Infostealing Malware Remains Top Threat to Healthcare

August 04, 2023 - The healthcare sector continued to face a high volume of cyberattacks in the past few months as infostealing malware rose in popularity, BlackBerry stated in its latest Global Threat Intelligence Report.

Produced quarterly, BlackBerry’s report examines cyber threat trends and cyber challenges faced by private and public sector entities. The latest report covers attacks logged between March and May 2023. Throughout that 90-day period, BlackBerry observed threat actors deploying approximately 11.5 attacks per minute, including 1.7 novel malware samples per minute.

The latter figure represented a 13 percent increase from the previous reporting period, “demonstrating that attackers are diversifying their tooling in an attempt to bypass defensive controls, especially those legacy solutions based on signatures and hashes,” BlackBerry stated.

Healthcare and financial services were the top two most targeted sectors during the reporting period. BlackBerry’s last report, released in April, showed similar results, with healthcare, financial services, and food and staples retailing receiving 60 percent of all malware-based attacks.

While the last report highlighted an increase in SEO poisoning in healthcare, the latest iteration focused on the proliferation of info-stealing malware, or infostealers. Infostealers live in infected computers and gather information, allowing attackers to exploit organizations and obtain credentials.

“The most prominent attacks were made using commodity malware, particularly infostealers such as RedLine. Another prevalent threat was Amadey (a bot linked to a botnet of the same name), which can perform reconnaissance on an infected host, steal data, and deliver additional payloads,” the report stated.

“Threat actors also used malware families such as Emotet, IcedID, and SmokeLoader to target the healthcare sector. A commonality in these attacks on healthcare providers is that they employ infostealing malware that can also deliver additional malicious payloads.”

BlackBerry highlighted the factors that contribute to healthcare being so frequently targeted by threat actors. Namely, the value of protected health information (PHI) as well as the high-stakes nature of the industry create a perfect storm for threat actors, who believe they can pressure healthcare providers into paying ransoms.

BlackBerry logged a variety of attacks against healthcare, from a ransomware attack on Spanish hospital Clínic de Barcelona to an attack on Mumbai-based pharmaceutical manufacturer Sun Pharmaceuticals claimed by ALPHV/BlackCat ransomware.

“These varied attacks demonstrate that the healthcare industry is an attractive target for all types of threat actors. Because healthcare organizations typically hold sensitive data and provide critical services, the number of attacks against this industry is likely to rise,” the report suggested.

As threat actors continue to change up their tactics and create unique malware, healthcare institutions must remain on high alert. BlackBerry encouraged organizations to learn about threat actor profiles and common tactics to aid in threat hunting and incident response.

“Ransomware remains an ongoing threat to both financial and healthcare institutions. Based on our telemetry from this and the previous reporting period, these two industries are likely to remain heavily targeted,” the report continued.

In future months, BlackBerry threat researchers predicted that sophisticated phishing campaigns, generative AI, and additional breach disclosures stemming from the MOVEit Transfer vulnerability would be at the forefront of cyber threat developments.