The threat of ransomware attacks and how to stop them

A recent study by software security firm VMware Carbon Black looked at cyberattacks among their healthcare customers and found an unprecedented figure – almost 240 million attempted attacks in 2020. This demonstrated the dramatic rise in the risk cyber criminals pose to healthcare. 

In October 2020 the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned of the increased threat to healthcare providers and hospitals. They cited a particular group, named UNC1878, who were behind financially motivated attacks where they used ransomware to encrypt their target and extort the owner.  

Ransomware attacks can be extremely damaging. Last year Rangely District Hospital in Colorado suffered an attack whereby the proprietary software used to access medical records was infected. The hospital didn’t pay the ransom, and five years of patient records became inaccessible. 

Perpetuators of these types of attacks often act fast, with organisations sometimes experiencing the full lifecycle of an attack in just two days.

In their report, VMware Carbon Black were able to identify the top five ransomware families currently plaguing the healthcare industry:

• Cerber: 58% A type of malware that encrypts files and holds them hostage, demanding a ransom payment in exchange for returning them. 
• Sodinokibi: 16% Ransomware that is highly evasive and takes many measures to prevent its detection by antivirus and other means. 
• VBCrypt: 14% VBCrypt is a malicious program that may perform a number of actions of an attacker's choice on an affected computer. This virus targets Windows programs.  
• Cryxos: 8% Cryxos Trojans display false alerts on compromised or malicious websites. The notifications claim that the user's computer is infected with a virus, is blocked, and some personal details have been stolen.
• VBKrypt: 4% VBKrypt malware may drop files, write to the registry and perform other unauthorised actions on the affected computer system.

What are they stealing?

VMware’s research found “secondary infections,” across the digital healthcare supply chain, which are used to facilitate long-term cyberattack campaigns. This is leading to a surge in extortions and helping to fuel a cybercrime market mostly taking place on the dark web. 

Information that is typically being sold includes personal info and medical records, such as names, patient IDs, home addresses, and health insurance details. In the last year data containing details of patients who have taken a COVID-19 test has also been stolen and sold. 

An example VMware found was doctors’ private information, including home phone number and personnel number, being sold for $500 on the dark net. 

During the speculation last year that Hydroxychlorquine could help treat patients with COVID-19, cybercriminals began selling this on the dark web for about $1. 

How to stop ransomware attacks

Key to preventing these attacks is ensuring staff are informed and taking precautions such as scanning emails for threats, checking firewalls are working, and being mindful of phishing attacks. Staff training on security is essential for this. Additionally the following measures are important: 

• Back up critical data so it can be restored if needed. Best practice is multiple versions of backups with different recovery points and at different locations. 
• Use cloud-based “immutable” buckets. These let customers create buckets of data that cannot be altered in any way, for a certain period of time, including encryption by ransomware. 
• Deploy next-generation Antivirus (AV) software that offers protection for each of the typical stages of a ransomware attack, and can prevent advanced attacks. 
• Use an endpoint protection solution. As VMware Carbon Black’s report states: “Healthcare organisations need the ability to easily provision access to new users while maintaining data privacy, compliance, and security practices.” 

Lastly Darren Guccione, CEO of password manager app Keeper, recommends that organisations don’t pay ransoms, even if their systems have been compromised. "Cybercriminals frequently don't release access after a ransom is paid” he said. “Don't trust them. Instead, take the necessary precautions and internal control measures regarding file backup, recovery, and incident response."