HC3: Ransomware Groups Leveraged Remote Access, Encryption Tools in Q1

May 09, 2022 - The Health Sector Cybersecurity Coordination Center (HC3) observed ransomware groups increasingly turning to legitimate tools such as Cobalt Strike and Mimikatz during ransomware intrusions in the first quarter of 2022.

HC3 saw threat actors favoring file transfer, remote access, and encryption tools to infiltrate target organizations. In addition, experts noted Initial Access Brokers (IABs) consistently selling healthcare entity network access on various cybercriminal forums throughout Q1 at similar rates to 2021.

“IABs enable RaaS groups to focus time and energy on developing payloads and coordinating operations with affiliates,” HC3 stated.

More than half of the forum advertisements were for general VPN and RDP access to healthcare organizations. HC3 noted that the pandemic drove healthcare organizations to increase adoption of cloud and remote access applications without implementing complementary security features, making them easier targets.

The multitude of readily available exploitable tools also led ransomware groups to turn to Living Off the Land (LOTL) attacks in Q1. LOTL attacks allow threat actors to leverage tools that are already available in the target environment rather than developing and deploying custom malware.

In addition to consistent IAB trends, HC3 observed LockBit, Conti, SunCrypt, ALPHV/BlackCat, and Hive ransomware groups continuing to target the healthcare sector. ALPHV/BlackCat is suspected to be linked to DarkSide and BlackMatter, the former of which claimed responsibility for the cyberattack against Colonial Pipeline.

The brief also noted financially motivated groups such as FIN7 and FIN12 shifting to ransomware operations. Nearly 20 percent of threat intelligence firm Mandiant’s observed FIN12 attacks were targeted at healthcare entities, and over 70 percent of attacks were aimed at US-based entities.

To mitigate the various cyber threats circling the healthcare sector, HC3 recommended that organizations implement network intrusion detection and prevention systems that use network signatures as well as multifactor authentication.

In addition, HC3 suggested that organizations configure access controls and firewalls to limit access and protect domain controllers by confirming appropriate security configuration for critical servers.

HC3 provided the following takeaways from Q1 that organizations should take note of in Q2:

• Financially-motivated and state-sponsored threat actors are highly likely to continue to evolve their Tactics, Techniques, and Procedures (TTPs) for successful attacks
• Legitimate tools are likely to continue to be abused/weaponized in ransomware campaigns in an attempt by threat actors to avoid detection
• Living off the Land (LotL) techniques leveraging legitimate tools are difficult but possible to detect
• The behavior-based approach that a modern security information and event management (SIEM) tool provides will be able to detect living-off-the-land techniques that signature-based detection cannot
• Some types of attack techniques cannot be easily mitigated with preventive controls since it is based on the abuse of system features; fortunately, there are detection opportunities for these techniques

Threat actors will likely continue to shift their tactics and targets as the healthcare sector safeguards against common attack methods.