Surge in Healthcare Ransomware Attacks Reported by FireEye

According to a recent report from security firm FireEye, there has been a surge in healthcare ransomware attacks in August. Massive new Locky ransomware campaigns have been launched and the healthcare industry is being targeted.

According to the report, attacks on healthcare organizations were the most numerous in August. The telecom and transportation industries were the second and third most likely to be attacked.

The healthcare industry is being targeted because cybersecurity defenses are believed to be easier to breach and because healthcare organizations must have access to patient data. If attackers succeed in locking protected health information, healthcare organizations may have little alternative but to pay ransom demands.

As we have already seen this year, a number of healthcare organizations have paid to have their data unlocked. Hollywood Presbyterian Medical Center, for example, had to pay $17,000 to unlock a Locky ransomware infection.

Locky Favored for Healthcare Ransomware Attacks

This month has seen a change in the way healthcare ransomware attacks occur. Previously, Locky ransomware had been installed using JavaScript attachments: opening the JavaScript downloader would result in Locky being installed. Now, the ransomware is being installed via DOCM files. The new method of delivery is likely to prove more effective than the JavaScript campaigns, because email recipients are more likely to open a Word document than a JavaScript file.

Simply opening the malicious document will not result in Locky being downloaded. The user must first enable macros before their computer will be infected. However, if macros are set to run automatically, the user’s computer will be infected.
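The two delivery vectors described above (JavaScript attachments and macro-enabled DOCM documents) both leave structural fingerprints an email gateway or mail-filter script can check before a user ever sees the attachment. The following is an added example, not code from the article or from FireEye: it inspects an attachment's bytes for the markers of a macro-enabled Word document (a `word/vbaProject.bin` part and the macro-enabled main-part content type in `[Content_Types].xml`) and flags `.js` attachments by extension. The content-type strings come from the OOXML format; the sample attachments are constructed in memory and contain placeholder bytes rather than real VBA, and the function and label names are this example's own.

```python
import io
import zipfile

# Content types Word declares for its main part (OOXML; not stated in the article).
MACRO_ENABLED_WORD_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_WORD_CT = ("application/vnd.openxmlformats-officedocument"
                 ".wordprocessingml.document.main+xml")
VBA_PROJECT_PART = "word/vbaProject.bin"   # part that holds the VBA project


def inspect_office_attachment(data: bytes) -> dict:
    """Structural check of an attachment: is it an OOXML container, does it
    carry a VBA project, and does it declare itself macro-enabled?
    Works on bytes only, so a .docx renamed from a .docm is still caught."""
    verdict = {"is_ooxml": False, "has_vba_project": False,
               "macro_enabled_content_type": False, "has_macros": False}
    if not data.startswith(b"PK\x03\x04"):      # OOXML files are ZIP archives
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            verdict["is_ooxml"] = "[Content_Types].xml" in names
            verdict["has_vba_project"] = VBA_PROJECT_PART in names
            if verdict["is_ooxml"]:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                verdict["macro_enabled_content_type"] = MACRO_ENABLED_WORD_CT in types_xml
    except zipfile.BadZipFile:
        return verdict
    # Either marker alone is enough to treat the file as macro-carrying.
    verdict["has_macros"] = (verdict["has_vba_project"]
                             or verdict["macro_enabled_content_type"])
    return verdict


def classify_attachment(filename: str, data: bytes) -> str:
    """Map an attachment to one of the delivery vectors named in the article,
    or 'ok'. Hypothetical labels chosen for this example."""
    if filename.lower().endswith(".js"):
        return "javascript-downloader-extension"
    if inspect_office_attachment(data)["has_macros"]:
        return "macro-enabled-office-document"
    return "ok"


def _build_sample(parts: dict) -> bytes:
    """Constructed helper: assemble a minimal OOXML-style ZIP in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples, not real malware: a plain .docx and a macro-enabled .docm.
CLEAN_DOCX = _build_sample({
    "[Content_Types].xml":
        f'<Types><Override PartName="/word/document.xml" ContentType="{PLAIN_WORD_CT}"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = _build_sample({
    "[Content_Types].xml":
        f'<Types><Override PartName="/word/document.xml" ContentType="{MACRO_ENABLED_WORD_CT}"/></Types>',
    "word/document.xml": "<w:document/>",
    VBA_PROJECT_PART: b"\x00placeholder bytes, not a real VBA project\x00",
})
# Same container as MACRO_DOCM but renamed to .docx: the byte check still flags it.
RENAMED_DOCM = MACRO_DOCM

if __name__ == "__main__":
    for name, blob in [("invoice.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", RENAMED_DOCM), ("invoice.js", b"var x=1;")]:
        print(f"{name}: {classify_attachment(name, blob)}")
```

The check deliberately looks at the container rather than the file extension, because the attachment name is under the sender's control while the `vbaProject.bin` part is required for the macros to exist at all; a gateway can quarantine on `has_macros` regardless of the user's own macro setting.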

Criminals Switch from Dridex to Locky

Criminals are increasingly favoring Locky over other forms of malware. Dridex, the banking malware, was one of the biggest threats last year. This month Dridex activity has all but stopped via this channel. FireEye says that the fall in Dridex indicates cybercriminals are switching to Locky in order to maximize their profits.

FireEye reports that the change in delivery tactics suggests that the cybercriminals behind the attacks are investing more heavily in their campaigns. Three emails from campaigns run on August 9, August 11, and August 15 were analyzed and found to be using different code. The campaign code for each email campaign appears to be a one-off. The spoofed emails are different for each campaign, as are the URLs embedded in the macro code and the keys for the downloaded payload.

Given the surge in healthcare ransomware attacks in August, healthcare organizations have been warned to be on high alert. Privacy and security officers should ensure that all healthcare employees are made aware of the increase in attacks and are warned about opening email attachments from unknown senders.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news