At a glance.
- Ransomware threatens healthcare and public health sector; patient data at risk.
- Patching and updating to preserve data security.
- A new loader to compete with Emotet.
Ransomware attackers have US healthcare in their crosshairs.
With a global pandemic underway, the last thing we need is a threat to healthcare systems. And indeed, as the CyberWire reported recently, some threat actors have made unofficial statements promising to leave medical data and systems unharmed. But the findings of three US federal agencies paint a different picture. Voice of America reports that the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services released a joint statement predicting that healthcare institutions face an increased threat of “data theft and disruption of healthcare services.” Alex Holden, CEO of infosec firm Hold Security, informed government officials that ransomware attackers are preparing campaigns against more than four hundred healthcare institutions, with ransom demands upward of $10 million. Researchers agree that threat actors target healthcare because disruption of these services can be literally life-threatening, which makes victims far more likely to pay, and pay large sums. Brett Callow, an analyst with cybersecurity firm Emsisoft, found that fifty-nine US healthcare systems, encompassing up to five hundred and ten facilities, had already been the victims of ransomware attacks in 2020.
Kelvin Coleman, Executive Director at the National Cyber Security Alliance, commented to us in an email that the healthcare sector in effect has its work cut out for it:
“Threats against the US healthcare system continue to be a long running issue, made undoubtedly worse as the COVID-19 pandemic’s spread continues. The latest alert and joint statement released by CISA, FBI and HHS, Ransomware Activity Targeting the Healthcare and Public Health Sector, confirms that the persistent dangers of ransomware throughout our healthcare infrastructure are not to be taken lightly. Recent reports about the first death linked to a ransomware attack in Germany reinforce these dangers. Hospitals and other healthcare facilities are increasingly relying on connected devices, patient records are becoming more digitized and people are depending on telehealth services for medical help during the pandemic. Each of these healthcare components is vulnerable, making the need for increased cybersecurity awareness and education among consumers and healthcare practitioners paramount for safety and prevention. In terms of best practices, effective security policies, training roadmaps for IT teams and the integration of proactive cybersecurity education initiatives into the public health workplace culture are all incredibly important for keeping threats at bay. Addressing the specific threat of ransomware, it’s essential for facilities to regularly create backups of critical systems and files, and to house those offline from the network. Simultaneously, healthcare and public health facilities should also be vigilant about upgrading and updating their legacy hardware and software; ensuring that all connected devices and applications have multi-factor authentication enabled; and that employees know how to identify and avoid malicious email links and attachments from possible phishing scams targeting their workforce.”
One of the prominent companies to warn about this campaign, and to report on it in some detail, has been FireEye, specifically the researchers in FireEye's Mandiant unit. Charles Carmakal, SVP and CTO of Mandiant, emailed us some comments on what they've been seeing in the activities of the threat actor they're calling UNC1878:
“Ransomware attacks on our healthcare system may be the most dangerous cyber security threat we’ve ever seen in the United States. UNC1878, an Eastern European criminal threat actor, is deliberately targeting and disrupting U.S. hospitals with ransomware, forcing them to divert patients to other healthcare providers. Patients may experience prolonged wait time to receive critical care. Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase.
UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career. We are releasing a significant amount of information about UNC1878 to help organizations defend their networks.”
Mandiant's not alone in expressing concern and revulsion over this threat. Pixel Privacy's Chris Hauk commented, “Once again, the heartless bad actors of the world look to profit from the misery that is COVID-19. As with any attack like this, I can't stress enough the need for user education to inform users as to the risks of opening suspicious emails, and especially the dangers of clicking links or opening attachments in emails. While education doesn't always prevent successful attacks like this, it is a powerful weapon, along with making sure that systems are updated with the latest versions of software and operating systems, helping to guard against ransomware attacks.”
And Comparitech's Paul Bischoff wrote that “Hospitals are a cruel but lucrative target for ransomware hackers. Many hospital computer systems run on outdated equipment that leave various vulnerabilities open for hackers to exploit, and their staff may not be well trained to handle phishing messages. Because hospitals might not be able to operate without their data, potentially putting patients' lives at risk, they are more likely to pay the ransom required to decrypt encrypted data.”
We also received an interesting cautionary note from Coalition's Jeremy Turner, who thinks that it would be a bad thing indeed if underwriters began to perceive healthcare as uniquely or at least distinctively vulnerable to ransomware:
“Hospitals and healthcare entities are often targeted by ransomware, and they make attractive targets because they hold significant PHI and typically have weaker security infrastructure. Threat actors have opportunistically targeted healthcare entities during the COVID-19 pandemic because the drastic changes in their operating procedures have made healthcare organizations even more vulnerable. However, the threat actors behind ransomware attacks are purely motivated by financial gain. In our claims experience, hospitals are targeted less frequently than many other industries, including auto dealerships, despite having significantly more infrastructure and higher internet-facing exposure. Our data shows that within similar sample sizes of 700-800 domains, 79 auto dealerships were compromised as opposed to 56 hospitals. The recent CISA and FBI advisory may, unfortunately, result in more harm than good for healthcare entities as insurers increase the use of sub-limits on extortion or otherwise limit access to coverage.”
You can lead a horse to a patch, but you can’t make him update.
The critical vulnerability SMBGhost (CVE-2020-0796), a flaw in the SMBv3 implementation present in Windows 10 and Windows Server systems, is so severe it earned the highest possible rating on the Common Vulnerability Scoring System scale. And yet, WeLiveSecurity reports, more than 100,000 machines remain unpatched against it, even though Microsoft released a fix back in March of this year. This leaves those systems open to attack by threat actors seeking to exploit the Remote Code Execution (RCE) vulnerability, which is especially dangerous because it can be triggered over the network with no user interaction, making it a candidate for self-propagating malware. A proof-of-concept demonstrating RCE was published over the summer, and the United States’ Cybersecurity and Infrastructure Security Agency (CISA) warned that it could be employed by attackers looking to take advantage of unpatched machines.
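The report above is about hosts that were never patched, so the practical question for a defender is whether a given host is still exposed. The following PowerShell check is an added example, not code from the WeLiveSecurity or CyberWire reporting. It assumes the affected builds are Windows 10 / Server 1903 (build 18362) and 1909 (build 18363), that the March 2020 fix is KB4551762, and that Microsoft's published interim workaround is the `DisableCompression` registry value under `LanmanServer\Parameters`, all taken from Microsoft's own advisory for CVE-2020-0796; the `$verdict` logic and the firewall check are this example's additions.

```powershell
# Added example (not from the page): assess a single Windows host for SMBGhost (CVE-2020-0796) exposure.
# Assumptions (from Microsoft's CVE-2020-0796 advisory): affected builds are 18362 (1903) and 18363 (1909),
# the fix is KB4551762, and the interim workaround is DisableCompression = 1 on the SMB server.

$affectedBuilds = 18362, 18363
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -notin $affectedBuilds) {
    Write-Output "Build $build is not in the SMBGhost-affected range (1903/1909); nothing to check."
    return
}

# 1. Is the March 2020 fix installed? Get-HotFix is the quick check; the srv2.sys version
#    (the SMBv3 server driver) is printed as a second opinion, since Get-HotFix can lag
#    behind cumulative updates that supersede the original KB.
$patched = [bool](Get-HotFix -Id KB4551762 -ErrorAction SilentlyContinue)
$srv2 = Get-Item "$env:SystemRoot\System32\drivers\srv2.sys" -ErrorAction SilentlyContinue
if ($srv2) { Write-Output ("srv2.sys version: " + $srv2.VersionInfo.ProductVersion) }

# 2. Is the workaround in place? DisableCompression = 1 turns off SMBv3 compression,
#    which is the code path the vulnerability lives in. It protects the server side only.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$disableCompression = (Get-ItemProperty -Path $key -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
$mitigated = ($disableCompression -eq 1)

# 3. Is TCP/445 blocked inbound by the host firewall? That reduces exposure from outside the
#    host even when neither the patch nor the workaround is present.
$block445 = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' }

$verdict = if ($patched) { 'Patched' }
           elseif ($mitigated) { 'Workaround only - schedule the update' }
           else { 'EXPOSED' }

[pscustomobject]@{
    Build               = $build
    KB4551762Installed  = $patched
    CompressionDisabled = $mitigated
    Inbound445BlockRule = [bool]$block445
    Verdict             = $verdict
}

# To apply the workaround right away (no reboot required) while the update is scheduled:
# Set-ItemProperty -Path $key -Name DisableCompression -Type DWORD -Value 1 -Force
```

Run it in an elevated PowerShell session on the host itself, or wrap it in `Invoke-Command` to sweep a fleet. Treat "Workaround only" as a temporary state: disabling compression closes the server-side hole but does not protect the SMB client, and only the update fixes both.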
Buer Loader gives Emotet a run for its malware money.
The Emotet family has long been considered a leader in the malware game, but relative rookie Buer Loader is quickly becoming a popular alternative, reports Naked Security. Emotet’s appeal lies in its botnet of infected machines (“zombies”), which lets its operators automate large-scale attacks such as mass spam campaigns and pay-as-you-go delivery of other groups’ malware. Buer Loader, which first appeared on the scene in August 2019, uses a malware-as-a-service business model that lets cybercriminals buy a customized malware loader without going to the effort of creating one themselves. At first Buer was most often seen in banking-trojan campaigns, but it soon became a popular option for ransomware groups as well. In fact, the infamous Ryuk ransomware gang used Buer in a September operation as its delivery mechanism, luring victims to the malware through Google Docs.