US Ransomware Attacks Doubled in Q3; Healthcare Sector Most Targeted

October 07, 2020 - The frequency of daily ransomware attacks increased 50 percent during the third quarter of 2020 from the first half of the year, with the US healthcare sector the most targeted globally, according to new research from Check Point. Ransomware attacks on the healthcare sector globally have also doubled. 

Check Point researchers analyzed data from its threat intelligence engine ThreatCloud, which pulls data from hundreds of millions of sensors worldwide and supported from AI-based engines and research data. Researchers found the US faced the most attacks in Q3, followed by India, Sri Lanka, Russia, and Turkey. Attacks nearly doubled in the US in the last three months, after a lull in reported events in Q2. 

Mirroring findings from a recent Microsoft report, ransomware attacks have increased in intensity and frequency, while causing greater disruptions to business operations. The effects can be seen in the most recent ransomware attack on Universal Health Services, which impacted all 400 US sites. 

In fact, ransomware claims a new victim every 10 seconds. 

“The current pandemic has forced organizations to make rapid changes to their business structures, often leaving gaps in their IT systems. These gaps have given cybercriminals the opportunity to exploit security flaws and infiltrate an organizations network,” researchers explained. 

READ MORE: Ransomware Reigns, as Cyberattacks Increase in Sophistication, Frequency

“Hackers will encrypt hundreds of thousands of files, incapacitating users and often taking whole networks hostage,” they added. “In some cases, organizations simply prefer to pay the price instead of dealing with encrypted files and recovering their IT systems. This creates a vicious cycle – the more these types of attacks succeed, the more frequently they occur.” 

COVID-19 has driven a new wave of ransomware attacks on hospitals and other healthcare entities, as hackers attempt to force hospitals to pay the ransom demand to quickly restore operations. 

Notably, the US Department of Treasury recently warned organizations that facilitating ransom demands may in fact violate US sanctions. While the alert covered a handful of ransomware operators, researchers predicted the move may signal greater federal actions in the future. 

Further, as noted in a Department of Homeland Security alert, Emotet has returned. Check Point data shows the disruptive trojan malware impacts 5 percent of organizations globally. Emotet threat actors also sell information about their victims to ransomware distributers, making these organizations vulnerable to additional cyberattacks and increasing the effectiveness of the ransomware. 

Ryuk ransomware has also seen a resurgence in Q3, with Check Point observing 20 organizations attacked each week and an increase in Ryuk attacks on the healthcare sector. The notorious variant has pummeled the healthcare sector, primarily distributed networks and larger organizations. It’s believed Ryuk was behind the massive UHS cyberattack. 

READ MORE: 3 Key Entry Points for Leading Ransomware Hacking Groups

“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines,” explained Jeff Horne, CSO, Ordr, at the time. “Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents, and compromised accounts.” 

In light of these attacks, Check Point reminded organizations of the importance of educating the workforce on how to identify and avoid potential ransomware attacks – often considered the most important defense against these attacks as the threat becomes more targeted via social engineering. 

Offline and regularly updated backups are also crucial, as it can aid in ransomware recovery and in the event of corruption or disk hardware malfunction. Patch management needs to improve in healthcare, as ransomware threat actors prey on known vulnerabilities. As DHS recently noted, hackers have successfully compromised entities that failed to update known flaws. 

Entities should also consider implementing endpoint and network security tools to prevent known attack methods. Sandboxing is also an effective prevention tool designed to defend against evasive threats and zero-day malware, as well as other attack types. 

“Advanced technologies such as sandboxing have the capability to analyze new, unknown malware, execute in real time, look for signs that it is malicious code and as a result block it and prevent it from infecting endpoints and spreading to other locations in the organization,” researchers noted. 

Healthcare entities should also review ransomware insights from Microsoft, DHS, NIST, the Office for Civil Rights, and others to ensure policies, procedures, and training methods are up-to-date and effective against preventing these disruptive attacks.