The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Gangs Adopt New Tactics to Attack Victims and Increase Likelihood of Payment

Ransomware remains one of the most serious threats to the healthcare industry. Attacks can be incredibly costly to resolve, can cause considerable disruption to business operations, and can put patient safety at risk. Ransomware gangs are constantly changing their tactics, techniques, and procedures to gain initial access to networks, evade security solutions, and make recovery without paying the ransom more difficult. With more victims refusing to pay the ransom demand, ransomware gangs have started to adopt increasingly aggressive tactics to pressure victims into paying up.

Telemedicine Providers Targeted

A variety of methods are used to gain access to healthcare networks, including the abuse of remote access technologies such as VPNs and Remote Desktop Protocol (RDP) and the exploitation of unpatched vulnerabilities, with phishing remaining a leading attack vector. One of the latest phishing tactics to be adopted is to target healthcare providers that offer telemedicine services, especially those offering consultations with patients over the Internet. One new tactic that has proven successful is for the threat actor to impersonate a new patient and send the healthcare provider a booby-trapped file that appears to be a copy of their medical records. The ransomware gang assumes that the doctor will open the file to check the patient’s records prior to the appointment and will inadvertently execute malicious code that gives the attacker access to the device.

One of the biggest problems for ransomware gangs is getting paid. When ransomware first started to be extensively used, files were encrypted, and payment needed to be made to recover files. Companies that followed best practices for data backups would be able to recover their files without paying the ransom. To increase the probability of payment being made, ransomware gangs started engaging in double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to leak the data if payment is not made. Even if backups exist, payment is often made to prevent the release of the stolen data. However, this tactic is no longer as successful as it once was. Coveware reports that fewer victims are paying the ransom demand, even when data is stolen.

Triple Extortion Tactics Adopted

Some ransomware gangs have started using triple extortion tactics to pile more pressure on victims to pay up. There have been several attacks on healthcare organizations where triple extortion tactics have been used. Triple extortion can take several different forms, such as contacting individual patients using the contact information in the stolen data to try to extort money from them. The REvil ransomware gang, now believed to be the operator of BlackCat ransomware, started calling the clients of victims or the media, tipping them off about the attack. Some gangs have also conducted Distributed Denial of Service (DDoS) attacks on victims that refuse to pay up, with LockBit starting to demand payment to return the stolen data in addition to paying for the decryptor and to prevent the data from being leaked.


Brian Krebs of Krebs on Security recently reported on another new tactic that was uncovered by Alex Holden, founder of the cybersecurity firm Hold Security. Holden gained access to discussions between members of two ransomware operations, Clop and Venus, both of which are known to target healthcare organizations (see the HC3 alerts about Venus and Clop ransomware).

The Clop ransomware gang has adopted a tactic for attacks on healthcare organizations that involves sending malicious files disguised as ultrasound images to physicians and nurses, and it is one of the gangs that have started targeting healthcare providers that offer online consultations. One message between gang members that Holden was able to access indicates the gang has had success with this tactic. The lure is a request for an online consultation from a patient with cirrhosis of the liver. The gang chose cirrhosis of the liver because they determined that a doctor would likely be able to diagnose the condition from an ultrasound scan and the other medical test data they claim is attached to the email.

Framing Executives for Insider Trading

Holden explained that discussions amongst members of the Venus gang suggest they are struggling to get paid, which has led them to try a new method to pressure victims into paying up. They have been attempting to frame executives of public companies by editing email inboxes to make it appear that the executives have been engaging in insider trading. In at least one attack this proved successful. Messages were inserted that discussed plans to trade large volumes of the company’s stock based on non-public information.

Holden said one of the messages sent by the Venus gang said, “We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison.”

Holden explained that implanting messages into inboxes is not easy, but it is possible for a ransomware actor with access to Outlook .pst files, which an attacker would likely have after compromising the victim’s network. Holden said the implanted emails may not stand up to forensic analysis, but the fabrication may still be enough to cause a scandal and risk reputational damage, which may be sufficient to get the victim to pay up.
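A defender's counterpart to Holden's point about forensic analysis, as an added example that is not from the article or from Hold Security: a few header-consistency checks that a message genuinely relayed by mail servers passes but one written straight into a mailbox store tends not to. The checks, the 24-hour skew threshold, and both sample messages are assumptions constructed for illustration; real triage would also correlate the mailbox contents with mail server logs.

```python
# Heuristic forensic checks for mailbox messages suspected of being implanted.
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime


def mailbox_anomalies(raw, max_skew_hours=24):
    """Return anomaly labels for one raw RFC 5322 message (empty if none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    received = msg.get_all("Received") or []
    if not received:
        findings.append("no-received-chain")  # never transited a mail server
    if "DKIM-Signature" not in msg:
        findings.append("no-dkim")  # heuristic: some legitimate mail lacks it
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    msgid_domain = str(msg.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    if sender_domain and msgid_domain and msgid_domain != sender_domain:
        findings.append("message-id-domain-mismatch")
    # Compare the Date header with the timestamp stamped by the last receiving hop.
    if received:
        try:
            sent = parsedate_to_datetime(str(msg.get("Date")))
            hop = parsedate_to_datetime(received[0].rsplit(";", 1)[1].strip())
            if abs((hop - sent).total_seconds()) > max_skew_hours * 3600:
                findings.append("date-received-skew")
        except (TypeError, ValueError, IndexError):
            findings.append("unparseable-dates")
    return findings


# Constructed sample: a message that arrived through a normal relay.
SAMPLE_RELAYED = """\
Received: from mx.partner.test (mx.partner.test [203.0.113.5])
 by mail.victim.test with ESMTPS id abc123; Tue, 15 Nov 2022 09:15:02 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=partner.test; s=sel; b=ZmFrZQ==
From: Analyst <analyst@partner.test>
Date: Tue, 15 Nov 2022 09:14:55 +0000
Message-ID: <20221115091455.1@partner.test>

Attached as discussed.
"""

# Constructed sample: a message written straight into a .pst, never relayed.
SAMPLE_IMPLANTED = """\
From: Insider <tipster@freemail.test>
Date: Mon, 03 Oct 2022 18:30:00 +0000
Message-ID: <fabricated-0001@attacker-tool.test>

Discussing trades ahead of the announcement.
"""
```

Run over every item exported from the mailbox, flagged messages are the ones to examine first against server-side delivery logs, which an attacker editing only the .pst cannot rewrite.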

Defenses Against Ransomware Attacks

The tactics, techniques, and procedures used by ransomware gangs are constantly changing, and with fewer victims paying ransoms, ransomware gangs are increasingly likely to opt for more aggressive tactics. Healthcare organizations should keep up to date on the latest threat intelligence, monitor for attacks using published indicators of compromise (IoCs), and implement the recommended mitigations. To keep recovery options open, it is vital to maintain offline backups and follow the recommended 3-2-1 backup strategy: keep three copies of data (one primary and two backups), store them on at least two different media, and keep one of those copies securely offsite. It is also important to prepare for an attack by developing and regularly testing an incident response plan, with tabletop exercises that include members of all teams that will be involved in the breach response. Organizations that have a tested incident response plan recover from ransomware attacks more quickly and incur lower costs.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
