Ransomware Keeps Healthcare in Crosshairs, Triple Extortion Emerges

A Check Point report on ransomware attacks seen in the first half of 2021 shows a 102 percent increase from 2020’s numbers, as hackers begin employing triple extortion to increase profits.

The rate of ransomware attacks seen across the globe so far in 2021 has increased by 102 percent compared to the same period in 2020. A new Check Point report also revealed that nefarious hackers are increasingly using triple extortion attempts to increase their profits.

Since April 2021, the healthcare and utility sectors have been the most targeted by ransomware threat actors. During that time, researchers observed an average of 1,000 entities impacted by ransomware attacks each week: a 21 percent increase during the first trimester of 2021 and a 7 percent rise in April alone.

Check Point researchers warned the attacks show no signs of slowing down.

The report follows the DarkSide ransomware attack on the Colonial Pipeline, which prompted a federal agency alert and an executive order from the Biden Administration meant to tackle ransomware and supply chain cyberattacks.

DarkSide ransomware actors took credit for the attack. The actors work within a Ransomware-as-a-Service model, where partner cybercriminals use the variant and pay its developers a percentage of the profits.

“DarkSide is known to be part of a trend of ransomware attacks that involve systems rarely seen by the cyber community, like ESXi servers,” researchers explained. “This has led to suspicions that the ICS network was involved.”

“Following other large scale attacks such as the one on the city of Tulsa, and the REvil ransomware that tried to extort Apple, it’s clear that ransomware attacks are a major concern globally,” they added. “Yet, there is a real lack of action by organizations in preparing for incidents or even trying to protect themselves in the first place.”

Of particular concern, the healthcare sector is seeing the highest volumes of ransomware attempts, averaging 109 attempts per entity every week. The utility sector is the second-most targeted, with nearly 50 percent fewer attack attempts: 59 attempts per entity each week.

In North America, the healthcare sector has suffered the most attacks since the beginning of the year. In fact, Scripps Health has been operating under EHR downtime for the last two weeks, while it recovers from a ransomware attack that impacted half of its hospitals.

Triple Extortion: Hackers Upping the Ante

Building on the success of double extortion in 2020, with its 171 percent increase in ransom payments, hackers are continuing to look for ways to gain higher profits.

Enter triple extortion: hackers steal data from an entity, then threaten to leak the data if the victim doesn’t pay. The twist is that now the data’s owners are also being threatened.

Check Point researchers pointed to an October 2020 cyberattack on Vastaamo, a Finnish psychotherapy clinic. The yearlong hack resulted in a massive data theft. The hackers demanded a ransom payment not only from the clinic but from the patients as well.

In February, REvil actors announced they too were upping the ante, adding threats of DDoS attacks for failing to pay ransom demands and calling the victims to pressure them into paying the ransom.

In short, Check Point predicts that these attempts will only increase as hackers continue to seek new avenues for profits.

“We can only assume that creative thinking and a wise analysis of the complex scenario of double extortion ransomware attacks have led to the development of the third extortion technique,” researchers warned.

“Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced, and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly,” they added.

Entities should increase monitoring over holidays and the weekends, which are primed for attacks. For example, the attacks on Scripps and Universal Health Services both occurred over the weekend, when staffing numbers are typically lower.

Check Point also reminded entities to prioritize patching of critical software, as hackers actively scan for known vulnerabilities to exploit and gain a foothold on the network. Phishing emails are another entry point, so refreshing employee security awareness can also support ransomware prevention efforts.

Lastly, a reminder that ransomware does not begin with ransomware deployment. As such, administrators need to monitor for signs of TrickBot, Emotet, Dridex, and Cobalt Strike infections and remove them with threat hunting tools. There are also anti-ransomware tools available on the market, which can support threat monitoring.
