The language of digital attacks shares a lot with the language of disease: ‘viruses’ ‘infect’ computers, and stopping their spread can be like trying to contain a contagious disease. The two worlds also come together when threat actors hit health care organizations with ransomware. When every minute can change the fate of a patient, preventing these attacks is especially important. Take a look at how to protect against the health care ransomware attacks used against hospitals and other facilities.

What Kind of Health Care Ransomware Do Attackers Use?

Two strains stand out in recent health care ransomware attacks: Ryuk and REvil. Although they are distinct when it comes to details, they also have some common elements. Both are available as so-called ransomware as a service, or RaaS. RaaS is a business model for cyber criminals in which one group develops and maintains the program code. Then, they sell access to the malware to other groups — affiliates — who are the ones responsible for infecting victims.

The people who use both types of ransomware attacks on health care do so to extort money. An old stereotype that bored teenagers run ransomware attacks is far from the truth. In reality, these criminals are ruthless, aggressive and primarily looking for large sums of money. According to research on tracking ransom payments to Bitcoin wallets, the Ryuk gang made more than $150 million between when it first appeared in 2018 and January of this year. The gang behind REvil also did not limit themselves to building the code. They found RaaS more lucrative and conducted attacks on their own.

So, how do these attacks work?

How Health Care Ransomware Gains Initial Access to Victims

In general, the way they gain access is one point of difference between the two most well-known health care ransomware strains. While Ryuk spreads via phishing campaigns, REvil gains access by exploiting vulnerabilities. That said, the people running these attacks will not always stick to the plan and may use whatever works.


The phishing campaigns for Ryuk come disguised as legitimate business emails, such as customer complaints or hiring decisions. Some go as far as including the recipient’s name or employer name to convince the victim the message is real. The message claims the user needs to click a link to view the details of a document, and the link usually comes with a blurred preview image. When someone clicks it, what’s called a dropper, such as TrickBot or BazarLoader, executes, and this dropper then starts the ransomware infection. Interestingly, TrickBot started as a banking information stealer, but nowadays people more often use it as a dropper.


REvil can also use phishing campaigns like Ryuk. However, that isn’t the tactic it most often relies on. Instead, its operators gain entry by exploiting openings in web application servers, breaking into remote access gateways, abusing exposed services such as the Remote Desktop Protocol, or conducting a supply chain attack by infecting a software provider.
REvil ransomware also goes by the name Sodinokibi. It has been linked to GOLD SOUTHFIELD, a financially motivated threat group.

Manipulating the Environment

Once these groups establish a foothold, they quickly map the victim’s network and attempt to obtain admin privileges. Compared to traditional infections, their campaigns are human-operated, which allows them to be more adaptive and get around protection measures. Attackers have a variety of ways to achieve their goals once inside. They can use existing operating system tools, such as WMI and PowerShell, exploit weaknesses in legacy systems or abuse a lack of segmentation in flat networks. In addition, they can take advantage of poorly secured Active Directory domains or use common security testing tools.
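The two stages described above, a document or mail client launching a dropper and operators later living off the land with WMI and PowerShell, both leave traces in process-creation telemetry. The following detector is an added example and not IBM’s or X-Force’s code: it runs three simple parent/child and command-line rules over a constructed, simplified JSON-lines log whose fields only loosely mirror Sysmon Event ID 1 or Windows event 4688. The process names, the list of “document” parents and the PowerShell switches it looks for are assumptions a defender would tune for their own environment.

```python
"""Toy detector for two ransomware-chain patterns: a document viewer or mail client
spawning a shell (dropper stage) and WMI-initiated shell execution (lateral movement).
Input is a constructed JSON-lines log; field names are an assumption, not a real export."""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Parents that should not normally launch a shell on a clinical workstation (assumption, tune per site)
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
# WmiPrvSE.exe is the WMI provider host; a shell under it is typical of remote WMI execution
WMI_HOST = "wmiprvse.exe"
# PowerShell switches commonly seen with droppers: encoded command, hidden window, no profile, policy bypass
PS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|w\s+hidden|windowstyle\s+hidden"
    r"|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b"
)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse_event(ev: dict) -> list[Finding]:
    """Apply the three rules to one process-creation record."""
    parent = _basename(ev.get("parent_image", ""))
    image = _basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    host = ev.get("host", "?")
    findings: list[Finding] = []
    if parent in DOCUMENT_PARENTS and image in SHELLS:
        findings.append(Finding(host, "office_spawns_shell", f"{parent} -> {image}"))
    if parent == WMI_HOST and image in SHELLS:
        findings.append(Finding(host, "wmi_spawns_shell", f"{parent} -> {image}"))
    if image in {"powershell.exe", "pwsh.exe"} and PS_FLAGS.search(cmd):
        findings.append(Finding(host, "suspicious_powershell_flags", cmd[:80]))
    return findings


def analyse_log(lines) -> list[Finding]:
    """Run every non-empty JSON line through analyse_event."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(analyse_event(json.loads(line)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group triggered rule names per host so an analyst sees the chain, not single alerts."""
    per_host: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        per_host[f.host].append(f.rule)
    return dict(per_host)


# Constructed sample log (raw string so the JSON keeps its escaped backslashes).
SAMPLE_LOG = r'''
{"host": "NURSE-WS-12", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "command_line": "WINWORD.EXE complaint.docm"}
{"host": "NURSE-WS-12", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"host": "EHR-APP-02", "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"}
{"host": "EHR-APP-02", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\svchost.exe", "command_line": "svchost.exe -k netsvcs"}
{"host": "ADMIN-WS-01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Get-Service -Name Spooler"}
'''


if __name__ == "__main__":
    for host, rules in summarize(analyse_log(SAMPLE_LOG.splitlines())).items():
        print(host, rules)
```

The value of grouping by host is that the dropper stage (Word launching an encoded PowerShell) and the later lateral-movement stage (a shell under the WMI provider host) are the two ends of the five-hour window mentioned below; seeing either rule fire on a clinical workstation is the moment to isolate it, before the chain reaches the domain.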

Health Care Ransomware’s Objectives and Impact

Because humans operate these attacks, intrusions happen very fast. Human-led attacks are more focused and effective compared to hands-off ones. Ryuk ransomware infections are known to move from a phishing email to domain-wide ransomware in five hours.

Health care ransomware does not only pose risks for regular IT systems, but it is also a risk for the safety of patients. When nurses no longer have access to patient information they may be unaware of patients’ allergies. They may not be able to access schedules and prescription information for giving medicine. Doctors and anesthesiologists have no information for planned surgeries. Surgery schedule software can no longer plan interventions, and connected medical instruments can malfunction. Remote medical monitoring software may go down.

These gangs don’t just want to prevent access to data. They also play a ‘blame-and-shame’ game. Apart from locking up the systems, they exfiltrate the data and extort their victims, threatening to publish the patients’ information. Needless to say, such data breaches can have severe financial and regulatory consequences. From a criminal point of view, this blackmailing approach has proven to be even more lucrative. In a ‘traditional’ ransomware scheme, criminals have fewer means to blackmail once the victim has restored their systems. However, with a data breach, criminals can come back after a first payment. Things can even take a catastrophic turn if the data gets sold on the black market and different gangs ‘compete’ for a payment.

Unique Challenges in the Health Care Sector

The most important challenge faced by the health care sector is its need for continuous work and being open at all times. Hospitals have to maintain a wide range of legacy IT systems supporting medical devices. Many of these systems run on unsupported operating systems. They rely on older, unpatched applications and use insecure protocols for remote administration, which makes them an easy target. In addition, there is a wealth of remote users and cloud-based assets. All this results in a non-homogeneous IT environment.

For many in health care, digital defense is also a relatively new domain. They lack a structure to implement cybersecurity across their entire network. Ideally, security should be shifted into the realm of compliance needs to make it part of the workplace culture and embed it in business processes.

The weakest link in the defense against health care ransomware is still the user. Regular training campaigns teach the staff how not to fall victim to phishing campaigns, but will not solve the whole problem.

Defending Against Health Care Ransomware

The ideal model for health care cybersecurity is zero trust, where there is no implicit trust granted to assets or users based solely on their physical or network location. It means you treat the internal network like it’s the public internet, with its compromised machines and attackers. The road to a zero trust model from current operations can be very steep, however. What should health care groups focus on first?

  • Get the basics right with a robust data backup policy, including remote or offline patient data backups.
  • Map your networks and segregate clinical tools from IT environments, as well as from internet-connected devices. This mapping, or asset inventory, should be done automatically at regular intervals.
  • Implement a vulnerability identification and management process and set up pen tests, including the physical aspects. Review exposed services and disable those that are not needed.
  • Include security in the procurement process. Establish relationships with vendors, set clear expectations and work out processes for addressing risks. Ensure that you understand which medical devices are dependent on which software and include those in your asset inventory.
  • Integrate the cyber and physical response teams and develop repeatable and scalable response processes.
  • Learn from others by joining an Information Sharing and Analysis Center, such as H-ISAC. These groups provide helpful and relevant information on vulnerabilities and mitigation strategies. They also boost defenses right away by providing threat information with indicators of compromise, tactics, techniques and procedures of threat actors.
  • At some point, an incident will probably happen. Appoint 24/7 duty officers and develop a response and communication strategy. This strategy is not only for internal use, but also for informing patients and the general public. Set up a process to capture lessons learned after each incident to improve your responses every time.
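Three of the items above (automated asset inventory, a review of exposed services, and keeping clinical tools out of general IT segments) can be checked mechanically once an inventory exists. The script below is an added example, not code from IBM or from any inventory product: it runs those checks over a small constructed inventory. The asset schema, the list of unsupported operating systems and the set of remote-administration ports it treats as risky are assumptions; a real hospital would feed it from its own CMDB or network-discovery tool and maintain those lists itself.

```python
"""Toy asset-inventory review: legacy OS, risky exposed services, and mixed segments.
The inventory and all thresholds below are constructed assumptions for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: the organisation keeps its own list of end-of-support operating systems.
UNSUPPORTED_OS = {"windows xp", "windows 7", "windows server 2008"}
# Assumption: remote-administration protocols that should not be reachable without a clear need.
RISKY_REMOTE_PORTS = {23: "Telnet", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


@dataclass
class Asset:
    name: str
    segment: str
    os: str
    role: str                      # "clinical" (medical device or clinical tool) or "it"
    open_ports: set[int]
    internet_exposed: bool = False
    depends_on: list[str] = field(default_factory=list)  # software the device needs, for the inventory


def check_legacy_os(assets: list[Asset]) -> list[str]:
    """Assets running an operating system on the unsupported list."""
    return [a.name for a in assets if a.os.lower() in UNSUPPORTED_OS]


def check_exposed_services(assets: list[Asset]) -> list[tuple[str, str]]:
    """Risky remote-admin services on internet-exposed assets or on clinical devices.
    Returns (asset name, service name) pairs to review and, if not needed, disable."""
    findings = []
    for a in assets:
        if not (a.internet_exposed or a.role == "clinical"):
            continue
        for port in sorted(a.open_ports):
            if port in RISKY_REMOTE_PORTS:
                findings.append((a.name, RISKY_REMOTE_PORTS[port]))
    return findings


def check_segmentation(assets: list[Asset]) -> list[str]:
    """Segments where clinical tools share a network with general IT hosts."""
    roles_per_segment: dict[str, set[str]] = defaultdict(set)
    for a in assets:
        roles_per_segment[a.segment].add(a.role)
    return sorted(seg for seg, roles in roles_per_segment.items() if {"clinical", "it"} <= roles)


def software_dependency_map(assets: list[Asset]) -> dict[str, list[str]]:
    """Invert the inventory: which medical devices depend on which software package."""
    by_software: dict[str, list[str]] = defaultdict(list)
    for a in assets:
        for sw in a.depends_on:
            by_software[sw].append(a.name)
    return {sw: sorted(names) for sw, names in by_software.items()}


def review_inventory(assets: list[Asset]) -> dict[str, object]:
    """Run all checks and return a report dictionary."""
    return {
        "legacy_os": check_legacy_os(assets),
        "exposed_services": check_exposed_services(assets),
        "mixed_segments": check_segmentation(assets),
        "software_dependencies": software_dependency_map(assets),
    }


# Constructed sample inventory (names, segments and ports are made up).
INVENTORY = [
    Asset("mri-console-1", "clinical-a", "Windows 7", "clinical", {445, 3389}, depends_on=["ImagingSuite 4.2"]),
    Asset("nurse-ws-12", "clinical-a", "Windows 10", "it", {445}),
    Asset("vpn-gw", "dmz", "Linux", "it", {443, 3389}, internet_exposed=True),
    Asset("ehr-db", "datacenter", "Windows Server 2019", "it", {1433}),
    Asset("infusion-pump-7", "clinical-b", "Embedded", "clinical", {80}, depends_on=["PumpManager 2.0"]),
    Asset("ct-workstation", "clinical-b", "Windows 10", "clinical", {443}, depends_on=["ImagingSuite 4.2"]),
]


if __name__ == "__main__":
    for section, result in review_inventory(INVENTORY).items():
        print(f"{section}: {result}")
```

Running this on the constructed inventory flags the MRI console for its unsupported OS and its RDP and SMB listeners, the VPN gateway for RDP reachable from the internet, and the clinical-a segment for mixing a medical console with an ordinary nurse workstation; the dependency map shows that patching or replacing ImagingSuite affects two devices, which is exactly the procurement-time knowledge the list above asks for.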

Health Care Ransomware: Another Virus to Handle

The best way to deal with health care ransomware is to be sure it never gets past your walls at all. That way, health care professionals can focus on stopping the spread of a different kind of virus.

If your organization requires immediate assistance with incident response, please contact IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. Learn more about X-Force’s threat intelligence and incident response services.
