How Human-Operated Ransomware Attacks Are Targeting Healthcare Organizations


With experience in sysadmin functions, malicious actors are taking advantage of common misconfigurations in network security, probing defenses, and adapting to what is revealed. Lately it has been observed that human adversaries are sometimes spending months stealing and adding credentials and leaving indiscernible footprints that enable lateral movement in compromised networks. These are not hit-and-run operations that break in, encrypt data, and make immediate ransom demands.

Small, everyday detection alerts that seem easy to dismiss may be signs of a compromised network being probed by someone who has already broken in and is learning what the threshold for scrutiny is. These long-game invasions aren’t always concerned about stealth. By utilizing built-in local administrator accounts, common account names, or even service accounts of known vendors, these bad actors may be moving around freely without attracting attention.

It may be the devastating ransomware news story that gets attention, but what you’re not hearing is how things got to that point. While exploring network vulnerabilities, these human adversaries may utilize single machines for other purposes, as recently observed: sending a short burst of spam email or having an internal machine complete a network scan for other vulnerabilities in a matter of seconds. In other words, many of these ransomware attackers are patiently waiting for the best opportunity to exploit a found vulnerability.
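The two side activities described above (a seconds-long internal scan and a short spam burst from a single machine) can be surfaced from ordinary connection logs. The following is an added example, not part of the original article; the record layout, the internal address range, and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed values for illustration; tune to your own network and baseline.
INTERNAL = ip_network("10.0.0.0/8")
WINDOW = 10.0        # seconds of history kept per source host
SCAN_TARGETS = 20    # distinct internal (host, port) pairs within WINDOW
SMTP_BURST = 15      # outbound port-25 connections within WINDOW


def detect_bursts(records):
    """records: (ts_seconds, src, dst, dport) tuples sorted by time.
    Returns a sorted list of (src, alert_kind) pairs."""
    recent = defaultdict(deque)
    alerts = set()
    for ts, src, dst, dport in records:
        if ip_address(src) not in INTERNAL:
            continue  # only internal sources are of interest here
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        targets = {(d, p) for _, d, p in q if ip_address(d) in INTERNAL}
        smtp = sum(1 for _, d, p in q
                   if p == 25 and ip_address(d) not in INTERNAL)
        if len(targets) >= SCAN_TARGETS:
            alerts.add((src, "internal-scan-burst"))
        if smtp >= SMTP_BURST:
            alerts.add((src, "smtp-burst"))
    return sorted(alerts)


def sample_records():
    """Constructed connection records, not real traffic."""
    recs = []
    # Workstation touches 30 internal hosts on port 445 in about 3 seconds.
    recs += [(100 + i * 0.1, "10.1.1.50", f"10.1.2.{i + 1}", 445) for i in range(30)]
    # Workstation opens 20 SMTP connections to outside hosts in about 4 seconds.
    recs += [(200 + i * 0.2, "10.1.1.77", f"203.0.113.{i + 1}", 25) for i in range(20)]
    # Server with ordinary traffic: one connection per minute.
    recs += [(50 + i * 60, "10.1.1.10", f"10.1.3.{i + 1}", 443) for i in range(5)]
    return sorted(recs)


if __name__ == "__main__":
    for src, kind in detect_bursts(sample_records()):
        print(f"{src}: {kind}")
```

Because each burst lasts only seconds, the window is kept short; the same 30 destinations contacted once a minute would not raise an alert.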

Healthcare organizations (HCOs) are the second most popular target behind financial institutions because of the payoff amounts attackers can get when successful. And HCOs spend far fewer dollars on cybersecurity than the financial sector.

The #1 defense against ransomware is having an excellent data backup and recovery system. The reason ransomware works is that it denies access to or alters essential enterprise or patient data. If you have a copy of that data which is not locked or altered and a procedure to quickly restore it, you have your way out of the data prison. Sure, an adversary could also threaten to release captured data to prove a compromised system, but this is different from a ransomware attack that stops patient care or hospital operations. It doesn’t mean you should not also be taking other steps to reduce data risk, but you can’t get locked out of your house for long if you keep a spare copy of the keys somewhere safe.

The human factor is highly impactful in preventing cybersecurity failures. Kaspersky conducted a survey among healthcare workers and found that 32% had never received cybersecurity training from their workplace. Additionally, 10% of managers weren’t aware of a cybersecurity policy.

Some of the most vulnerable attack vectors right now are through VPN and remote access connections. HCOs have far less experience in managing remote access than other systems. Flaws in the newer crop of remote access products leave even more vulnerabilities and therefore opportunities ripe for exploitation. This is another reason why completing initial risk assessments and conducting re-assessments with product updates is essential. You can’t easily guard against things of which you are not even aware. Even established remote access products like Citrix have been shown to include vulnerabilities.

Our advice for combating ransomware threats starts with robust backup and recovery systems. Train all staff on cybersecurity policies and conduct awareness training to minimize threats even beyond ransomware. And keep risk assessments up-to-date for 100% of technology vendors, especially as those products change. Awareness is essential to know where and when to act. For a deep dive into the strategy of human-operated ransomware attacks, we recommend reading Microsoft’s report on prevention.
