Health Care Ransomware Strains Have Hospitals in the Crosshairs

April 23, 2021
| |
5 min read

The language of digital attacks shares a lot with the language of disease: ‘viruses’ ‘infect’ computers, and stopping their spread can be like trying to keep down a contagious disease. The two worlds also come together when threat actors attack using health care ransomware. When every minute could change the fate of a patient, preventing these attacks is especially important. Take a look at how to protect against health care ransomware attacks used against hospitals and other facilities.

What Kind of Health Care Ransomware Do Attackers Use?

Two strains stand out in recent health care ransomware attacks: Ryuk and REvil. Although they are distinct when it comes to details, they also have some common elements. Both are available as so-called ransomware as a service, or RaaS. RaaS is a business model for cyber criminals in which one group develops and maintains the program code. Then, they sell access to the malware to other groups — affiliates — who are the ones responsible for infecting victims.

The people who use both types of ransomware attacks on health care do so to extort money. An old stereotype that bored teenagers run ransomware attacks is far from the truth. In reality, these criminals are ruthless, aggressive and primarily looking for large sums of money. According to research on tracking ransom payments to Bitcoin wallets, the Ryuk gang made more than $150 million between when it first appeared in 2018 and January of this year. The gang behind REvil also did not limit themselves to building the code. They found RaaS more lucrative and conducted attacks on their own.

So, how do these attacks work?

How Health Care Ransomware Gains Initial Access to Victims

In general, the way they gain access is one point of difference between the two most well-known health care ransomware strains. While Ryuk spreads via phishing campaigns, REvil gains access by exploiting vulnerabilities. That said, the people running these attacks will not always stick to the plan and may use whatever works.

Ryuk

The phishing campaigns for Ryuk come disguised as honest business emails, such as customer complaints or hiring decisions. Some go as far as including the recipient’s name or employer name to convince the victim the message is real. The message claims the user needs to click a link to view the details of a document. This link usually includes a blurred preview image. When someone clicks it, the ransomware executes what’s called a dropper, such as TrickBot or BazarLoader. This dropper then starts the infection. Interestingly, TrickBot started as a banking information stealer, but nowadays people more often use it as a dropper.

REvil

REvil can also use phishing campaigns like Ryuk. However, that isn’t the tactic it most often relies on. Instead, its users inject it by exploiting openings in application web servers, breaking in to remote access gateways. They abuse exposed services, such as the Remote Desktop Protocol or conducting a supply chain attack by infecting a software provider.
REvil ransomware also goes by the name of Sodinokibi. It has been linked to GOLD SOUTHFIELD, a financially motivated threat group.

Manipulating the Environment

Once these groups establish a foothold, they quickly map the victim’s network and attempt to obtain admin privileges. Compared to traditional infections, their campaigns are human-operated. This allows them to be more adaptive and get around protection measures. Attackers have a variety of ways to achieve their goals once inside. They can use existing operating system tools, such as WMI and PowerShell, exploit weaknesses in legacy systems or abuse a lack of segmentation in flat networks. In addition, they can take advantage of poorly secured active directory domains or use common security testing tools.

Health Care Ransomware’s Objectives and Impact

Because humans operate these attacks, intrusions happen very fast. Human-led attacks are more focused and effective compared to hands-off ones. Ryuk ransomware infections are known to move from a phishing email to domain-wide ransomware in five hours.

Health care ransomware does not only pose risks for regular IT systems, but it is also a risk for the safety of patients. When nurses no longer have access to patient information they may be unaware of patients’ allergies. They may not be able to access schedules and prescription information for giving medicine. Doctors and anesthesiologists have no information for planned surgeries. Surgery schedule software can no longer plan interventions, and connected medical instruments can malfunction. Remote medical monitoring software may go down.

These gangs don’t just want to prevent access to data. They also cue a ‘blame-and-shame’ game. Apart from locking up the systems, they exfiltrate the data and extort their victims, threatening to publish the patients’ information. Needless to say, such data breaches can have severe financial and regulatory consequences. From a criminal point of view, this blackmailing approach has proven to be even more lucrative. In a ‘traditional’ ransomware scheme criminals have less means to blackmail once the victim has restored their systems. However with a data breach, criminals can come back after a first payment. Things can even take a catastrophic turn if the data gets sold on the black market and different gangs ‘compete’ for a payment.

Unique Challenges in the Health Care Sector

The most important challenge faced by the health care sector is their need for continuous work and being open at all times. Hospitals have to maintain a wide range of legacy IT systems supporting medical devices. Many of these systems run on unsupported operating systems. They rely on older and unpatched app and use insecure protocols for remote administration, which makes them an easy target. In addition there is a wealth of remote users and cloud-based assets. All this results in a non-homogeneous IT environment.

For many in health care, digital defense is also a relatively new domain. They lack a structure to implement cybersecurity across their entire network. Ideally, security should be shifted into the realm of compliance needs to make it part of the workplace culture and embed it in business processes.

The weakest link in the defense against health care ransomware is still the user. Regular training campaigns teach the staff how not to fall victim for phishing campaigns, but will not solve the whole problem.

Defending Against Health Care Ransomware

The ideal model for health care cybersecurity is zero trust, where there is no implicit trust granted to assets or users based solely on their physical or network location. It means you treat the internal network like it’s the public internet, with its compromised machines and attackers. The road to a zero trust model from current operations can be very steep, however. What should health care groups focus on first?

  • Get the basics right with a robust data backup policy, including remote or offline patient data backups.
  • Map your networks and segregate clinical tools from IT environments, as well as from internet-connected devices. This mapping, or asset inventory, should be done automatically at regular intervals.
  • Implement a vulnerability identification and management process and set up pen tests, including the physical aspects. Review exposed services and disable those that are not needed.
  • Include security in the procurement process. Establish relationships with vendors, set clear expectations and work out processes for addressing risks. Ensure that you understand which medical devices are dependent on which software and include those in your asset inventory.
  • Integrate the cyber and physical response teams and develop repeatable and scalable response processes.
  • Learn from others by joining an Information Sharing and Analysis Center, such as H-ISAC. These groups provide helpful and relevant information on vulnerabilities and mitigation strategies. They also boost defenses right away by providing threat information with indicators of compromise, tactics, techniques and procedures of threat actors.
  • At some point, an incident will probably happen. Appoint 24/7 duty officers and develop a response and communication strategy. This strategy is not only for internal use, but also to inform to patients and the general public. Set up a process to have lessons learned after each incident to improve your responses every time.

Health Care Ransomware: Another Virus to Handle

The best way to deal with health care ransomware is to be sure it never gets past your walls at all. That way, health care professionals can focus on stopping the spread of a different kind of virus.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.

Koen Van Impe
Security Analyst

Koen Van Impe is a security analyst who worked at the Belgian national CSIRT and is now an independent security researcher. He has a twitter feed (@cudes...
read more