Downloaders, Ransomware, Among Top Healthcare Cyberattack Tactics in Q4

A new report from BlackBerry sheds light on Q4 2022 healthcare cyberattack trends, showing that ransomware is still a dominant tactic.

By Jill McKeon

Ransomware remained a primary healthcare cyberattack tactic in Q4 2022, BlackBerry noted in its new Global Threat Intelligence Report. BlackBerry's Threat Research and Intelligence team leveraged data collected by its own security solutions between September 1 and November 30, 2022, along with information from public and private intelligence sources.

Throughout the 90-day period, researchers observed threat actors using a variety of tactics, from downloaders to ransomware, infostealers, and remote access Trojans (RATs). For the healthcare sector in particular, ransomware “still poses the biggest threat,” the report indicated.

“In the past, some RaaS groups like Maze indicated they would not attack hospitals, but such promises cannot be guaranteed,” BlackBerry noted.

“With the diversity of multiple RaaS groups and the proliferation of affiliate models, the group that executes an attack may not be the same group that developed the malware, which makes tracing and attribution a concern.”

The most popular Trojan used against healthcare was Qakbot, which the Cybersecurity and Infrastructure Security Agency (CISA) listed as one of the top 11 malware threats of 2021. HHS also released a threat brief regarding Qakbot in 2020. Qakbot is often delivered via email as malicious attachments, embedded images, or hyperlinks.

“Because Emotet did not operate many campaigns after its recent four-month shutdown and TrickBot seems more focused on improving its Bumblebee malware, we believe that Qakbot continues to be the most active Trojan facilitating healthcare network access for RaaS affiliates and IABs,” the BlackBerry report explained.

Threat hunters also observed active threats from Meterpreter and BloodHound during the 90-day timeframe, as well as an instance where an unknown threat actor deployed the PlugX RAT, commonly used by nation-state threat actors. This suggests that “both cybercriminals and nation-state actors are interested in attacking the healthcare industry,” the report stated.

“And, while we haven’t seen infostealers like Redline and Raccoon specifically targeting healthcare, we did encounter an instance of GuLoader, a downloader commonly used by cybercriminals to deploy infostealers,” the report continued.

Some of the most active threat actors across all industries included APT32, TA505, APT 29, Mustang Panda, and ALPHV/BlackCat, which recently claimed to have attacked NextGen Healthcare.

BlackBerry predicted that these threats will continue to impact a wide variety of sectors in 2023.

“Across the board, threat actors used an array of methods that include newly identified tools and techniques as well as modifications to existing tools that enable them to better evade detection,” the company noted.

“The growth of targeted attacks in the automotive, healthcare, and financial industries cast a harsh light on the critical need to protect these sectors’ expansive and vulnerable threat surfaces.”

Defenders should keep an eye on the latest threats, as well as societal, geopolitical, and economic trends that may impact cyberattack tactics. As threat actors continue to aggressively target organizations, BlackBerry predicted that hospitals and medical institutions will continue to be affected.

“Defending your organization against malware and cyberattacks requires in-depth knowledge of how threat actors are targeting your industry, the tools that they use, and their possible motivations,” the report stated.

“This detailed knowledge provides contextual, anticipative, and actionable cyberthreat intelligence that can reduce the impact of threats on your organization.”