
Threat Actors Targeting Hospitals with Double Extortion Ransomware

Check Point finds hospitals and other providers are being targeted with double extortion, where hackers first extract large troves of data before deploying the ransomware to pressure victims.

An increasing number of hacking groups have begun following a disturbing trend first made public by the notorious Maze threat actors: targeting hospitals and other healthcare entities with double extortion attempts, according to new research from Check Point.

Maze hackers emerged in November 2019 targeting a wide range of sectors with a new type of extortion. After Allied Universal refused to pay a $2.3 million ransom demand, the Maze group threatened to use the data, email, and domain name certificates extracted from the security staffing company’s systems for a spam campaign impersonating Allied.

To further pressure the company, Maze published a sample of the stolen data online, which included medical data and other sensitive information. They later posted what they claimed was another 10 percent of the stolen data on a Russian hacking forum, demanding a ransom 50 percent higher than the initial demand.

Since that time, Maze hackers have continued targeting organizations across all sectors, including companies in the healthcare sector, and other cybercriminals have joined the double extortion trend. Sodinokibi, also known as REvil, is another large hacking group that routinely publishes data stolen from its targets. Its last known victim was the National Eating Disorders Association.

The first quarter of 2020 has seen a lot of this new tactic, according to the new Check Point research. The combination attack is now moving beyond corporate networks to mobile devices; some of these campaigns take advantage of the Coronavirus by marketing a fake tracking tool for Android devices.

Instead, the app encrypts user content, and the threat actors threaten to publicly leak the victims’ social media materials.

“Double extortion is a clear and growing ransomware attack trend,” Check Point Manager of Threat Intelligence, Lotem Finkelsteen, said in a statement. “In this tactic, threat actors corner their victims even further by dripping sensitive information into the darkest places in the web to substantiate their ransom demands.”

“We’re especially worried about hospitals having to face this threat. With their focus on coronavirus patients, addressing a double extortion ransomware attack would be very difficult,” he added. “We issue caution to hospitals and large organizations, urging them to back up their data and educate their staff.”

The research shows hospitals are currently prime targets for ransomware given the Coronavirus pandemic. A recent report showed small- to medium-sized providers are being targeted because of the increased likelihood that they will pay.

Protecting the Healthcare Environment

In light of these concerns, Check Point released five key recommendations to help providers prevent falling victim. As repeatedly noted throughout the last few years, offline, air-gapped backups are crucial. Backups should be automated if possible to avoid relying on employees to remember to routinely execute the process on their own.

Employee education is also crucial, given that the most common infection method remains spam and phishing emails. Research has shown phishing education can drastically reduce healthcare organizations’ cybersecurity risk. It’s also important to encourage employees to report any suspicious activity to the security team.

Access management, which ensures users only have access to the data and resources necessary to perform their job function, is critical to minimizing the potential impact of ransomware.

“Taking this step significantly reduces the possibility of a ransomware attack moving laterally throughout your network,” researchers wrote. “Addressing a ransomware attack on one user system may be a hassle, but the implications of a network-wide attack are dramatically greater.”

The last two recommendations are more complex, but will harden the outer security layer within the healthcare environment. Signature-based protections, such as anti-virus, must be kept up to date.

On its own, this method is not sufficient to detect and prevent sophisticated attacks designed to evade traditional security tools, but it’s a crucial part of a comprehensive security posture.

“Up-to-date antivirus protections can safeguard your organization against known malware that has been seen before and has an existing and recognized signature,” researchers wrote. “In addition to traditional, signature-based protections like antivirus and IPS, organizations need to incorporate additional layers to prevent against new, unknown malware that has no known signature.”

“Two key components to consider are threat extraction (file sanitization) and threat emulation (advanced sandboxing),” they added. “Each element provides distinct protection, that when used together, offer a comprehensive solution for protection against unknown malware at the network level and directly on endpoint devices.”
