Ransomware Activity Targeting the Healthcare Sector Provided by ASPR

An update on ransomware activity targeting the healthcare and public health sectors has been released by the HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) saying, “At this time, we consider the threat to be credible, ongoing, and persistent.”

Last month, a joint alert was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an coming increase in ransomware activity focused on the healthcare sector. Within seven days of the alert being issued, six healthcare providers reported ransomware attacks in a just one day. More than a dozen healthcare groups have reported being hit in the past eight weeks, with over 62 attacks reported by healthcare groups so far in 2020.

Human-managed ransomware attacks have previously seen actors obtain access to networks many weeks and even months prior to the deployment of ransomware. ASPR commented that in many recent ransomware attacks, the time from the first compromise to the deployment of ransomware has been very short, just a matter of days or possibly even hours.

A long duration of time between compromise and deployment gives victim groups time to discover the compromise and implement measures to eradicate the hackers from the network in time to stop file encryption. The short duration makes this far more tricky.

A range of methods are being deployed to tackle the ransomware, including other malware strains such as TrickBot and BazarLoader, which are commonly shared using phishing emails, as well as manual deployment after networks have been compromised by exploiting flaws.

Healthcare groups should implement measures to tackle the ransomware threat by addressing the vulnerabilities that are exploited to obtain access to healthcare networks. This includes carrying out vulnerability scans to spot weaknesses before they are targeted and ensuring those flaws are mitigated. Anti-spam and anti-phishing solutions should be configured to prevent the email attack vector, and healthcare groups should implement a 3-2-1 backup approach to ensure files can be rescued in the event of an attack. The 3-2-1 approach involves 3 copies of backups, on two different media, with one duplicate stored securely off-site. The latest ransomware attack on Alamance Skin Center highlights the importance of this backup strategy. Patient data was permanently lost due to the attack when the ransom was not met.

Indicators of Compromise (IoCs), suggested tactics, and ransomware best practices are included in the October 28, 2020 CISA/FBI/HHS alert.

ASPR remarked: “Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods. The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”