Getty Images/iStockphoto

41 Providers Reported Ransomware Attacks in First Half of 2020

While the rate of successful ransomware attacks remained flat during Q1 and Q2 of 2020, Emsisoft predicts a likely uptick due to the season and as the workforce returns to the office.

At least 41 hospitals and healthcare providers organizations reported being impacted by successful ransomware attacks during the first half of 2020, according to recent Emsisoft research. However, the rate of attacks is expected to increase due to the season and as employees return to the office. 

The end of 2019 saw some of the highest frequency of both ransomware attacks and successful incidents, with attacks on healthcare doubling from the numbers seen in 2018. 

Multiple providers reported being infected with ransomware on a frequent basis, especially during the last quarter of 2019. In fact, Q4 2019 saw a staggering 350 percent increase in ransomware attacks on healthcare providers. 

In May, Emsisoft threat analyst Brett Callow told HealthITSecurity.com that these numbers have remained consistent throughout 2020. The only decline has been seen in reported number of successful attacks, meaning providers should not take the decline in reports as a lack of ongoing attempts. 

Indeed, researchers predicted that COVID-19 would “set the scene for an explosion of ransomware incidents,” due to hurried deployments of remote sites and platforms. Callow earlier noted that as hackers typically scan for potential corporate domains before initiating a hack. And as many employees were working from home, multiple automated threats may have skipped those devices. 

An earlier Emsisoft report detailed the predicted spike in ransomware attacks and reasons for the decline in numbers, as remote workers returned to the office with their “potentially compromised devices.” 

“If the malware determines the system to be an appropriate target, it establishes a connection (sometimes referred to as a call home) with the attacker’s command and control (C&C) server, which is used to download ransomware and maintain communication between threat actors and the compromised system,” researchers explained. 

“On the other hand, if the system is deemed to be an unsuitable target, the call home is not triggered and the ransomware is not deployed,” they added. 

Particularly in healthcare, the rise in double extortion attempts may also be contributing to the decline in reports. Hackers will typically lie in wait, move laterally, and employ obfuscation techniques to avoid detection. As a result, some providers may currently be compromised but the ransomware has not yet been deployed. 

Current Emsisoft data highlights those trends, with 26 providers reporting successful ransomware attacks in January and February before the declaration of the COVID-19 national emergency. Meanwhile, the total number of ransomware reports was just 15 for the rest of Q1 and Q2 2020. 

Across all sectors, at least 128 federal and state entities, healthcare providers, and educational sites were impacted by ransomware during the first half of 2020. And much like in healthcare, the last four months saw the lowest rate of successful attacks. 

“Given that healthcare resources were already stressed due to the COVID-19 pandemic, these incidents were especially concerning,” researchers wrote. “Between January and April 2020, the number of successful attacks on public sector entities decreased month-over-month as the COVID-19 crisis worsened.” 

“We are, however, seeing a reversal in that trend with the number of incidents now starting to increase,” they added. “This may be due to the lifting of restrictions and employees returning to the workplace or simply a normal season spike.” 

In light of the predicted spike in ransomware attacks, Emsisoft provided recommendations for how organizations can prepare. Notably, administrators should perform a device security check-up on all employee devices to ensure there have been no policy violations like missing scheduled scans, unapproved software installations, and unusual login patterns. 

Network segmentation should also be employed for all endpoints that were used remotely during the crisis. By creating a subnetwork for those specific devices, organizations can prevent those devices that may have malware installed from proliferating across the network. 

Further, administrators should consider reimaging the devices of employees who worked remotely for a significant amount of time to reduce the risk of a malware. All employees should also be provided updated cybersecurity awareness training to avoid violations of security policies, reduce malware infections, and achieve compliance.

Next Steps

Dig Deeper on Cybersecurity strategies