Threats

Healthcare industry under threat of trojan and ransomware attacks

Austin McBride
November 10, 2020 • 4 minute read

On October 28, 2020, a joint advisory was issued from the United States Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) about an imminent threat of cyberattack on US hospitals and healthcare providers. The agencies claimed to have “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”

In the past few weeks, Cisco Talos threat researchers have observed a series of ransomware attacks on hospital networks that use the Trickbot banking trojan as a dropper to deploy Ryuk ransomware as the payload. Once deployed, Ryuk encrypts data on infected systems and holds it for ransom in exchange for a payment to a cryptocurrency wallet. On October 30, Cisco Talos confirmed that it has several active incident response engagements involving healthcare organizations, with 20% of incident response engagements in the last 90 days involving the healthcare sector. Talos has observed attacker activity using Trickbot and Ryuk to target U.S. hospitals and healthcare providers, as well as others being targeted with the red-teaming tool Cobalt Strike. On October 28 and 29, the concerns raised in the joint advisory were borne out by reports of six hospitals in the US being compromised with Ryuk in the span of 24 hours.

Figure: Overall ransomware traffic increased 7.8x in the healthcare sector over the past week (source: Cisco Umbrella Global Network)

A typical ransomware infection of this type uses phishing emails or other methods to reach its victims. The emails usually contain a malicious link that drops a malware downloader, often Trickbot, onto the user’s machine, which allows the attacker to establish a foothold on the network and deploy Ryuk ransomware. Though Trickbot and Ryuk are not newcomers to the threat landscape, the increased attacker focus on the healthcare sector during an already stressful global health crisis is alarming. There was a 71% increase in ransomware attacks on the healthcare sector during October 2020, and Ryuk was behind 75% of these incidents.[1] Unfortunately, ransomware attacks on hospitals are not without consequences in the real world – a recent ransomware attack on a hospital in Germany led to the death of a patient who had to be moved to a different hospital as a result of the attack.[2] As healthcare becomes more reliant on technology, it’s more important than ever to prevent ransomware attacks and other types of malicious software infections.

Figure: Ryuk ransomware activity increased significantly over the past week (source: Cisco Umbrella Global Network)

We’ve known for some time that the healthcare industry is particularly vulnerable to cyberattacks. With internet-connected medical devices and sensitive patient information stored in electronic health record (EHR) systems, healthcare organizations like hospitals, clinics, medical device manufacturers, and research institutions are hot targets for ransomware attacks. Research indicates that patient records are the most valuable and expensive type of personal information traded on the dark web, which makes them a prime target for attackers. Since 2016, ransomware incidents have cost the U.S. healthcare industry more than $157 million, and that number only continues to grow.[3]

Once a ransomware attack infiltrates the network, it becomes a race against time. The most effective ransomware prevention strategy will detect and stop threats before they breach the network perimeter. And with 90% of malware using DNS to gain command and control, exfiltrate data, or redirect web traffic, DNS-layer security is the most effective first line of defense against ransomware.[4]

Cisco Umbrella is a cloud-delivered security service that blocks requests to malicious destinations before a connection is even established. Umbrella also provides protection for all users on your network, on any device, anywhere they choose to work. It’s easy to deploy and easy to manage and gives healthcare organizations visibility into all internet activity across all locations and devices.

With Cisco Umbrella, IT teams can identify devices that have been infected by ransomware or users that have been targeted by ransomware attacks, reducing remediation time. Umbrella can identify potentially unauthorized access or threats to PHI data, even data that is stored in cloud apps. And with Cisco Umbrella Investigate, security researchers get up-to-the-minute intelligence on emerging ransomware threats, as well as historical context about every domain on the internet, which lets you see the relationships among malware, domains, IPs, and networks and respond quickly to critical incidents.
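To make the DNS-layer idea in the two paragraphs above concrete, here is an added Python example. It is not Cisco Umbrella code and does not reflect how Umbrella is implemented: it applies a constructed domain blocklist to constructed resolver log lines, blocks a listed domain together with its subdomains, and then aggregates the blocked lookups per client so that hosts which reached command-and-control or ransomware domains surface first for remediation. Every domain, IP address, category name and log line below is constructed for the example.

```python
"""Toy DNS-layer blocking and infected-host triage over resolver logs.

Added example, not Cisco Umbrella code. All domains, client IPs and the
log format are constructed placeholders, not real indicators.
"""

# Constructed threat list: domain -> category. A listed domain also covers
# its subdomains, which is how a dropper CDN and its file hosts get caught.
BLOCKLIST = {
    "dropper-cdn.example": "malware-dropper",
    "c2-beacon.example": "command-and-control",
    "ransom-note.example": "ransomware",
}

# Severity ordering used for triage (constructed for this example).
SEVERITY = {"malware-dropper": 1, "command-and-control": 2, "ransomware": 3}

# Constructed resolver log lines: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2020-10-29T08:01:12Z 10.20.0.15 www.example.com A
2020-10-29T08:01:13Z 10.20.0.15 dropper-cdn.example A
2020-10-29T08:01:20Z 10.20.0.15 files.dropper-cdn.example A
2020-10-29T08:02:01Z 10.20.0.42 intranet.example A
2020-10-29T08:02:30Z 10.20.0.15 c2-beacon.example A
2020-10-29T08:03:00Z 10.20.0.88 c2-beacon.example A
2020-10-29T08:04:00Z 10.20.0.15 ransom-note.example A
"""


def parse_line(line):
    """Split one constructed log line into its fields; normalise the qname."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def match_blocklist(qname, blocklist=BLOCKLIST):
    """Return (listed_domain, category) if qname or a parent domain is listed.

    Walks from the full name up to, but not including, the bare TLD so that a
    list entry for "dropper-cdn.example" also blocks "files.dropper-cdn.example".
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


def evaluate_queries(log_text, blocklist=BLOCKLIST):
    """Decide allow/block for every query; the decision is made at lookup time,
    before any connection to the destination would be established."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        query = parse_line(line)
        hit = match_blocklist(query["qname"], blocklist)
        if hit:
            query["action"] = "block"
            query["matched"], query["category"] = hit
        else:
            query["action"] = "allow"
        decisions.append(query)
    return decisions


def triage_hosts(decisions):
    """Aggregate blocked lookups per client: count, categories, first/last seen."""
    hosts = {}
    for d in decisions:
        if d["action"] != "block":
            continue
        h = hosts.setdefault(d["client"], {"blocked": 0, "categories": set(),
                                           "first_seen": d["ts"], "last_seen": d["ts"]})
        h["blocked"] += 1
        h["categories"].add(d["category"])
        h["first_seen"] = min(h["first_seen"], d["ts"])
        h["last_seen"] = max(h["last_seen"], d["ts"])
    return hosts


def prioritize(hosts):
    """Order clients by the most severe category they reached, then by volume.

    Returns a list of (client, worst_category, blocked_count), worst first.
    """
    ranked = []
    for client, h in hosts.items():
        worst = max(h["categories"], key=lambda c: SEVERITY.get(c, 0))
        ranked.append((client, worst, h["blocked"]))
    ranked.sort(key=lambda r: (SEVERITY.get(r[1], 0), r[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    decisions = evaluate_queries(SAMPLE_LOG)
    for d in decisions:
        print(d["ts"], d["client"], d["qname"], d["action"], d.get("category", ""))
    for client, worst, count in prioritize(triage_hosts(decisions)):
        print(f"{client}: {count} blocked lookups, worst category {worst}")
```

Run as a script it prints each allow/block decision followed by the triage list; the host that progressed from dropper to C2 to ransomware domains comes out on top. In a real deployment the blocklist is threat-intelligence driven and the log is the resolver's own, but the two stages shown here, block at lookup time and then pivot on the blocked-query history to find affected devices, are the ones the text describes.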

DNS-layer security provides the first line of defense against ransomware, but healthcare organizations can be compromised in other ways besides internet-based vectors. Security teams need to be on the lookout for lateral movement of ransomware within the network and be prepared to eliminate its propagation and reduce the amount of time an attacker spends within your network. As a best practice, all healthcare organizations should deploy additional security measures against ransomware attacks, like endpoint protection, cloud-delivered firewall (CDFW), secure web gateway (SWG), and cloud access security broker (CASB). Cisco Umbrella provides many of these functions as part of the Secure Internet Gateway (SIG) Essentials package, and Umbrella integrates with Cisco Secure Endpoint (AMP for Endpoints) for endpoint security. To simplify management and speed up incident response, organizations should consider using a security orchestration, automation, and response (SOAR) platform where ransomware incident response playbooks can be customized and automated. All Cisco Umbrella packages include Cisco SecureX, a cloud-native, built-in platform experience that connects the Cisco Secure portfolio to your infrastructure. SecureX is integrated and open for simplicity, unified in one location for visibility, and maximizes operational efficiency with automated workflows.

To learn more about best practices to prevent and address ransomware attacks, download a free copy of our ebook, Ransomware Defense for Dummies. Or learn how Cisco Umbrella can protect your healthcare organization in our ebook Improving the Health of Healthcare Cybersecurity.

[1] https://blog.checkpoint.com/2020/10/29/hospitals-targeted-in-rising-wave-of-ryuk-ransomware-attacks/
[2] https://www.darkreading.com/threat-intelligence/deadly-ransomware-story-continues-to-unfold/d/d-id/1338957
[3] https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/
[4] https://blog.talosintelligence.com/2017/03/dnsmessenger.html
