- The number of healthcare ransomware attacks exploded in the third quarter of 2017, far outpacing all other types of cyberattacks against healthcare companies, but then dropped off sharply in the fourth quarter, according to the latest data from security firm Proofpoint.
Still, ransomware far outpaced all other types of cyberattacks against healthcare last year.
“The healthcare industry is under attack. Ransomware is shutting down emergency rooms, fraudulent emails are defrauding patients, and attackers steal confidential medical data regularly,” Ryan Witt, healthcare industry practice leader at Proofpoint, wrote in a blog post.
Proofpoint found that Locky was the top ransomware variant and the most popular strain of malware overall. Locky can lock and encrypt many systems and file types.
“But it’s not the only threat healthcare defense teams have to worry about. We discovered several other malware families targeting healthcare institutions over the course of our study,” observed Witt.
Other malware targeting healthcare included The Trick, a banking trojan that “tricks” payment systems to redirecting to a counterfeit site with a correct URL and a seemingly genuine digital certificate. Also targeting healthcare was Global Impostor, also known as Fake Globe, which mimics an earlier ransomware strain called Globe.
The Pony malware spreads through spam campaigns and hides in PDF or Microsoft Office documents. The spam messages usually mention a money transfer or overdue invoice notice to trick victims into acting right away. Pony disguises its code so that it can remain hidden from many security tools.
Hancitor, also known as Chanitor or Tordal, is a malware downloader that spreads through malicious Microsoft Word macros sent in spam campaigns. Attackers trick victims into enabling macros on their system and running the malicious code.
Although not mentioned in Proofpoint’s report the WannaCry ransomware campaign targeted the global healthcare industry, hitting the UK’s National Health Service hard last year, and this year SamSam ransomware attackers are going after healthcare organizations.
Attackers often use phishing techniques to trick victims into deploying ransomware and other malware on their machines. In fact, nearly one in five emails purporting to be from a healthcare organization was fraudulent, according to Proofpoint’s 2018 Healthcare Threat Report. Around 8 percent of fraudulent emails spoofed the email domain of a healthcare organization.
Proofpoint data is taken from the more than 5 billion email messages, hundreds of millions of social media posts, and more than 150 million malware samples its platform analyzes.
The security firm found that exchanging characters was the most common way to create lookalike domains. Switching “I” and “L,” “O” and “0,” and “U” and “V,” is a popular technique because they can be hard to tell apart depending on how they are capitalized.
More than three out of every four attempts at email fraud used one of these subject lines: “payment,” “request,” “urgent,” or “FYI.”
Proofpoint found many emails that targeted executives in prestigious US pediatric care hospitals.Attackers have been employing frequently advanced techniques, such as credential phishing, whaling attacks, and crypto mining against this segment of the healthcare industry.
Why attackers would target this segment of healthcare in disproportionate numbers is unclear. Perhaps the specialized nature of their work puts the hospitals and their leaders in the public eye, the report speculated.
There was also a high instance of business associates, such as dentists, surgical groups, and orthopedic partners, being impersonated.
Proofpoint warned that ransomware attacks are likely to return in high volume and higher ransoms in the near future.
“Just because attackers switched tactics doesn’t mean they won’t leverage ransomware again in the future. We saw a similar lull in 2016 only to see the technique skyrocket less than a year later,” wrote Witt.
“While the attack techniques against healthcare organizations vary and evolve, one common thread is that they attack people, not just technology. They exploit healthcare workers’ curiosity, time constraints in acute care settings, and their desire to serve. Combatting these attacks requires a new and people-centered approach to security,” Witt concluded.
Proofpoint recommended that healthcare organizations train their employees to spot phishing attacks that target them.
The training should include phishing simulations that use real-world tactics to see who is most at risk and to help employees recognize attacks on email, cloud apps, mobile devices, the web, and social media, the report said.