
Ransomware Success Declines Amid COVID-19, But Resurgence is Likely

While hackers have continued to target providers amid the pandemic, the number of successful attacks is in decline. But healthcare should plan now for the inevitable resurgence.

Successful ransomware attacks on the US healthcare sector are in decline, with just 25 providers impacted during the first quarter of 2020, compared to a total of 764 incidents in 2019, an average of 191 per quarter, according to the latest Emsisoft ransomware insights.

Ransomware attacks had reached crisis levels by the end of 2019, and early indications were that this year would bring similar results. Instead, with the rise of the pandemic, the pace has slowed to levels not seen in years.

In fact, just 89 organizations have been impacted by successful ransomware incidents across all sectors in 2020, so far. For healthcare, just 25 providers have faced successful attacks between January and March, with just another two successful attacks in April.

The stark contrast may be due to the fact that in 2019, several ransomware attacks on managed service providers (MSPs) caused multiple healthcare organizations to be compromised simultaneously through a single incident. 2020 has so far seen no such MSP attacks affecting the healthcare sector.

The first quarter of 2020 still saw several successful ransomware attacks, including those on Boston Children’s Hospital, Affordacare, two plastic surgeons, and Parkview Medical Center, among others.

But this raises the question: are hackers truly avoiding the healthcare sector, as some ransomware groups have promised, or are other underlying factors driving the shift?

According to the report, the decline can be attributed to a number of factors, including the suspension of non-essential services during the COVID-19 crisis and the increase in remote work.

“While work from home has the potential to introduce security weaknesses, it may, paradoxically, have also created challenges for ransomware groups,” the report authors wrote.

Brett Callow, a threat analyst with Emsisoft, further explained to HealthITSecurity.com that ransomware attacks typically begin with a TrickBot execution, where plugins automatically assess the system on which the malware has landed to determine whether it has reached a valuable target.

TrickBot will look for an indication that it is on a corporate domain; if it is, it will phone home and the ransomware group will initiate its normal course of action. But if it lands on a device without that corporate signature, the call home will not occur.

“As a result, people working from home on personal devices may just appear to the TrickBot to be personal home users and therefore skipped,” Callow explained. “[The decline] could also be due to a combination of factors… like ransomware actors abiding by their promise to not attack providers.”

Callow also stressed that the number of ransomware attacks isn’t down overall. The number of attacks has remained flat despite the pandemic; it’s just that the number of successful attacks has declined.

For example, alerts in recent weeks have shown an increase in double extortion attempts, especially in the healthcare sector, where threat actors lie in wait on a victim’s network for days, weeks, or even months, stealing data, conducting internal reconnaissance, and moving laterally through the network before deploying the ransomware payload.

As a result, there are almost certainly health provider networks that have been compromised, Callow explained. “It’s just a case of ransomware not having been deployed.”

Further, while successful attacks are in decline, several federal agencies and security researchers have continued to stress that healthcare is a favored and frequent ransomware target.

More importantly, providers should not read the decline in successful attacks as a sign that the worst is over. Instead, they should use the lull to harden their defenses and look for indicators of compromise, as hackers could already be lurking on their networks.

Callow reiterated the need for detection tools that spot signs of lateral movement, which will “enable attacks to be neutralized before data is encrypted.”
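The dwell time described above, where an intruder reconnoitres and moves laterally for weeks before encrypting, is exactly what logon telemetry can expose. As an added example (not code from the article or from Emsisoft), the Python below applies that idea to constructed Windows Security log events: an account performing network or RDP logons (Event ID 4624, logon types 3 and 10) to several distinct hosts inside a short window is flagged as possible lateral movement. The accounts, hostnames, timestamps, JSON export format and thresholds are all assumptions made for illustration.

```python
"""Toy lateral-movement detector over Windows Security logon events.

Added example for illustration; not code from the article or from Emsisoft.
Assumes Event ID 4624 records exported as one JSON object per line with the
fields used below. All hosts, accounts, times and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample log (not real telemetry). "jdoe" fans out to five hosts
# in thirteen minutes at 02:00; "svc_backup" hits one file server nightly;
# "asmith" reaches four hosts, but spread across a normal working day.
SAMPLE_LOG = """\
{"time": "2020-04-14T02:11:05", "event_id": 4624, "account": "jdoe", "logon_type": 3, "host": "HR-FS01", "source_ip": "10.0.1.23"}
{"time": "2020-04-14T02:13:40", "event_id": 4624, "account": "jdoe", "logon_type": 3, "host": "FIN-WS07", "source_ip": "10.0.1.23"}
{"time": "2020-04-14T02:15:02", "event_id": 4624, "account": "jdoe", "logon_type": 10, "host": "SQL02", "source_ip": "10.0.1.23"}
{"time": "2020-04-14T02:19:57", "event_id": 4624, "account": "jdoe", "logon_type": 3, "host": "DC01", "source_ip": "10.0.1.23"}
{"time": "2020-04-14T02:24:11", "event_id": 4624, "account": "jdoe", "logon_type": 3, "host": "BACKUP01", "source_ip": "10.0.1.23"}
{"time": "2020-04-13T23:00:01", "event_id": 4624, "account": "svc_backup", "logon_type": 3, "host": "HR-FS01", "source_ip": "10.0.5.2"}
{"time": "2020-04-14T23:00:01", "event_id": 4624, "account": "svc_backup", "logon_type": 3, "host": "HR-FS01", "source_ip": "10.0.5.2"}
{"time": "2020-04-14T08:02:13", "event_id": 4624, "account": "asmith", "logon_type": 2, "host": "HR-WS12", "source_ip": "-"}
{"time": "2020-04-14T08:30:00", "event_id": 4624, "account": "asmith", "logon_type": 3, "host": "HR-FS01", "source_ip": "10.0.1.40"}
{"time": "2020-04-14T09:10:00", "event_id": 4624, "account": "asmith", "logon_type": 3, "host": "PRINT01", "source_ip": "10.0.1.40"}
{"time": "2020-04-14T13:45:00", "event_id": 4624, "account": "asmith", "logon_type": 3, "host": "SQL02", "source_ip": "10.0.1.40"}
{"time": "2020-04-14T16:20:00", "event_id": 4624, "account": "asmith", "logon_type": 3, "host": "BACKUP01", "source_ip": "10.0.1.40"}
"""

# Logon types that imply access from another machine: 3 = network (SMB, WMI,
# PsExec-style), 10 = RemoteInteractive (RDP). A local interactive logon (2)
# on a single box is not lateral movement by itself.
REMOTE_LOGON_TYPES = {3, 10}


def parse_events(log_text):
    """Parse JSON lines into dicts with a real datetime; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            raw = json.loads(line)
            events.append({
                "time": datetime.fromisoformat(raw["time"]),
                "event_id": int(raw["event_id"]),
                "account": raw["account"],
                "logon_type": int(raw["logon_type"]),
                "host": raw["host"],
                "source_ip": raw.get("source_ip", "-"),
            })
        except (ValueError, KeyError):
            continue  # a production pipeline would count these, not drop them silently
    return events


def find_lateral_movement(events, window_minutes=30, min_hosts=4):
    """Flag accounts that reached >= min_hosts distinct hosts via remote
    logons inside any sliding window of window_minutes.

    Returns {account: sorted list of hosts seen in the flagged windows}.
    """
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES:
            by_account[e["account"]].append((e["time"], e["host"]))

    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        flagged = set()
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until the span fits in `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {host for _, host in logons[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            alerts[account] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for account, hosts in find_lateral_movement(parse_events(SAMPLE_LOG)).items():
        print(f"possible lateral movement: {account} -> {', '.join(hosts)}")
```

Run as a script it reports only `jdoe`. The window matters: `asmith` touches four hosts too, but over eight working hours, and only a much wider window (for example 12 hours) would flag that account, which is why thresholds need tuning against a baseline of normal administrator and service-account behaviour before the rule goes into production.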

“Organizations should assume that their perimeters will be breached and have a setup that enables them to detect compromise,” Callow said. “The advice is really the same as it’s always been: basic best practices need to be followed.”

The enterprise needs strong password policies. External access should be disabled where it is not needed, software needs to be kept up to date and patched, and remote desktop protocol (RDP) servers need to be locked down and protected with multi-factor authentication.

In fact, “MFA should be used everywhere without exception,” Callow said. “Most ransomware incidents happened because of fairly basic security failings. They’re easily preventable. For example, a law firm recently had its data exfiltrated, and among that data were the firm’s passwords for RDP.”

“One password was ‘bmw123’: it’s shocking,” he added. “Organizations that hold very sensitive data, including law firms and health providers, need better password practices for data in their possession.”
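A password like ‘bmw123’ fails every sensible check at once, and the rules that catch it are simple to encode. As an added example (not code from the article or from Emsisoft), the Python below implements a small password-policy check of the kind that can gate password changes or audit dumped RDP credentials: a length floor, a breached-password blocklist, a pattern match for a dictionary word followed by a short digit or symbol suffix, keyboard sequences, and organisation-specific terms. The length floor, the blocklist entries and the organisation terms are assumptions chosen for this example; a real deployment would check against a full breach corpus rather than the handful of entries here.

```python
"""Password-policy check illustrating why credentials like "bmw123" fail.

Added example, not from the article or from Emsisoft. The length floor, the
blocklist and the organisation-specific terms are policy choices assumed for
this example; a real deployment would check candidates against a full breach
corpus rather than the handful of entries below.
"""
import re

MIN_LENGTH = 14  # assumed policy floor; the goal is long passphrases, not symbols

# Constructed stand-in for a breached-password list (assumption).
BLOCKLIST = {"password", "password1", "bmw123", "welcome1", "letmein",
             "qwerty123", "hospital1", "summer2020"}

# Assumed organisation-specific terms that attackers guess first.
ORG_TERMS = ("hospital", "clinic", "medcenter", "health")

KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef")

# A dictionary word with a short trailing run of digits/symbols: "bmw123",
# "Summer2020!" and "Welcome1" all match. Rule-based cracking (word + suffix
# mangling) recovers these in seconds, whatever the character-class rules say.
WORD_PLUS_SUFFIX = re.compile(r"^[A-Za-z]{2,}[0-9!@#$%]{1,6}$")


def check_password(candidate):
    """Return a list of policy failures; an empty list means acceptable."""
    failures = []
    low = candidate.lower()
    # Normalised form so "Summer-2020!" still hits the "summer2020" entry.
    stripped = re.sub(r"[^a-z0-9]", "", low)

    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if low in BLOCKLIST or stripped in BLOCKLIST:
        failures.append("appears in breached-password blocklist")
    if WORD_PLUS_SUFFIX.match(candidate):
        failures.append("dictionary word followed by a short digit/symbol suffix")
    if any(run in low for run in KEYBOARD_RUNS):
        failures.append("contains a keyboard or counting sequence")
    if any(term in low for term in ORG_TERMS):
        failures.append("contains an organisation-specific term")
    return failures


def is_acceptable(candidate):
    """True when the candidate passes every rule above."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed candidates: the one from the article, two common patterns,
    # a long password that still leaks the org name, and a plain passphrase.
    for pw in ("bmw123", "Summer2020!", "Qwerty123!", "hospital-admin-2020-long-enough",
               "vaccine-fridge-pager-orange-77"):
        verdict = "ok" if is_acceptable(pw) else "; ".join(check_password(pw))
        print(f"{pw!r}: {verdict}")
```

The last two candidates show the point a length rule alone misses: a 31-character password built around the organisation’s name is still a first guess for an attacker, while an unrelated five-word passphrase passes every check.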

In response to the rise in human-operated attacks, Microsoft has also published best practices for healthcare providers working to shore up their defenses. With the average ransom demand having risen to about $111,000, cybersecurity improvements and defenses will prove critical in the coming months.

“The decline in successful attacks, and especially attacks on healthcare providers, is obviously a positive, but the relief is likely only temporary,” Emsisoft researchers wrote. “Once organizations resume normal operations, we expect the numbers to return to their previous levels.”
