Healthcare Information Security

Cybersecurity News

Healthcare Top Target in Gatak Ransomware Attacks

Recent research shows that healthcare is typically a main target in Gatak ransomware attacks, which lures victims through phony websites for pirated software product licensing keys.

By Elizabeth Snell

The healthcare industry is one of the most common victims of the Gatak ransomware attacks, according to research from Symantec.

Gatak ransomware attacks common in healthcare industry

The Gatak Trojan will lead victims to a website that offers key generators for pirated software, and is the majority of these attacks - 62 percent - occur on enterprise computers, Symantec found. Furthermore, 40 percent of the the top 20 most affected organizations were in healthcare.

Researchers explained that while it may be that the cyber criminals are using Gatak to steal patient data and sell it on the black market, there may be other reasons why healthcare is a top target.

“By using a watering-hole approach, the attackers play a largely passive role, with relatively little control over who is infected,” the researchers wrote. “If this is the case, the healthcare sector may simply be the most susceptible to these kinds of attacks.”

Healthcare also tends to use legacy software systems, which are expensive to upgrade. Additionally, entities could be under resourced and employees “could be more likely to take shortcuts and install pirated software.”

“While organizations in other sectors appear to be infected less frequently, the attackers don’t appear to ignore or remove these infections when they occur,” Symantec explained.

Researchers added that a notable Gatak ransomware feature is steganography, which is a way of hiding data within image files. Specifically, Gatak will try and download a PNG image file from one of several URLs hardcoded into the malware once it has been installed on a computer.

“The image looks like an ordinary photograph, but contains an encrypted message within its pixel data,” Symantec wrote. “The Gatak Trojan is capable of decrypting this message, which contains commands and files for execution.”

Lateral movement is also a common feature in Gatak ransomware attacks. For example, the research showed that there was lateral movement across the victim’s network occurs within two hours of infection in 62 percent of cases. The other 38 percent of incidents saw lateral movement start after the two hour mark.

“The variance indicates that lateral movement isn’t automated and instead carried out manually by the attackers,” researchers noted. “Whether the attackers don’t have the resources to exploit all infections immediately or whether they prioritize some infections over others is unknown.”

The potential for any kind of healthcare ransomware attack should keep covered entities and business associates vigilant and careful in the type of software downloaded onto devices and networks.

As a Solutionary report published earlier this year found, that healthcare ransomware cases are in fact drastically outweighing ransomware detections in other industries. The healthcare sector accounted for 88 percent of all ransomware detection, while education was the second most affected, accounting for 6 percent of detections.

Furthermore, the Security Engineering Research Team (SERT) Quarterly Threat Report for Q2 2016 found that the top forms of attacks for Q2 were web application, malware, and application-specific attacks. Those three types of attacks combined for approximately 62 percent of all attacks.

"Healthcare has been a target for ransomware campaigns because the industry has often paid ransom to retrieve vital customer data quickly,” Solutionary Security Engineering Research Team Director of Research Rob Kraus said. “Furthermore, healthcare organizations use an abundance of systems and devices that are crucial pivot-points for an attacker, and they can even be victims of ransomware themselves."

Dig Deeper:


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks