, AdFind, Process Hacker and MegaSync.
Initial Access Brokers
In terms of initial access brokers, HC3 says that during the first quarter of 2022 the number of threat actors selling network access to healthcare and public health entities worldwide on various cybercriminal forums was consistent with the numbers seen across all of 2021.
Among HC3's observations:
- More than half of forum advertisements were for general VPN/RDP access to healthcare and public health entities.
- About 25% of the threat activity involved selling alleged access to compromised Citrix VPN appliances.
- The COVID-19 pandemic drove organizations to accelerate the adoption of remote access and cloud applications, but often without implementing basic security features.
- Initial access brokers enable RaaS groups to focus time and energy on developing payloads and coordinating operations with affiliates.
'Living Off the Land' Attacks
Some threat actors are also carrying out "living off the land," or LOTL, attacks against healthcare sector entities, using what is already available in the target environment instead of deploying custom tools and malware, HC3 says.
Such attacks leverage native Windows tools, such as CMD.exe, PowerShell, Task Scheduler, MSHTA and Sysinternals, as well as common remote management tools, such as TeamViewer, Kaseya and LogMeIn, the report says.
The attraction of LOTL attacks to bad actors? "Malicious actions are less likely to flag antivirus or alert endpoint detection tools, [and] are more likely to blend in with normal administrative tasks," HC3 says.
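As an added illustration (not from the HC3 report or this article), the PowerShell below sketches how a defender can flag LOTL tool use by context rather than by tool name, since the binaries themselves are legitimate and expected on admin hosts. The sample process-creation records, the admin account list and the jump-host list are constructed for the example.

```powershell
# Added example (not from the HC3 report): context-based flagging of LOTL tooling.
# The tool names match those the report lists; the records, accounts and hosts below
# are constructed for this illustration.

# Native and admin tools the report names as common LOTL tooling.
$LotlBinaries = @('cmd.exe', 'powershell.exe', 'mshta.exe', 'schtasks.exe', 'psexec.exe')

# Assumed baseline: accounts and jump hosts from which administrative use is expected.
$AdminAccounts = @('CORP\svc-patching', 'CORP\it-admin1')
$AdminHosts    = @('JUMP01', 'JUMP02')

# Constructed process-creation records (fields modelled on Security event 4688).
$Records = @(
    [pscustomobject]@{ Host='JUMP01'; User='CORP\it-admin1'; Parent='explorer.exe'; Image='psexec.exe';   CommandLine='psexec.exe \\WS-104 -s cmd.exe' },
    [pscustomobject]@{ Host='WS-221'; User='CORP\jdoe';      Parent='winword.exe';  Image='mshta.exe';    CommandLine='mshta.exe C:\Users\Public\inv.hta' },
    [pscustomobject]@{ Host='WS-221'; User='CORP\jdoe';      Parent='cmd.exe';      Image='schtasks.exe'; CommandLine='schtasks /create /tn Updater /sc onlogon /tr C:\Users\Public\u.exe' },
    [pscustomobject]@{ Host='WS-305'; User='CORP\mlee';      Parent='explorer.exe'; Image='notepad.exe';  CommandLine='notepad.exe notes.txt' }
)

function Test-LotlSuspicious {
    param([pscustomobject]$Record)
    # The tool name alone is not a signal: these binaries are legitimate. Flag only
    # when the account or host does not match the administrative baseline.
    if ($LotlBinaries -notcontains $Record.Image.ToLower()) { return $null }
    $reasons = @()
    if ($AdminAccounts -notcontains $Record.User) { $reasons += 'non-admin account' }
    if ($AdminHosts -notcontains $Record.Host)    { $reasons += 'not an admin host' }
    if ($reasons.Count -eq 0) { return $null }   # expected admin use, e.g. PsExec from JUMP01
    [pscustomobject]@{
        Host = $Record.Host; User = $Record.User; Image = $Record.Image
        Parent = $Record.Parent; Reasons = ($reasons -join ', '); CommandLine = $Record.CommandLine
    }
}

# Only the two WS-221 records are reported; the PsExec run from the jump host is baseline.
$Records | ForEach-Object { Test-LotlSuspicious $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Feeding real 4688 or Sysmon process-creation events into the same function only requires mapping their fields onto the Host/User/Parent/Image/CommandLine properties.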
HC3 provides a long list of mitigation actions for healthcare and public health sector organizations to consider taking to defend against the latest ransomware trends. These actions include:
- Using the host firewall to restrict file sharing communications, such as SMB;
- Deploying network intrusion detection and prevention systems that use network signatures;
- Using multifactor authentication for user and privileged accounts;
- Configuring access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts;
- Operating intrusion detection, analysis and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions;
- Employing network segmentation for sensitive domains;
- Protecting domain controllers by ensuring proper security configuration for critical servers;
- Preventing domain administrator accounts from being used for day-to-day operations that may expose them to potential adversaries on unprivileged systems;
- Denying remote use of local admin credentials to log into systems and prohibiting domain user accounts from being members of the local administrators group on multiple systems.
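An added example, not drawn from the HC3 report, showing three of the mitigations above (host-firewall SMB restriction, domain users in local Administrators, remote use of local admin credentials) applied or audited with built-in Windows cmdlets. The subnet values are constructed, and -WhatIf is used so the firewall changes are previewed rather than applied.

```powershell
# Added example (not from the HC3 report): apply or audit three of the listed
# mitigations with built-in Windows cmdlets. Run in an elevated PowerShell on
# Windows 10/11 or Server 2016+. Subnets are constructed values; -WhatIf previews
# the firewall changes, remove it to apply them.

# 1. Host firewall: restrict SMB (TCP 445) to approved peers. Windows gives block
#    rules precedence over allow rules, so rather than adding a block rule we scope
#    the built-in SMB allow rules and rely on the profile's default inbound block.
$AllowedSmbPeers = @('10.10.20.0/24', '10.10.30.5')   # assumed management/file-server ranges
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' |
    Set-NetFirewallRule -RemoteAddress $AllowedSmbPeers -WhatIf
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -WhatIf

# 2. Domain user accounts in the local Administrators group: a domain user that is
#    local admin on many hosts is a lateral-movement path. Report such members so the
#    same account can be checked across systems.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
    Select-Object Name, SID

# 3. Remote use of local admin credentials: LocalAccountTokenFilterPolicy=1 turns off
#    UAC remote restrictions, letting any local admin account authenticate over the
#    network with full administrative rights. Absent or 0 is the secure default.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Filter = (Get-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
           -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
if ($Filter -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy=1: remote use of local admin credentials is enabled'
} else {
    Write-Output 'LocalAccountTokenFilterPolicy is at its secure default (0 or not set)'
}
```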
Some experts say the HHS report homes in on trends similar to those seen in sectors beyond healthcare and public health.
"Unfortunately, ransomware is likely to continue to be as much of a problem in the healthcare/public health sector as it is in other sectors," says Brett Callow, threat analyst at security firm Emsisoft.
"That said, it’s possible there may be a decrease in attacks on hospitals, as some gangs seem to be focusing more on smaller, less significant organizations, likely in an effort to avoid becoming the number-one target for law enforcement agencies," he says.
Most of the trends spotlighted by HHS are broadly relevant both to healthcare and to other industries, says Paul Prudhomme, a former U.S. Department of Defense threat analyst who is head of threat intelligence advisory at security firm Rapid7.
"What most distinguishes health care from other ransomware targets is its sheer popularity as a target," Prudhomme says.
Many of the tools and techniques that ransomware attackers use against healthcare organizations are also applicable to other industries, he adds. "One key distinguishing factor for healthcare, however, is the frequent exploitation of vulnerabilities in medical devices as an initial access point and for persistence and lateral movement in many different types of attacks, including ransomware attacks."
Meanwhile, the expansion of ICU capacity, the creation of specialized COVID-19 wards, and other infrastructural changes in response to the pandemic may have left some healthcare organizations more vulnerable due to the relatively fast implementation of these changes and the introduction of more frequently vulnerable medical devices, Prudhomme says.
"The proliferation of new COVID-19 data sets, such as testing and vaccination records, has expanded the data attack surface for attackers to exploit, including ransomware operators that add a second layer of extortion to their attacks by threatening to expose compromised files if victims refuse to pay ransoms."
Attorney Jason G. Weiss of the law firm Faegre Drinker Biddle & Reath LLP says that particular industries - including healthcare - appear to be among the latest favorite targets of cybercriminals.
"Ransomware, and especially RaaS, is a multi-industry offender. While the healthcare sector is certainly subject to almost nonstop cyberattacks, this trend is equally viable as it relates to federal, state and local government entities as well as school and universities, just to name a few," says Weiss, a retired supervisory FBI agent.
Ransomware gangs and other cyberthreat actors are making billions of tax-free dollars, he says. "With the help of cryptocurrencies and encrypted anonymous wallets, they have a secure, encrypted way to get paid with little risk of getting caught if they show basic cyber hygiene skills in covering their digital tracks. Many of the original ransomware gangs, such as Maze, have literally retired from the business as they have made so much money."
Weiss commented on threat actors using LOTL attacks to target healthcare and public health sector entities, saying such attacks "make it much more difficult for the victim to detect since they are less likely to alert antivirus or endpoint detection tools."
To keep up with all these threats, he says, it is essential for organizations to become much more proactive, rather than reactive. "These threat actors are well educated, well trained, well funded and highly motivated, and these attacks aren’t going to stop anytime soon."