39 Ransomware Groups Targeted Healthcare in the Past 18 Months

December 17, 2021 - At least 39 ransomware groups have attacked the healthcare sector across 27 countries in the past 18 months, data from the CyberPeace Institute’s Cyber Incident Tracer revealed. Despite explicitly saying that they would not target healthcare, 12 groups singled out the sector.

Some healthcare organizations may simply be collateral damage, an accompanying blog post explained. Some ransomware operators used vague terms like “medical organizations” when describing which entities were off limits. Others saw pharmaceutical companies as fair game. Half of the 12 ransomware operators targeted hospitals specifically, despite saying that they would not target healthcare.

“According to three ransomware operators, such attacks can happen by mistake, in which case a decryption key would supposedly be provided ‘free of charge,’” the blog post explained.

“As noble as they may try to present this gesture, intent matters little for the victim(s). Once the ransomware is deployed, the damage is done.”

Other groups target healthcare by choice. The FIN12 affiliate group has a reputation for going after healthcare organizations. Threat intelligence firm Mandiant discovered that nearly 20 percent of the group’s attacks were targeted at healthcare entities, and over 70 percent were aimed at US-based entities.

Sometimes, healthcare organizations may be targeted out of indifference. Usually, this means that the healthcare organizations fell victim to “spray and pray” tactics, where ransomware operators will execute phishing campaigns or Remote Desktop Protocol (RDP) brute force attacks with the hopes of getting some organizations to fall for the attack.

“Regardless of whether the targeting of healthcare organizations is by mistake, design, or indifference, ransomware operators are acting with impunity and are de facto defining what organizations constitute legitimate targets and what is off limits,” the blog post continued.

“However, their simplistic distinctions ignore the complexities and interconnectedness of the healthcare sector, in which attacking pharmaceuticals during a pandemic can have an equally devastating human impact as attacking hospitals.”

Hive, Pysa, Conti, LockBit, Groove, and REvil/Sodinokibi were among the top ransomware operators in 2021 in terms of number of attacks. Cyberattacks can do more than expose data or take systems offline. In some cases, healthcare organizations are forced to divert patients to other hospitals or cancel appointments.

As the cyber threat ecosystem continues to evolve, ransomware groups will continue to find new and innovative ways to attack. However, the one constant has been that almost all ransomware groups are strictly financially motivated.

Threat actors will go after the organizations that they perceive to be the most vulnerable or most likely to pay a ransom. Health data is also extremely valuable on the dark web, making the sector an even more lucrative target.

Despite ransomware operators being largely financially motivated, US Department of Homeland Security Secretary Alejandro Mayorkas told USA Today in October that “killware” would be the next major cybersecurity threat to watch out for.

Mayorkas pointed to a February 2021 attack on a Florida water treatment facility in which threat actors attempted to raise the level of lye in the public water supply to dangerous levels.

Although killware sounds like an extremely malicious and dangerous threat, it is unlikely that killware will become a daily threat to healthcare organizations because it would bring a lot of unwanted attention to ransomware operators, Brian Wrozek, CISO at Optiv Security, previously told HealthITSecurity.

“They will continue to target using same techniques,” Wrozek suggested. “I don't see them really adapting their techniques or what they're trying to attack as much as trying to raise the anxiety level of the victims in order to convince them to pay and pay more.”

Phishing, ransomware, preying on legacy systems, and other tried-and-true tactics will continue to be used regularly.

“The underlying issue here is and remains the lack of accountability, which has enabled these groups to act with near impunity and from a position of power,” the CyberPeace Institute blog post argued.

“This is partially due to the fact that the analysis of such actors has often relied on the information that these groups themselves are willing to show under the guise of their brands. However, these brands are only a vehicle and ransomware merely a tool. Thus, to hold their culprits accountable requires looking beyond just their ransomware brands into the cyber (criminal) ecosystem.”