lolloj - Fotolia

Microsoft warns hospitals of impending ransomware attacks

Microsoft warned "dozens" of hospitals with vulnerable gateway and VPN software that an infamous ransomware group known as REvil is scanning the internet for such flaws.

Microsoft this week sent targeted warnings to dozens of hospitals that it believes are vulnerable to impending ransomware attacks.

On April 1, Microsoft's Threat Protection Intelligence Team published the blog titled, 'Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here's what to do,' which states that Microsoft threat intelligence sources "identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."

Microsoft said it sent "a first-of-its-kind targeted notification" to the hospitals about their vulnerable gateway and VPN deployments, warning them that ransomware threat actors are currently scanning the internet for such vulnerabilities.

While there's been an increase in social engineering attacks amid the COVID-19 pandemic, Microsoft said it's seen evidence of more sophisticated and dangerous threat activity, which could put hospitals and healthcare organizations in jeopardy at a critical time.

"We're seeing not just a rise in COVID-themed typical phishing/malware lure emails, but an uptick in the attempted compromise of legitimate services, such as healthcare and technology providers. Attackers are masquerading as these trusted entities using their services as a relay to get to users. Some of them are more sophisticated operations impersonating an individual/organization in need for several days," a Microsoft spokesperson said. "We have seen attackers with many motivations utilize these human-operated ransomware style vulnerabilities, including to target hospitals."

According to the Microsoft Threat Protection Intelligence blog titled 'Human-operated ransomware attacks: A preventable disaster,' these type of attacks "are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads."

"In these hands-on keyboard attacks, which are different from auto-spreading ransomware like WannaCry or NotPetya, adversaries employ credential theft and lateral movement methods traditionally associated with targeted attacks like those from nation-state actors. They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance and adapt to what they discover in a compromised network," the blog post said.

One adversary known to exploit gateway and VPN vulnerabilities is the ransomware group, REvil, also known as Sodinokibi. Microsoft has been tracking the group as part of a broader monitoring of human-operated ransomware attacks.

"As organizations have shifted to remote work in light of the pandemic, we're seeing from signals in Microsoft Threat Protection Services (Microsoft Defender ATPOffice 365 ATP and Azure ATP) that the attackers behind the REvil ransomware are actively scanning the internet for vulnerable systems," Microsoft Threat Protection Team wrote in the blog. "Our intel on ransomware campaigns shows an overlap between the malware infrastructure that REvil was observed using last year and the infrastructure used on more recent VPN attacks. This indicates an ongoing trend among attackers to repurpose old tactics, techniques and procedures for new attacks that take advantage of the current crisis."

According to the blog, once REvil is successful with an exploitation, "attackers steal credentials, elevate their privileges and move laterally across compromised networks to ensure persistence before installing ransomware or other malware payloads."

Emsisoft threat analyst Brett Callow provided SearchSecurity with information that showed a healthcare organization was recently attacked by REvil; several ransomware groups recently pledged not to attack healthcare and medical facilities during the pandemic, though REvil was not one of those groups.

REvil employs human-operated attack methods to target organizations that are most vulnerable to disruption, ones that haven't had the time or resources to install the latest patches or update firewalls, according to the Microsoft.

Threat actors can remain undetected in networks, sometimes for months on end.

"We recommend to hospitals that they prioritize patching any open VPN and gateway vulnerabilities, as attackers are actively taking advantage of them as people work and access information remotely," a Microsoft spokesperson said.

Since the release of the blog on April 1, Microsoft said it has received replies from healthcare organizations asking for additional information and resources.

Next Steps

Acer hit in apparent attack from REvil ransomware group

Dig Deeper on Threats and vulnerabilities