Researchers Observe Increase in Emerging Ransomware Groups Targeting Healthcare

Healthcare used to be an off-limits sector for ransomware groups, but emerging ransomware gangs were not afraid to target the sector in 2023, GuidePoint Security observed.

By Jill McKeon

The healthcare sector was hit hard by data breaches in 2023, with more than 540 organizations reporting breaches to HHS last year. Ransomware remains a top threat to healthcare, as exemplified by the number of high-profile attacks carried out by prolific threat actor groups and lesser-known gangs alike.

In its annual ransomware report, the GuidePoint Research and Intelligence Team (GRIT) used publicly available data to explore these trends and how they vary across the threat landscape, uncovering some troubling changes. GRIT observed 63 distinct ransomware groups compromising thousands of victims throughout 2023. Healthcare was the third-most targeted industry in 2023 according to GRIT, behind manufacturing and technology.

Attacks by prolific ransomware groups such as LockBit, Alphv, and Clop accounted for the vast majority of victims across all analyzed industries. GRIT identified these groups as “established,” meaning that they have operated for at least nine months and maintain well-defined tactics.

“TTPs and behaviors exhibited by these groups inevitably trickle down to less mature ransomware groups seeking to increase effectiveness and revenue generation,” the report noted. “This hierarchy reflects the importance of law enforcement disruption and security research exposing the operations of these groups, with operational disruption against them likely to generate the greatest impacts on the ransomware economy.”

But despite a well-placed emphasis on established groups, emerging groups have become a unique threat to healthcare specifically, GRIT noted. What’s more, these groups do not appear to be afraid of the consequences of targeting healthcare.

“Relative to their share of the ransomware ecosystem, Developing and Emerging groups disproportionately impacted Healthcare organizations more often than Established groups,” the report explained.

GRIT defined “emerging” groups as newer ransomware groups that are in their first three months of operations. Some of these groups might later be defined as “ephemeral” groups, meaning that they are short-lived, but may splinter into other groups using similar tactics.

For example, Rhysida ransomware emerged in May 2023 as a relatively unknown group. Despite its immaturity, Rhysida immediately began using phishing and other tactics to target victims around the world and publish stolen files online. The group was also not shy in its targeting of the healthcare, education, and government sectors.

“Healthcare has historically been considered ‘off limits’ for some ransomware programs as this brings negative press coverage and extra attention from law enforcement agencies,” GRIT noted.

However, the actions of these emerging groups as well as an increase in healthcare targeting by established groups in 2023 suggest that this mindset is shifting.

“Healthcare targets rose in popularity among both Established and Developing groups in 2023. Healthcare victims often hold a large amount of PII data, rendering them a high-value target for more mature ransomware groups capable of exploiting or extorting based on large volumes of data,” GRIT added. “While the Healthcare industry was once considered off-limits and less frequent as targets by Established groups, we have witnessed this norm eroding in 2023.”

With this analysis in mind, GRIT predicted that ransomware groups would continue to aggressively target victims, with the most prolific groups leading the innovation and technique advancements for the lesser-known groups.

“As 2024 unfolds, Defenders and the security community are increasingly aware of and prepared for the threat of ransomware,” the report concluded. “Our future success will depend on our ability to adapt to and match the paces of a committed, resilient, and increasingly professionalized adversary. To this end, industry best practices in threat intelligence, information sharing, and public-private partnerships remain our most viable and effective options to force adversaries to cede ground.”