HC3 Identifies Top 10 Ransomware Threat Actors in Q3 2021 for Healthcare
HC3 identified the top 10 global and US threat actors in Q3 2021, including Conti, REvil/Sodinokibi, and Hive.
The HHS Health Sector Cybersecurity Coordination Center (HC3) released an analyst note outlining the top 10 global and US ransomware threat actors in Q3 2021 who are targeting the healthcare sector. Conti, Avaddon, and REvil/Sodinokibi topped the list globally, and Conti, REvil/Sodinokibi, and Hive led the US list.
Researchers noted 68 healthcare ransomware incidents globally in Q3, from July 1 to September 30. Over 60 percent of those ransomware attacks were targeted at US-based healthcare organizations. After the US, France, Brazil, Thailand, Australia, and Italy faced the most healthcare ransomware attacks.
Within the US, California, Florida, Illinois, Michigan, Texas, Arizona, Indiana, Maryland, New York, and Georgia were hit hardest, though some states may have experienced more attacks due to population size.
“Ransomware remains a major threat to the health sector worldwide, with many healthcare organizations operating legacy technology with limited security resources,” the analyst note explained.
“Health or medical clinics continue to be the most frequently affected sub-industry by ransomware followed by healthcare industry services and hospitals.”
CL0P, Pysa, Astrol, DoppelPaymer, Hive, LockBit, and Ragnarok rounded out the top ten global healthcare threat actors for Q3.
“The top ten ransomware groups impacting healthcare organizations in the United States alone is somewhat comparable to the global findings, although a few ransomware groups stood out,” researchers observed.
“While the Avaddon RaaS was the second most observed group targeting the health sector globally, this group was only identified impacting one healthcare organization in the United States for Q3 2021. Furthermore, the Hive ransomware group claimed the compromise of four healthcare entities all located in the United States, including hospitals and medical centers.”
In late August, the FBI issued a flash alert warning organizations about the dangers of Hive ransomware. The group was notably responsible for a cyberattack on Memorial Health System that resulted in EHR downtime, emergency room diversions, and appointment cancellations.
Pysa, CL0P, Groove, Ryuk, and Vice Society trailed slightly behind the other ransomware groups as top threats to the US healthcare sector.
Consistent with HC3’s findings from previous quarters, health or medical clinics and healthcare industry service organizations were the most frequently attacked types of sub-industries within the healthcare sector.
At least 20 health or medical clinics experienced ransomware attacks in Q3, and most were carried out by the Conti ransomware group. Fewer than five hospitals were impacted in Q3.
“HC3 assesses the Hive ransomware operators are likely to continue to target healthcare organizations specifically in the United States while the Vice Society ransomware group are likely to continue to target the health sector both in the United States and abroad,” HC3 concluded.
“Furthermore, both the Hive and Vice Society ransomware groups surfaced in June 2021, following a trend of ransomware groups rebranding in attempts to evade law enforcement and takedown efforts. HC3 assesses that this trend is likely to continue, especially as ransomware groups attempt to compromise and extort healthcare entities with ransomware.”