On October 28, 2020, a joint advisory was issued from the United States Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) about an imminent threat of cyberattack on US hospitals and healthcare providers. The agencies claimed to have “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”
Over the past few weeks, Cisco Talos threat researchers have observed a series of ransomware attacks on hospital networks that use the Trickbot banking trojan as a dropper to deploy Ryuk ransomware as the payload. Once deployed, Ryuk encrypts data on infected systems and holds it for ransom, demanding payment to a cryptocurrency wallet. On October 30, Cisco Talos confirmed several active incident response engagements involving healthcare organizations; 20% of its incident response engagements in the last 90 days have involved the healthcare sector. Talos has observed attackers using Trickbot and Ryuk to target U.S. hospitals and healthcare providers, and others being targeted with the red-teaming tool Cobalt Strike. On October 28 and 29, the concerns raised in the joint advisory were borne out by reports of six U.S. hospitals being compromised with Ryuk within a span of 24 hours.
Overall ransomware traffic increased 7.8x in the healthcare sector over the past week (source: Cisco Umbrella Global Network)
A typical ransomware infection of this type begins with phishing emails or similar methods of reaching its victims. The emails usually contain a malicious link that drops a malware downloader, often Trickbot, onto the user’s machine; this gives the attacker a foothold on the network from which to deploy Ryuk ransomware. Though Trickbot and Ryuk are not newcomers to the threat landscape, the increased attacker focus on the healthcare sector during an already stressful global health crisis is alarming. Ransomware attacks on the healthcare sector rose 71% during October 2020, and Ryuk was behind 75% of those incidents.1 Unfortunately, ransomware attacks on hospitals have real-world consequences: a recent ransomware attack on a hospital in Germany led to the death of a patient who had to be moved to a different hospital because of the attack.2 As healthcare becomes more reliant on technology, it is more important than ever to prevent ransomware attacks and other malicious software infections.
Ryuk ransomware activity increased significantly over the past week (source: Cisco Umbrella Global Network)
We’ve known for some time that the healthcare industry is particularly vulnerable to cyberattacks. With internet-connected medical devices and sensitive patient information stored in electronic health record (EHR) systems, healthcare organizations like hospitals, clinics, medical device manufacturers, and research institutions are hot targets for ransomware attacks. Research indicates that patient records are the most valuable and expensive type of personal information traded on the dark web, which makes them a prime target for attackers. Since 2016, ransomware incidents have cost the U.S. healthcare industry more than $157 million, and that number only continues to grow.3
Once ransomware has infiltrated the network, it becomes a race against time. The most effective prevention strategy detects and stops threats before they cross the network perimeter. With 90% of malware using DNS to establish command and control, exfiltrate data, or redirect web traffic, the DNS layer is the natural first line of defense against ransomware: refusing to resolve a malicious domain stops the connection before it is made.4
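To make the DNS-layer idea concrete, here is an added example (not code from the original post, and not Cisco Umbrella’s implementation) of the two checks a resolver-side control applies to every query: matching the queried name and each of its parent domains against a blocklist, and flagging TXT queries whose leftmost label is long and high-entropy, the pattern the DNSMessenger campaign cited in footnote 4 used to carry command and control over DNS. The blocklist domains, the log lines, and the thresholds are constructed for illustration and are not real Ryuk or Trickbot indicators.

```python
"""Toy DNS-layer policy engine: per query, decide whether a resolver should
answer it, block it, or flag it for review.  Added example; thresholds,
domains and log lines are constructed, not real indicators."""
import math
from collections import Counter

# Constructed blocklist (example domains only, not real malware infrastructure).
BLOCKLIST = {"bad-loader.example", "ryuk-drop.example"}

# Constructed resolver query log: "<epoch> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
1604000001 10.20.1.15 www.hospital-intranet.example A
1604000002 10.20.1.15 cdn.bad-loader.example A
1604000003 10.20.1.22 ehr-api.example AAAA
1604000004 10.20.1.15 a9x2k1mzp4q7vb83nlr0ts6wyu5h.c2-tunnel.example TXT
1604000005 10.20.1.31 mail.example MX
1604000006 10.20.1.15 login.example A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; hostnames are usually below ~3.5, encoded data above."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_blocklisted(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname or any parent domain is on the blocklist.
    Matching is by DNS label suffix, so 'bad-loader.example.com' does NOT
    match 'bad-loader.example' (a substring match would be a false positive)."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def looks_like_tunnel(qname: str, qtype: str) -> bool:
    """Heuristic for DNS-as-C2: a TXT or NULL query whose leftmost label is
    long and high-entropy, i.e. encoded data rather than a hostname."""
    first_label = qname.rstrip(".").split(".")[0]
    return (qtype in ("TXT", "NULL")
            and len(first_label) >= 20
            and shannon_entropy(first_label) > 3.5)


def evaluate(qname: str, qtype: str) -> tuple:
    """Return (action, reason) for one query."""
    if is_blocklisted(qname):
        return ("BLOCK", "domain or parent domain on blocklist")
    if looks_like_tunnel(qname, qtype):
        return ("FLAG", "possible DNS tunnelling / C2 channel")
    return ("ALLOW", "")


def analyze(log_text: str) -> list:
    """Run the policy over every line of a query log."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        action, reason = evaluate(qname, qtype)
        results.append({"ts": int(ts), "client": client, "qname": qname,
                        "qtype": qtype, "action": action, "reason": reason})
    return results


def suspicious_clients(results: list) -> dict:
    """Map client IP -> number of blocked or flagged queries; these are the
    hosts an IR team would triage first."""
    counts = Counter(r["client"] for r in results if r["action"] != "ALLOW")
    return dict(counts)


if __name__ == "__main__":
    verdicts = analyze(SAMPLE_LOG)
    for v in verdicts:
        print(f'{v["action"]:5} {v["client"]:12} {v["qtype"]:4} {v["qname"]}  {v["reason"]}')
    print("clients to triage:", suspicious_clients(verdicts))
```

Two design points worth noting: the blocklist match walks the label hierarchy rather than doing a substring search, so a lookalike under another registrable domain is not blocked by accident, and the tunnelling heuristic is only a flag, since legitimate services (some anti-spam and software-update checks, for instance) also issue long TXT queries and need allowlisting rather than an outright block.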
Cisco Umbrella is a cloud-delivered security service that blocks requests to malicious destinations before a connection is even established. Umbrella also provides protection for all users on your network, on any device, anywhere they choose to work. It’s easy to deploy and easy to manage and gives healthcare organizations visibility into all internet activity across all locations and devices.
With Cisco Umbrella, IT teams can identify devices that have been infected by ransomware and users that have been targeted by ransomware attacks, reducing remediation time. Umbrella can also identify potentially unauthorized access to, or threats against, PHI, including PHI stored in cloud apps. And with Cisco Umbrella Investigate, security researchers get up-to-the-minute intelligence on emerging ransomware threats, along with historical context on domains across the internet, so they can see the relationships among malware, domains, IPs, and networks and respond quickly to critical incidents.
DNS-layer security provides the first line of defense against ransomware, but healthcare organizations can be compromised in ways that do not go through internet-based vectors. Security teams need to watch for lateral movement of ransomware within the network, be prepared to stop its propagation, and reduce the time an attacker spends inside the network. As a best practice, all healthcare organizations should deploy additional security measures against ransomware attacks, such as endpoint protection, a cloud-delivered firewall (CDFW), a secure web gateway (SWG), and a cloud access security broker (CASB). Cisco Umbrella provides many of these functions as part of the Secure Internet Gateway (SIG) Essentials package, and Umbrella integrates with Cisco Secure Endpoint (AMP for Endpoints) for endpoint security. To simplify management and speed up incident response, organizations should also consider a security orchestration, automation, and response (SOAR) platform in which ransomware incident response playbooks can be customized and automated. All Cisco Umbrella packages include Cisco SecureX, a cloud-native, built-in platform that connects the Cisco Secure portfolio to your infrastructure. SecureX is integrated and open for simplicity, unified in one location for visibility, and uses automated workflows to improve operational efficiency.
To learn more about best practices to prevent and address ransomware attacks, download a free copy of our ebook, Ransomware Defense for Dummies. Or learn how Cisco Umbrella can protect your healthcare organization in our ebook Improving the Health of Healthcare Cybersecurity.
1 https://blog.checkpoint.com/2020/10/29/hospitals-targeted-in-rising-wave-of-ryuk-ransomware-attacks/
2 https://www.darkreading.com/threat-intelligence/deadly-ransomware-story-continues-to-unfold/d/d-id/1338957
3 https://www.comparitech.com/blog/information-security/ransomware-attacks-hospitals-data/
4 https://blog.talosintelligence.com/2017/03/dnsmessenger.html