Cybercriminals Ramp Up Attacks on Healthcare, Again

This blog was originally published by Ericom here

Written by James Lui, Ericom

Sometimes, even knowing what’s coming can’t help you stop it. Cybersecurity experts anticipated an increase in cyberattacks on healthcare organizations during 2021. And sure enough, by the end of April, 30 US hospitals and health systems had experienced data breaches, with over 2 million health records exposed in April alone. Just weeks later, on May 20, the FBI issued a flash alert warning about Conti ransomware attacks on healthcare and first responder networks.

Incentives for these attacks are chiefly financial: Ransom demands for healthcare breaches currently average $4.6 million. Cybersecurity insurance rates have spiked due to the increase in attacks, yet the number of organizations opting for coverage is up 80%.

Irish Health Service Executive (HSE) Attack

A week before the FBI warning, on May 14, HSE, the organization that manages Ireland’s national healthcare system, was hit with a major ransomware attack that effectively shut down its entire IT infrastructure. The attack had a powerful impact on the nation’s healthcare system: Many appointments were cancelled, including all outpatient and radiology appointments.

Several hospitals were locked out of their digital systems and were forced to rely on paper records.

The attackers demanded a $20 million ransom. For unknown reasons – pangs of conscience perhaps? – the attackers provided HSE with a free decryptor. That’s not to say that they were abandoning their demands: The ransomware HSE was attacked with used double extortion, meaning that the cybercriminals downloaded HSE data before locking it. The attackers have threatened to release or sell the personal and healthcare data of millions of Irish citizens if the ransom they’re demanding is not paid. To prove that they really had the data, the cyber gang behind the attack, Wizard Spider, published private data for 12 patients, including admission records and laboratory results, to a darknet site.

The head of the HSE said that it will cost tens of millions of Euros to recover from the attack. Weeks after the attack, restoration of critical IT systems was still in early stages, essential services were taking much longer to deliver, and turnaround time for tests and results were long. HSE authorities were urging the public to turn to pharmacies and free-standing injury units, in case of lesser emergencies, rather than burdening HSE emergency services.

Scripps Health Attack

In early May 2021, Scripps Health, one of San Diego, California’s largest healthcare providers, was hit with what has now been revealed to have been a ransomware attack. Many crucial hospital systems including telemetry for electronic monitoring (such as heart monitors) was rendered inaccessible. The organization’s website, patient portal, and electronic records were also taken offline.

In the initial phase some critical-care patients were diverted to other hospitals. Four weeks after the initiation of the attack, Scripps was still working to fully restore all systems. No attacker have taken “credit” for the attack and the ransomware code that was used was not revealed.

Meet the Cyber-Cartel Behind the HSE Attack

The HSE attack used Conti ransomware and is believed to have been orchestrated by Wizard Spider, a St. Petersburg, Russia based cybercrime gang that is part of the world’s first “cyber-cartel.” The cyber-cartel includes four additional Russia-based cybercrime gangs, and it is a dominant player in global ransomware attacks.

Russian authorities seem to turn a blind eye to Wizard Spider – perhaps as a quid pro quo: The malware Wizard Spider uses detects if a system it infects is based on the Russian language or its IP address is in any of the former Soviet states. In either of those cases, the software is programmed to uninstall itself.

In addition to deploying the Conti ransomware, Wizard Spider has been associated with espionage malware, code that allows them to download data or eavesdrop without doing any damage. This has led some to speculate that Wizard Spider also works on behalf of the Russian government, since there’s little motivation for a for-profit cyber gang to engage in espionage.

Wizard Spider has been targeting healthcare organizations for some time, but the attack on HSE is unprecedented in its scale and the severity of the results. It represents a clear escalation in the threat level.

Securing Healthcare Systems

The FBI alert includes a number of recommended mitigations, some relating to procedures for backing up data and recovery plans, others to strengthening identification protocols and other procedural changes.

Among the recommendations is a call to automatically disable hyperlinks in incoming emails. While this could undoubtedly reduce phishing-enabled delivery of ransomware, it also inconveniences users who need the hyperlinks included in legitimate emails. More importantly, it does not address other ransomware delivery methods – drive-by downloads from websites, malvertising, ransomware in social media posts and attachments and much more.

Remote Browser Isolation (RBI) enables users to safely click on any link in an email, website or document, or browse directly to any site, without risk that website-based malware, ransomware or downloaders or even zero day threats will infect devices and networks via user browsers. RBI opens all websites in virtual browsers in isolated containers. Only safe rending information is sent to the user’s regular browser on their endpoint, where they interact with it just as they would with the website. All code in the container that is destroyed after the session. No website content every reaches the user device or the company’s network.

The best way to protect against ransomware is to move to a Zero Trust approach to network security, where all users and all websites are treated as dangerous unless proven safe. Since nothing on the web can ever be proven to be safe, remote browser isolation treats all website content as malicious, and isolates it all away from endpoints and networks.

The recent HSE and Scripps attacks confirm just how willing cyber criminals are to risk lives. It’s time for healthcare organizations to act on the fact that preventing cyberattacks is as crucial for healthcare as preventing disease.

This white paper, “Addressing the Healthcare Cybersecurity Crisis,” digs a little deeper into why healthcare organizations are targets for attacks and what they can do to protect themselves.