Hospital ransomware: Gangs are back to target healthcare

Hospital ransomware: Gangs are back to target healthcare

Healthcare is not in a good place right now.

With some countries and states deciding to go back in to lockdown due to the continued rise of reported COVID-19 infections—and several garnering record-high numbers compared to when almost every country initially went into lockdown—it seems horrible timing that hospital ransomware is back in the news.

Early on in the coronavirus crisis, a promise was made by some ransomware gangs to leave hospitals alone. But cybercriminals behaving like criminals—whether we’re in the middle of a pandemic or not—isn’t something that we should be shocked about.

In the last few months, we’ve seen rising hospital ransomware attacks.

In late September, a chain of hospitals under the Universal Health Services (UHS), one of the largest healthcare providers in the United States, were hit with what appeared to be Ryuk ransomware. According to their official statement, they successfully provided patient care despite not being able to access their IT applications, largely because of back-up processes and offline documentation methods they already had in place. Thankfully, no patient and/or employee data were compromised during the attack.

UHS hospitals and patients were, in a way, lucky. But this isn’t always the case.

Several weeks ago, we reported on Uniklinikum, a German hospital, being hit with a still-unknown strain of ransomware. And because the hospital stopped admitting new patients due to its systems behaving abnormally—a method that many ransomware-hit hospitals have adopted—a woman in need of serious medical attention had to be driven to another hospital 20 miles further. She died. This is considered the first case of death linked to a cyberattack.

“The stereotype of a cybercriminal is that of a bored teenager who is computer literate and socially maladjusted. This is far from the truth and every time there is a crisis we can see that cybercriminals are in reality ruthless and heartless individuals looking to inflict suffering on their victims in whatever way they can, and if a global crisis, such as COVID-19, plays to their advantage they will do so,” Brian Honan, head of BH Consulting, told ISMG in March of this year. “We should not relax any of our defenses but be more aware of criminals looking to leverage the crisis to spread misinformation, set up scams, launch phishing attacks and launch cyberattacks. Contrary to popular belief, there are no common, decent criminals in the online world.”

Last week, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Department of Health and Human Services (HSS) released a joint alert on ransomware activity targeting hospitals and other healthcare providers. The malware families they named that actively target such organizations are TrickBot, BazarLoader (aka BazarBackdoor), Ryuk, and Conti.

This alert also highlights the importance of having and maintaining an offline, encrypted backup of data; creating, maintaining, and exercising a threat incident response plan—even a basic one—so staff would know how to respond in the event of a ransomware attack; and knowing and following the Ransomware Response Checklist, which is included in this CISA guide page.

Healthcare organizations might think that it’s only sensible to pay the ransom as lives could be severely impacted by a ransomware attack. However, in many cases, this scenario can be avoided by being prepared, expecting to be hit, and knowing what to do when—not if—it comes.