A recent joint CISA, FBI, and HHS cybersecurity alert warned that the healthcare sector was being targeted by threat actors who were deploying ransomware. Attacks are being conducted by several threat actors using a range of different ransomware variants, including Ryuk and Conti.
A new report recently published by Check Point shows that since the alert was issued, cyberattacks on the healthcare sector have continued to increase. From the start of November to the end of December 2020, healthcare industry cyberattacks increased by 45% globally. This growth was more than double the percentage rise in attacks on all industry sectors globally during the same period.
During November and December 2020, an average of 626 cyberattacks on healthcare organizations occurred worldwide each week, compared to an average of 430 attacks a week in October 2020.
The vectors used in the attacks have been quite varied, with Check Point cybersecurity experts identifying increases in ransomware, botnet, remote code execution, and DDoS attacks during November and December; however, ransomware attacks had the highest percentage increase and pose the biggest threat to healthcare organizations.
Conti ransomware remains a serious threat and has been deployed in a number of healthcare ransomware attacks recently, although Ryuk was the most widely used ransomware variant, just ahead of Sodinokibi. The greatest growth in cyberattacks was recorded in Central Europe, which had a 145% spike in attacks, followed by East Asia (137%) and Latin America (112%). There was a 67% rise in attacks in Europe and 37% growth in North America. The country with the greatest increase was Canada, which saw attacks jump by 250%.
Various tactics are used to gain access to healthcare networks. It is common for ransomware attacks to start with phishing emails that deliver Trojans such as Emotet, TrickBot, and Dridex, which deliver ransomware as a secondary payload. Check Point advises security experts to search for these Trojans on the network, along with Cobalt Strike.
The majority of phishing attacks are conducted during business hours, but ransomware is often deployed during public holidays or at the weekend, when security teams are less likely to identify attacks in progress. Check Point recommends increasing network monitoring at these times. Flaws in software and operating systems are also exploited to gain access to healthcare networks. It is therefore important to ensure that all software is kept up to date and patches are applied promptly. In healthcare, patches cannot always be applied quickly. Check Point advises using an intrusion prevention system (IPS) with virtual patching capabilities that can prevent the exploitation of vulnerabilities. Anti-ransomware cybersecurity solutions with auto-remediation capabilities should also be put in place.
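One way to combine the two recommendations above (hunting for the named precursor Trojans and watching weekends and holidays more closely) is a triage rule that escalates precursor detections seen outside staffed hours. This is an added example, not code from Check Point or the alert; the alert fields, detection labels, hostnames, UTC-5 site offset, business hours and holiday calendar are all assumptions constructed for illustration.

```python
from datetime import date, datetime, time, timedelta, timezone

# Families the article says to hunt for, normalized to lowercase alphanumerics.
PRECURSORS = ("emotet", "trickbot", "dridex", "cobaltstrike")

# Assumptions for this example: fixed-offset site clock, hours, holiday list.
SITE_TZ = timezone(timedelta(hours=-5))
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
HOLIDAYS = {date(2020, 12, 25), date(2021, 1, 1)}


def is_off_hours(ts_utc: datetime) -> bool:
    """True on weekends, listed holidays, or outside business hours (site time)."""
    local = ts_utc.astimezone(SITE_TZ)  # evaluate in site time, not UTC
    if local.weekday() >= 5 or local.date() in HOLIDAYS:
        return True
    return not (BUSINESS_START <= local.time() < BUSINESS_END)


def precursor_family(detection: str):
    """Return the matched precursor family, or None, ignoring case and separators."""
    label = "".join(ch for ch in detection.lower() if ch.isalnum())
    return next((fam for fam in PRECURSORS if fam in label), None)


def triage(alert: dict) -> str:
    """P1: precursor seen off-hours, P2: precursor, P3: other off-hours, P4: rest."""
    off = is_off_hours(datetime.fromisoformat(alert["time"]))
    if precursor_family(alert["detection"]):
        return "P1" if off else "P2"
    return "P3" if off else "P4"


# Constructed sample alerts (not real telemetry); timestamps are UTC.
ALERTS = [
    {"time": "2020-12-26T02:30:00+00:00", "host": "rad-ws-07",
     "detection": "Trojan.TrickBot.Gen"},    # Friday 25 Dec 21:30 site time
    {"time": "2020-12-15T15:00:00+00:00", "host": "hr-ws-02",
     "detection": "Emotet downloader doc"},  # Tuesday 10:00 site time
    {"time": "2020-12-14T04:10:00+00:00", "host": "lab-srv-01",
     "detection": "Cobalt_Strike beacon"},   # Sunday 23:10 site time
    {"time": "2020-12-16T16:00:00+00:00", "host": "fin-ws-11",
     "detection": "PUA.Toolbar"},            # Wednesday 11:00 site time
]

if __name__ == "__main__":
    for a in ALERTS:
        print(triage(a), a["host"], a["detection"])
```

The first and third alerts show why the comparison is made in site time: their UTC timestamps fall on a Saturday and a Monday, but locally they land on the holiday evening and on Sunday night.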