Getty Images/iStockphoto
COVID-19 Impact on Ransomware, Threats, Healthcare Cybersecurity
Interpol, Coveware, and Fortified Health Security shed light on how the COVID-19 crisis spurred an increase in ransomware and cybercriminal efforts to take advantage of the remote landscape.
COVID-19 has significantly shifted the threat landscape from attacks on individuals and small businesses to critical infrastructure, governments, and major corporations, according to Interpol. Malicious cyberattacks were behind the majority of healthcare IT security incidents, while ransomware demands soared as “big game” variants dominated the threat landscape.
Previously, reports showed ransomware attacks remained consistent with the number of incidents seen during the last half of 2019. However, the actual number of successful attacks declined amid the crisis. But those numbers did not reflect the actual activity ongoing behind the scenes.
According to Interpol, cybercriminals have consistently sought to take advantage of organizations that rapidly deployed remote systems and networks to support the shift into a remote workforce. Hackers have also targeted the increase in security vulnerabilities to steal data, disrupt operations, and generate profits.
From January to April on just one of the agency’s private sector partners, Interpol detected about 907,000 spam messages, 737 malware-related incidents, and 48,000 malicious URLs tied to COVID-19.
Threat actors also increasingly deployed disruptive malware against healthcare organizations and critical infrastructure, given the likelihood of high impact and financial gain. Ransomware, in particular, spiked in April 2020, used by multiple threat groups that had previously been relatively dormant.
In fact, law enforcement investigations showed the majority of attackers “quite accurately estimated” the maximum amount of ransom they could demand from victim organizations.
These findings are supported by Coveware’s Q2 ransomware report, which was fueled by big game attacks and an increase in Ransomware-as-a-Service (RaaS) variants targeting small businesses.
In total, the average ransomware payment for the second quarter of 2020 was $178,254, a 60 percent increase from the first quarter. The rise coincided with the arrival of “big game hunting.” Previously, ransomware attacks were dominated by spray-and-pray attacks, which were more opportunistic in nature.
Further, Coveware found that data exfiltration is growing much more common across all sectors. The method was first made popular by Maze ransomware attackers in November 2019, but other groups like Netwalker and Sodinokibi have quickly followed suit.
In healthcare, the most recent data exfiltration incidents occurred at Magellan Health and the University of California San Francisco’s School of Medicine.
“Data exfiltration resulted in ransom payments from companies even where ransomware recovery from backups was possible,” Coveware researchers explained. “Six and seven-figure demands have become routine among ransomware families targeting large enterprises, but now historically modest RaaS operations are seeking higher ransom demands.”
“For instance, Q2 marked the first series of six-figure ransom payments to the Dharma group, an affiliate ransomware platform that for years has kept pricing in the mid-to-low 5 figures, and lower,” they added.
Also notable, 60 percent of Q1 ransomware attacks were tied to three common variants: Sodinokibi, Maze, and Phobos. But by Q2, just 30 percent of overall ransomware attacks were attributed to these families. Smaller and newer variants accounted for the remaining attacks, including LockBit, Mamba, and Snatch, among others.
Coveware also detected a slight increase in Remote Desktop Protocol (RDP) intrusions and email phishing, while software vulnerabilities and other vectors slightly declined. RDP and phishing attacks increased due to amateur affiliate-based ransomware services, as remote intrusion and phishing attacks that deliver malware require little skill.
“Although the data points to a downturn in the use of software vulnerabilities, exploits of this nature are less likely to leave tangible forensic evidence of their occurrence,” Coveware researchers explained. “
“Organizations are less likely to have the elevated level of logging necessary to capture the minimal footprints that are left behind,” they added. “It is possible that these kinds of attacks are still occurring at the same (or higher) rate and there simply isn’t the same quality/volume of corroborating evidence to report them as such.”
The Interpol report also showed a 22 percent increase in malicious domains; a 36 percent increase in malware and ransomware; a 59 percent increase in phishing, scams, and fraud; and a 14 percent increase in fake news.
These increases were also detected in the healthcare sector. Fortified’s mid-year report found that 60 percent of healthcare breaches from the first half of 2020 were caused by a malicious attack or IT incident, rather than insiders.
The pandemic has also contributed to the email compromise trend, which remains the most common attack vector used by threat actors to gain access to healthcare networks and steal patient information. Fortified explained these attacks are often executed by phishing campaigns, which has remained prevalent throughout the crisis.
In fact, 47 percent of reported healthcare data breaches from the first half of 2020 included email-based attacks, up from 42 percent in 2019.
Meanwhile, providers remain the most compromised segment of the healthcare sector, accounting for nearly 75 percent of reported breaches. Business associates experienced a 46 percent increase in the number of report breaches during that time frame, as well.
So far in 2020, more than 5.6 million patient records have been breached.
“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19.” said Jürgen Stock, INTERPOL Secretary General, in a statement.
“The increased online dependency for people around the world, is also creating new opportunities, with many businesses and individuals not ensuring their cyber defenses are up to date,” he added. “The report’s findings again underline the need for closer public-private sector cooperation if we are to effectively tackle the threat COVID-19 also poses to our cyber health.”
Fortified researchers predict that phishing emails will continue to dominate long after the pandemic, as well as third-party vendor risk. Organizations should also expect continued regulatory uncertainty, as it's still unclear whether the HIPAA changes made during the pandemic will remain.
Healthcare organizations will need to continue to focus on cybersecurity basics, even as they attempt to launch new initiatives. Collaboration with cybersecurity leaders and the need for pen testing will also be crucial to better detect and understand the threat landscape and potential vulnerabilities.