Ransomware Attacks on Healthcare Organizations Globally Increase by 45%, Study Shows
A recent report from Check Point showed that since November 2020, ransomware attacks targeting healthcare organizations globally have increased by 45%.
In the report "Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again," Check Point said that the spike in ransomware attacks targeting healthcare organizations globally was more than double the overall increase in cyberattacks across all industry sectors worldwide seen during the same period. According to Check Point, the main ransomware variant used in the ransomware attacks was Ryuk, followed by Sodinokibi.
What Is Ransomware?
Ransomware is a type of malicious software (malware) that blocks victims from accessing their computer systems or files and demands a ransom payment from the victims to regain access to those systems or files. Ransomware attackers also demand a separate ransom payment in exchange for the non-publication of data stolen in the course of the ransomware attack.
Ryuk and Sodinokibi Ransomware
Ryuk ransomware is a cyber threat that has been targeting organizations, specifically hospitals, businesses, and government institutions since 2018. This ransomware was first observed in the wild in August 2018.
Code comparison analysis of Ryuk ransomware and Hermes ransomware showed that the two are generally the same, giving credence to the theory that the developer of Ryuk has access to the Hermes source code. Hermes ransomware was responsible for the money heist of a Taiwanese bank in October 2017.
Hermes is called a “pseudo-ransomware” – referring to ransomware that uses a ransomware attack as a cover to distract from its main goal: stealing money. In the money heist of a Taiwanese bank in 2017, the Hermes ransomware attack was timed to coincide with the moment the money was stolen from the bank.
The group behind Ryuk ransomware demands that the ransom be paid in the cryptocurrency bitcoin. After tracing bitcoin transactions for the known addresses attributable to Ryuk, researchers from HYAS and Advanced Intelligence reported that the group behind Ryuk earned more than $150,000,000.
“Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” researchers from HYAS and Advanced Intelligence said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”
Sodinokibi, also known as REvil, meanwhile, is a type of ransomware that was first observed in April 2019. Code comparison analysis of Sodinokibi and another ransomware called “GandCrab” showed that the two shared a lot of similarities, indicating the developer of Sodinokibi had access to the GandCrab source code.
Both Ryuk and Sodinokibi encrypt important files in the compromised computer, locking out users from their files. These two demand a ransom to decrypt or unlock these files.
It’s now a known fact that during the course of the ransomware attack, Ryuk and Sodinokibi also steal victims’ files before encrypting them. The stolen data is then used for a “double-extortion” attempt: in addition to the ransom payment to unlock the locked files, attackers demand that victims pay another ransom for the stolen files, threatening that failure to pay this second ransom would lead to the publication of the stolen files.
In November 2020, K12 Inc., now known as Stride, Inc., a company that provides online education, admitted that it was a victim of a ransomware attack. Open-source reports showed that Ryuk ransomware hit K12 Inc.
In a statement, K12 Inc. said, “We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.”
Ryuk and Sodinokibi are part of the ransomware families called “Ransomware-as-a-Service (RaaS)”. In RaaS, one group maintains the ransomware code, and another group, known as affiliates, spreads the ransomware.
Cybersecurity Best Practices Against Ransomware Attacks
Both Ryuk and Sodinokibi are commonly spread via very targeted means such as RDP and spear phishing.
RDP, short for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft that allows a Windows user to connect to another Windows computer. In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks," the Microsoft Defender Security Research Team said that RDP is an attractive target for threat actors because it presents a simple and effective way to gain access to a network and conduct many follow-on activities, such as a ransomware attack.
The Microsoft Defender Security Research Team said that threat actors often gain access to RDP through a brute-force attack – referring to the trial-and-error method of guessing the correct username and password combination. Spear phishing, meanwhile, weaponizes an email against specific and well-researched targets. A spear-phishing email masquerades as coming from a trustworthy source.
Traditional spear-phishing emails attached malicious documents, for instance, a zip file. Modern-day spear-phishing emails come with malicious documents that are hosted on legitimate sites such as Dropbox, OneDrive, or Google Drive.
To protect RDP from brute-force attacks and ultimately ransomware attacks, use strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections. Spear phishing prevention, meanwhile, includes phishing simulation tests, and an established process for users to report suspicious emails to the IT security team.
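Alongside these preventive controls, RDP brute-force attempts can be detected from Windows logon events. The following is an added example, not code from the original article and not the probabilistic time series model Microsoft describes: a simple sliding-window counter over constructed records modelled on Security events 4625 (failed logon) and 4624 (successful logon). The threshold, window, sample addresses and usernames are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2021, 1, 11, 2, 0, 0)
def at(sec):
    return BASE + timedelta(seconds=sec)

# Constructed sample records: (time, event_id, logon_type, source_ip, username).
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
GUESSED = ["admin", "administrator", "admin", "backup", "admin", "svc_rdp"]
SAMPLE_EVENTS = (
    # Burst of failures from one address, followed by a success.
    [(at(10 * i), 4625, 3, "203.0.113.50", u) for i, u in enumerate(GUESSED)]
    + [(at(70), 4624, 10, "203.0.113.50", "svc_rdp")]
    # Ordinary user who mistypes a password twice.
    + [(at(5), 4625, 10, "10.0.0.15", "jsmith"),
       (at(20), 4625, 10, "10.0.0.15", "jsmith"),
       (at(30), 4624, 10, "10.0.0.15", "jsmith")]
    # Failures one hour apart: never five inside the window.
    + [(at(3600 * i), 4625, 3, "198.51.100.7", "admin") for i in range(5)]
)

# Logon type 10 = RemoteInteractive; failed RDP logons under NLA show as type 3.
RDP_LOGON_TYPES = {3, 10}

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed logons inside window (assumed defaults)."""
    recent = defaultdict(deque)  # per-IP (time, user) of recent failures
    flagged = {}
    for ts, event_id, logon_type, ip, user in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event_id == 4625:
            q = recent[ip]
            q.append((ts, user))
            while ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
                hit["users"].update(u for _, u in q)
        elif event_id == 4624 and ip in flagged:
            # A success after a flagged burst suggests a guessed credential.
            flagged[ip]["success_after"] = True
    return flagged

if __name__ == "__main__":
    for ip, hit in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, hit["failures"], sorted(hit["users"]), hit["success_after"])
```

An address flagged with `success_after` set is the case to escalate first, since it means a logon succeeded from a source that had just been guessing credentials.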
It’s also important to implement the 3-2-1 backup rule and network segmentation in case attackers breach your organization’s network.
The 3-2-1 backup rule means that at least 3 copies of critical data must be kept, with 2 copies in different media and one copy offsite. Network segmentation, meanwhile, refers to the practice of dividing your organization’s network into sub-networks so that in case something happens to one sub-network, the other sub-networks won’t be affected.
Steve E. Driz, I.S.P., ITCP