Healthcare Industry at Risk from More than 200 Ransomware Families

Healthcare ransomware attacks have increased dramatically in 2016, and so has the number of threats. While healthcare organizations work hard at improving their defenses to prevent ransomware attacks, ransomware authors have also been hard at work developing new variants that are harder to detect, incorporate more features, and wreak more havoc.

The rise of ransomware has been tracked by security researchers from the MalwareHunterTeam. In March, 2016, the researchers started tracking and cataloging new ransomware variants as they are discovered. The team uses ransom notes that have been submitted by victims to identify new forms of ransomware. This month, the team announced that it has catalogued over 200 different families of ransomware.

Tackling the growing ransomware problem is an uphill struggle. While some ransomware authors make coding errors which allow security companies to develop decryptors, those errors are rapidly fixed. New, harder to crack variants are then released. The fast pace of evolution and the sheer number of new threats makes it difficult to keep on top of the problem and disrupt attacks.

Law enforcement agencies from around the world are teaming up with security companies in an effort to disrupt the efforts of ransomware gangs, yet even with increased collaboration it is proving difficult to stop the attacks. Some headway has been made and decryptors are now available for a handful of ransomware variants, which are being provided for free as part of the No More Ransom Project – a joint initiative between Europol, the Dutch National Police, and a host of security firms.

Free decryptors have been developed and published online which have helped more than 2,500 ransomware victims recover their files without having to pay a ransom. To date, more than $1 million in ransoms have been avoided thanks to the project.

Decryptors have been released on the site for some ransomware variants: Wildfire, Chimera, TeslaCrypt, Shade, CoinVault, Rakhni, Polyglot, and Rannoh; however, with more than 200 ransomware families it is just a drop in the ocean. Further, the problem is becoming worse. Kaspersky Lab research shows there have been more than 5.5 times as many ransomware victims between April 2015 and March 2016 as the previous 12 months.

However, for the vast majority of ransomware victims, decryptors are not available. That means a viable backup of data must exist or a ransom must be paid to recover files. As we have already seen on numerous occasions this year, having a backup does not guarantee recovery. Backups can be corrupted and restoration of data may fail.

Some ransomware variants make it even harder to recover data. Backup files are deleted or encrypted, while CTB Locker encrypts the entire disk, not just certain file types. Petya and HDDCryptor overwrite the master boot record.

With security companies unable to deal with the increasing threat, it is up to organizations to prepare for attack and ensure that they have viable backups on air-gapped devices and a ransomware response plan must be developed. Otherwise they are likely to be placed at the mercy of attackers, which means having to dig deep and pay the ransom.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of