Throughout the pandemic, cybercriminals exploited new opportunities and attacked hospitals, medical clinics, and other companies and organizations on the front line of the fight against COVID-19.
Ransomware attacks on the healthcare sector rose in 2020, particularly in the fall, when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare industry, and the elevated rate of attacks has continued into 2021.
The latest CTIL League report gives additional details on these attacks and on some of the tactics used to target the healthcare industry in 2020. The report covers the work of the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity that could affect the healthcare sector or public health in general.
This is the first report to feature the findings and successes of the CTIL Dark team, and it examines the reality of healthcare ransomware attacks, including the dark markets where access to healthcare networks is bought and sold.
In 2020, the CTIL Dark team's investigation identified the following primary ransomware gangs targeting the healthcare industry: Maze, Conti, REvil, Netwalker, and Ryuk. These five groups conducted over 100 ransomware attacks on the healthcare sector, two-thirds of them in Europe and North America, and their attacks accounted for 75% of all attacks in 2020.
The surge in ransomware attacks in 2020 was attributed to how easily the healthcare sector could be attacked and to the sector's elevated profile throughout the pandemic; no healthcare company was immune. Although large healthcare companies were favored targets because they can pay high ransom demands, in the fall, ransomware attacks on small- and medium-sized hospitals and clinics increased.
Ransomware attacks often dominate the news because of the severe impact they have on healthcare organizations and their patients. Hospitals are forced to fall back on pen and paper, consultations are routinely cancelled, and patient information is frequently leaked online and sold to other cybercriminals. What is less well understood is the supply chain that makes these attacks possible.
Throughout the pandemic, demand for backdoor access to healthcare systems increased substantially, and so did the number of criminals offering such access. The supply chains that deliver credentials for healthcare networks to ransomware groups and other threat actors have significantly lowered the barrier to conducting cyberattacks on the sector.
2020 saw a spike in the number of Initial Access Brokers: hackers who target and breach vulnerable networks and then sell that access to the highest-bidding ransomware gang and/or its affiliates. The CTIL Dark team reports that the number of Initial Access Brokers doubled between Q2 and Q4 of 2020. Experienced hackers capable of breaching healthcare sites frequently join ransomware-as-a-service (RaaS) operations as affiliates. In 2020, several RaaS operations launched recruitment drives aimed at people who already had access to healthcare systems and could carry out attacks at scale.
The CTIL Dark team observes that ransomware attacks are becoming more extensive, focused, and coordinated, with threat groups routinely partnering and sharing resources and data. In 2020, the ransomware activity examined by the team most often began with attacks on perimeter vulnerabilities, such as unpatched systems and weak passwords on remote connectivity solutions, rather than with phishing.
The CTIL Dark team also found a growing number of databases containing PHI being offered on darknet forums for use in targeted attacks on patients, as well as employee databases for targeting healthcare workers in order to gain access to healthcare networks.
Phishing attacks surged in 2020, with opportunistic threat actors abandoning their usual campaigns in favor of COVID-19 themed campaigns that closely tracked equipment shortages and knowledge gaps. Scams exploited the shortage of COVID-19 tests and PPE and were accompanied by phony offers of blood containing COVID-19 antibodies. When hydroxychloroquine was promoted as a game-changer for COVID-19 treatment, darknet vendors stopped offering cocaine and offered doses of the drug instead. Now that the vaccine rollout has begun, scammers have moved on to offering bogus vaccines.
CTIL forecasts that attacks on the healthcare sector are likely to increase rather than diminish in 2021, so it is important for healthcare organizations to remain on high alert, make use of intelligence from cybersecurity providers, law enforcement, health ISACs, and organizations like the CTIL League, and enforce policies, guidelines, and protections to counter these threats.