Healthcare Cybersecurity

Ransomware Gangs Adopt New Tactics to Attack Victims and Increase Likelihood of Payment

Ransomware remains one of the most serious threats to the healthcare industry. Attacks can be incredibly costly to resolve, can cause considerable disruption to business operations, and can put patient safety at risk. Ransomware gangs are constantly changing their tactics, techniques, and procedures to gain initial access to networks, evade security solutions, and make recovery without paying the ransom more difficult. With more victims refusing to pay the ransom demand, ransomware gangs have started to adopt increasingly aggressive tactics to pressure victims into paying up.

Telemedicine Providers Targeted

A variety of methods are used to gain access to healthcare networks, including remote access technologies such as VPNs and Remote Desktop Protocol (RDP) and exploiting unpatched vulnerabilities, with phishing a leading attack vector. One of the latest phishing tactics to be adopted is to target healthcare providers that offer telemedicine services, especially those offering consultations with patients over the Internet. One new tactic that has proven to be successful is for the threat actor to impersonate a new patient and send the healthcare provider a booby-trapped file that appears to be a copy of their medical records. The ransomware gang assumes that, prior to the appointment, the doctor will open the file to check the patient’s records, and opening it installs malware that gives the attackers access to the doctor’s device.

One of the biggest problems for ransomware gangs is getting paid. When ransomware first started to be extensively used, files were encrypted, and payment needed to be made to recover files. Companies that followed best practices for data backups would be able to recover their files without paying the ransom. To increase the probability of payment being made, ransomware gangs started engaging in double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to leak the data if payment is not made. Even if backups exist, payment is often made to prevent the release of the stolen data. However, this tactic is no longer as successful as it once was. Coveware reports that fewer victims are paying the ransom demand, even when data is stolen.

Triple Extortion Tactics Adopted

Some ransomware gangs have started using triple extortion tactics to pile more pressure on victims to pay up. There have been several attacks on healthcare organizations where triple extortion tactics have been used. Triple extortion can take several different forms, such as contacting individual patients using the contact information in the stolen data to try to extort money from them. The REvil ransomware gang, now believed to be the operator of BlackCat ransomware, started calling the clients of victims or the media, tipping them off about the attack. Some gangs have also conducted Distributed Denial of Service (DDoS) attacks on victims that refuse to pay up, with LockBit starting to demand payment for the return of the stolen data in addition to payment for the decryptor and to prevent the data from being leaked.

Brian Krebs of Krebs on Security recently reported on another new tactic that was uncovered by Alex Holden, founder of the cybersecurity firm Hold Security. Holden gained access to discussions between members of two ransomware operations, Clop and Venus, both of which are known to target healthcare organizations (see the HC3 alerts about Venus and Clop ransomware).

The Clop ransomware gang has adopted a tactic for attacks on healthcare organizations that involves sending malicious files disguised as ultrasound images to physicians and nurses, and it is one of the gangs that have started targeting healthcare providers that offer online consultations. One message between gang members that Holden was able to access indicates the gang has had success with this tactic. It involves a request for an online consultation from a patient with cirrhosis of the liver. They chose cirrhosis of the liver because they determined a doctor would likely be able to diagnose the condition from an ultrasound scan and the other medical test data they claim is attached to the email.

Framing Executives for Insider Trading

Holden explained that discussions amongst members of the Venus gang suggest they are struggling to get paid, which has led them to try a new method to pressure victims into paying up. They have been attempting to frame executives of public companies by editing email inboxes to make it appear that the executives have been engaging in insider trading. In at least one attack this proved successful. Messages were inserted that discussed plans to trade large volumes of the company’s stock based on non-public information.

Holden said one of the messages sent by the Venus gang said, “We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison.”

Holden explained that implanting messages into inboxes is not easy, but it is possible for a ransomware actor with access to Outlook .pst files, which an attacker would likely have after compromising the victim’s network. Holden said the implanted emails may not stand up to forensic analysis, but they may still be enough to cause a scandal and risk reputational damage, which may be enough to get the victim to pay up.
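Holden’s point that implanted messages may not survive forensic analysis rests on the fact that a message written straight into a mailbox store never passed through a mail server. The following Python check is an added example, not code from the post, Krebs or Hold Security: it parses messages and flags the header inconsistencies an investigator looks for (no Received chain, a chain that runs backwards in time, a Date later than the first server receipt, no Message-ID). The three sample messages, hosts and domains are constructed for the example.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages (not from the page or any real mailbox).
# GENUINE has a Received chain whose timestamps run forward hop by hop
# and a Date header that precedes the first server receipt.
GENUINE = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
 by mailbox.example-corp.test with ESMTPS; Tue, 15 Nov 2022 09:02:13 +0000
Received: from smtp.partner.test (smtp.partner.test [198.51.100.5])
 by mx.example-corp.test with ESMTPS; Tue, 15 Nov 2022 09:02:11 +0000
Date: Tue, 15 Nov 2022 09:02:05 +0000
From: analyst@partner.test
To: ceo@example-corp.test
Message-ID: <20221115090205.1234@smtp.partner.test>
Subject: Q3 draft numbers

Attached as discussed.
"""

# IMPLANTED was written directly into the mailbox store: no mail server
# ever handled it, so it has no Received headers and no Message-ID.
IMPLANTED = """\
Date: Mon, 10 Oct 2022 14:00:00 +0000
From: insider@partner.test
To: ceo@example-corp.test
Subject: Re: numbers before the call

Buy before the announcement goes out.
"""

# BACKDATED reuses real-looking Received headers but only the outer hop
# and the Date were edited, so the outer hop now predates the inner one.
BACKDATED = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
 by mailbox.example-corp.test with ESMTPS; Mon, 10 Oct 2022 14:00:05 +0000
Received: from smtp.partner.test (smtp.partner.test [198.51.100.5])
 by mx.example-corp.test with ESMTPS; Tue, 15 Nov 2022 09:02:11 +0000
Date: Mon, 10 Oct 2022 14:00:00 +0000
From: insider@partner.test
To: ceo@example-corp.test
Message-ID: <20221010140000.99@smtp.partner.test>
Subject: Re: numbers before the call

Buy before the announcement goes out.
"""


def _received_times(msg):
    """Timestamps of the Received: headers, topmost (last hop) first; None if unparseable."""
    times = []
    for hdr in msg.get_all("Received", []):
        stamp = hdr.rsplit(";", 1)[-1].strip()  # RFC 5322: the date-time follows the last ';'
        try:
            times.append(parsedate_to_datetime(stamp))
        except (TypeError, ValueError):
            times.append(None)
    return times


def analyze(raw, max_hop_delay=timedelta(hours=24), max_skew=timedelta(minutes=10)):
    """Return a list of findings; an empty list means the headers are internally consistent."""
    msg = message_from_string(raw)
    findings = []

    received = _received_times(msg)
    if not received:
        findings.append("no Received headers: no mail server ever handled this message")
    elif None in received:
        findings.append("unparseable Received timestamp")
    else:
        # Each server prepends its own header, so reading top-down must move back
        # in time, and consecutive hops are normally seconds apart, not days.
        for newer, older in zip(received, received[1:]):
            if newer < older:
                findings.append("Received chain is not monotonic: an outer hop predates an inner one")
                break
            if newer - older > max_hop_delay:
                findings.append(f"hop delay of {newer - older} between Received headers")
                break
        date_hdr = msg.get("Date")
        try:
            sent = parsedate_to_datetime(date_hdr) if date_hdr else None
        except (TypeError, ValueError):
            sent = None
        if sent is None:
            findings.append("missing or unparseable Date header")
        elif sent > min(received) + max_skew:
            findings.append("Date header is later than the first server receipt")

    if not msg.get("Message-ID"):
        findings.append("no Message-ID header")
    return findings


if __name__ == "__main__":
    for name, raw in (("GENUINE", GENUINE), ("IMPLANTED", IMPLANTED), ("BACKDATED", BACKDATED)):
        print(name, analyze(raw) or "consistent")
```

Real mailboxes contain legitimate outliers (internal mail that never left the tenant, greylisted hops), so findings are leads to corroborate against server logs, not proof on their own.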

Defenses Against Ransomware Attacks

The tactics, techniques, and procedures used by ransomware gangs are constantly changing, and with fewer victims paying ransoms, ransomware gangs are increasingly likely to opt for more aggressive tactics. Healthcare organizations should keep up to date on the latest threat intelligence, monitor for attacks using published indicators of compromise (IoCs), and implement the recommended mitigations. To keep options open, it is vital to maintain offline backups and follow the recommended 3-2-1 backup strategy: keep three copies of the data (the primary plus two backups), store them on at least two different media, and keep one of those copies securely offsite. It is also important to prepare for an attack by developing and regularly testing an incident response plan, with tabletop exercises that include members of all teams that will be involved in the breach response. Organizations that have a tested incident response plan recover from ransomware attacks more quickly and incur lower costs.

The post Ransomware Gangs Adopt New Tactics to Attack Victims and Increase Likelihood of Payment appeared first on HIPAA Journal.

HC3 Shares Analyses of LockBit 3.0 and BlackCat Ransomware

The Health Sector Cybersecurity Coordination Center (HC3) has released analyses of two ransomware variants that are being used in attacks on the healthcare sector: LockBit 3.0 and BlackCat.

LockBit 3.0

LockBit ransomware was first detected in September 2019 when it was known as ABCD ransomware. Over the past three years, the ransomware has been continuously improved and updated, and it is now one of the most prolific ransomware families. In 2022, more attacks have been conducted using LockBit ransomware than any other ransomware variant. The cybercriminal group behind LockBit runs a highly professional ransomware-as-a-service (RaaS) operation with a strong affiliate program, which has helped the group stay ahead of its competitors. In a first for a ransomware operation, the release of LockBit 3.0 in June 2022 also saw the launch of a bug bounty program, where security researchers are encouraged to identify vulnerabilities to help the gang improve its operation, for which the group claims it will pay anywhere from $1,000 to $1 million. The ransomware has many anti-analysis features, including requiring a unique 32-character password to be entered each time it is launched.

LockBit 3.0 has most of the same functions as LockBit 2.0, and has code similar to DarkSide and BlackMatter ransomware. It uses the same code as BlackMatter to resolve its needed API functions, the same method for identifying logical drives, and similar debugging features. Functions that are shared include the ability to send ransom notes to networked printers, delete Volume Shadow Copies, and identify the victim’s operating system. The latest version of the ransomware has worm capabilities and can spread throughout the network with no human interaction. Once deployed, the ransomware will try to download several post-exploitation tools, such as Mimikatz for credential theft and the penetration testing frameworks Cobalt Strike and Metasploit.

LockBit uses double extortion tactics, first exfiltrating data and then encrypting files, with threats issued to leak victims’ data if the ransom is not paid. Data is exfiltrated using a malware called StealBit, which automates the process. Following the release of LockBit 3.0, the gang has engaged in triple extortion tactics, where in addition to payment for the decryptor and to prevent a data leak, the victim is told they need to pay a fee to buy back their data. Ransom demands vary, with some attacks seeing ransom demands of millions of dollars. Initial access is gained using a variety of methods, including phishing, RDP compromise and credential abuse, and exploiting vulnerabilities in VPN servers and other known vulnerabilities.

BlackCat

BlackCat ransomware is a newer ransomware variant that was first detected in November 2021. The threat actors behind this ransomware are highly capable and are believed to have significant experience and extensive relationships with some of the most significant players in the cybercriminal world, such as FIN12 and FIN7 (Carbon Spider). The ransomware is also one of the most technically sophisticated variants in use, which allows it to be used in attacks on a wide range of corporate targets.

The ransomware is entirely command-line driven and human-operated and is able to use several different encryption routines. It is capable of being programmed for full file encryption, fast (partial) encryption, and DotPattern and SmartPattern encryption, with the latter two benefiting from both strength and speed. The ransomware can self-propagate, delete Volume Shadow Copies, and terminate commercial backup software and other services and processes that protect against file encryption. The ransomware will also render hypervisors ineffective to prevent analysis.

BlackCat ransomware has been used in several attacks on the healthcare sector, with the operation known to target pharmaceutical companies and pharmaceutical manufacturers. As with LockBit, multiple methods are used to gain initial access to victims’ networks, including phishing, exploiting known vulnerabilities, compromising remote access technologies such as RDP and VPNs, and distributed attacks, including supply chain and managed service provider compromise.

The ransomware is highly customizable and relies heavily on internally-developed capabilities, which are constantly evolving. Like LockBit, the group runs a professional RaaS operation, which is one of the most sophisticated of any ransomware actor. Several security researchers believe BlackCat to be the successor to REvil, Darkside, and BlackMatter ransomware. The capabilities of the threat actors and the sophisticated nature of the ransomware itself and the RaaS operation make BlackCat ransomware a significant threat.


Healthcare Organizations Warned About Royal Ransomware Attacks

The Health Sector Cybersecurity Coordination Center (HC3) has issued a warning to the healthcare and public health (HPH) sector about Royal ransomware attacks. Royal ransomware is a new ransomware threat that was first observed being used in attacks in September 2022. Attacks have been increasing and organizations in the HPH sector have been targeted.

Many ransomware threat actors run ransomware-as-a-service operations, where affiliates are recruited to conduct attacks for a percentage of the profits; however, Royal ransomware appears to be a private group, whose members have previously worked for other ransomware operations. Microsoft says a threat actor it tracks as DEV-0569 has been observed conducting Royal ransomware attacks, although several other actors are also part of the group.

The threat actors conducting the attacks are experienced and innovative, have been using new techniques and evasion tactics, and deliver a variety of post-compromise payloads. Like most other ransomware operations, Royal ransomware attacks involve data theft, with the threat actors publishing the stolen data if the ransom is not paid. The group is known to use hijacked Twitter accounts to send information to journalists to get media coverage to increase the pressure on victims. The ransom amount is often sizable, ranging from $250,000 to $2 million in the attacks conducted so far.

Once initial access has been gained to a victim’s network, the group deploys Cobalt Strike for persistence, harvests credentials, and moves laterally within networks. Shadow copies are deleted to hamper any attempt to recover files without paying the ransom, sensitive data is exfiltrated, then files are encrypted. Files may be fully or only partially encrypted, with the latter the faster option. Both will prevent files from being opened. An analysis of the ransomware showed the BlackCat ransomware encryptor was initially used, although this has now been changed to the group’s own encryptor (Zeon). The ransom note generated is similar to the note used in Conti ransomware attacks, which suggests there may be a link to that now-defunct ransomware operation.

Various methods are used to gain initial access to victims’ networks. The group uses malvertising – malicious adverts, including Google Ads – to direct traffic to a site where a malicious file is downloaded. The group has also been observed conducting phishing attacks with malicious URLs in the emails, and the malicious URL has been added to a variety of blog and forum posts. Malicious installer files have also been added to repositories and websites that claim to offer free software.

The group has also been observed exploiting unpatched software vulnerabilities and vulnerabilities in VPN servers, abusing credentials, and compromising Remote Desktop Protocol (RDP). The group also uses social engineering to trick people into installing remote access software in callback phishing attacks, impersonating software providers and food delivery services.

HC3 has shared indicators of compromise (IoCs) in the alert to help network defenders identify intrusions.


Industry Groups Provide Feedback on Sen. Warner’s ‘Cybersecurity is Patient Safety’ White Paper

Sen. Mark Warner (D-Va) recently published a white paper framing cybersecurity as a patient safety issue. The paper suggested several policy updates that could help improve healthcare cybersecurity and encourage healthcare organizations to invest more in cybersecurity, such as the introduction of an incentive program similar to the Meaningful Use program that rewards healthcare providers that make cybersecurity improvements.

Healthcare cybersecurity has never been as important as it is today and, as Warner explained, cybersecurity in healthcare “is exponentially growing in importance.” Warner says the white paper is a starting point to open up a discussion about changes that can be implemented to improve cybersecurity in the sector, rather than a blueprint for change.

At the heart of the white paper are three major challenges. The first is to improve federal oversight and appoint a leader with overall control or authority, rather than the current mishmash of agencies that have responsibilities related to healthcare cybersecurity. Then a change in mindset is required, where cybersecurity is viewed as a patient safety issue rather than a secondary concern. Cybersecurity needs to be baked into healthcare, not bolted on as an afterthought. Finally, perhaps the biggest challenge to overcome is the current staffing shortage. There are simply not enough skilled workers to fill the cybersecurity roles in healthcare, so investment is needed in training and retention, especially since salaries in healthcare are typically lower than in other sectors. Together, solving these issues will be a major challenge.

Sen. Warner sought feedback from healthcare industry stakeholders on the white paper, with the comment period officially coming to an end on December 1, 2022; however, since the white paper covers such important issues, the deadline has been extended.

The white paper has received considerable praise from industry leaders, with the American Hospital Association (AHA) and CHIME and AEHIS agreeing with many of the suggestions. Both have written to Sen. Warner and have provided feedback and recommendations to better support their members.

AHA Feedback on Cybersecurity is Patient Safety White Paper

The AHA said “hospitals and health systems have prioritized protecting patients and defending their networks from cyberattacks. However, they need support from the federal government as the field continues to face targets from sophisticated cyber adversaries and nation-states.”

With respect to leadership, the AHA supports the appointment of a senior cybersecurity leadership role within the HHS and recommends better coordination between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA), such as by improving delineation of specific authorities, roles, and responsibilities. The AHA confirmed it supports the Healthcare Cybersecurity Act, which authorizes cybersecurity training for the Healthcare and Public Health (HPH) sector, and calls for an analysis of cybersecurity risks faced by the HPH sector, especially regarding the impacts to rural hospitals, vulnerabilities of medical devices, and cybersecurity workforce shortages. The AHA has also strongly recommended financial incentives and qualifying grants to be made available to healthcare providers to support the implementation of cybersecurity technology and best practices, such as those detailed in the NIST guidelines and the HICP.

Greater support is required from the federal government for victims of cyberattacks

The AHA points out that many cyberattacks on the healthcare industry are either associated with or supported by nation-states, and as such, they are a national security issue, so the burden of defending against these attacks should not be shouldered solely by private sector organizations. The AHA has called for the federal government to consider ways to provide additional guidance and support to healthcare organizations that are victims of cyberattacks, especially to help them recover quickly, just like the federal government provides support to victims of terrorist attacks.

Help protect healthcare R&D and related intellectual property

The AHA supports tackling threats to healthcare IP through the existing Department of Justice Task Force on Intellectual Property, and for guidance to be released for industry and academia on evaluating the potential economic impact, reputational damage, loss of intellectual property, and other cybersecurity risks for health care research and development, and recommendations should be provided on how to best combat these threats. The AHA has also recommended small and rural research institutions be considered when drafting new guidance. The AHA has previously proposed a methodology that should be considered, which is based on four steps: educate, catalog, classify, and control.

NIST should release healthcare-specific guidance

The AHA says the NIST Cybersecurity Framework has been hugely beneficial for the healthcare industry but has recommended NIST further integrate healthcare cybersecurity subject matter experts into the development of its work products, and to release products and guidance focused on the healthcare industry. Since many healthcare organizations lack the financial resources to implement the NIST CSF, the AHA recommends offering financial incentives and qualifying grants to help them implement appropriate cybersecurity technology and the best practices outlined in the NIST CSF.

Modernize HIPAA to better address healthcare cybersecurity

While a new regulatory framework could be implemented to improve healthcare cybersecurity, the AHA says this is likely to be problematic. Instead, the AHA recommends modernizing HIPAA to address the current cyber threat landscape. The AHA has also called for the HHS to provide model language that can be used to help healthcare providers explain to patients the risks associated with accessing their health data through an app and to expand HIPAA to cover software applications and consumer devices that collect health information, to ensure they comply with the same privacy and security standards.

Support for workforce development programs and student loan forgiveness

The AHA supports the development and promotion of workforce training programs in cybersecurity and the funding of targeted internships or other programs to place cybersecurity professionals in small and rural facilities. The AHA supports student loan forgiveness and suggests that in order to qualify, workers should serve consistently for at least three years in a primary cybersecurity role in small and rural hospitals.

Create an incentive program to improve healthcare providers’ cybersecurity capabilities

The AHA has expressed support for ensuring appropriate minimum cyber hygiene practices are adopted but says the Medicare Conditions of Participation (CoPs) and Conditions of Coverage (CoCs) are not the ideal places for monitoring minimum cybersecurity practices. While CoPs and CoCs are enforced by surveyors from either state agencies or contracted accrediting bodies, the surveyors are not necessarily cybersecurity experts. Further, the CoPs and CoCs are not updated frequently enough to reflect changes in cyber hygiene practices, and making frequent changes would require extensive resources and could result in confusion and distrust of the integrity of the CoPs.

Address the issue of insecure legacy systems

The AHA has called for manufacturers of legacy devices to provide a secure environment to ensure safe patient care, including wrapping security precautions around these devices and adding security tools and auditing capabilities. Regular updates and patches should be provided for all software, and vulnerabilities should be communicated rapidly. The FDA should also make it clear that security updates are required, not optional. The AHA also supports the provision of a software bill of materials to help healthcare organizations manage the security of their devices and confirmed it supports the PATCH Act, which Congress should pass.

Address the cost of cybersecurity improvements

Updating technology to improve cybersecurity comes at a considerable cost to healthcare providers. One way to support healthcare organizations financially would be to make sure that Medicare and Medicaid fixed payments accurately reflect the cost of care. Many hospitals rely on these payments, but they are often less than the cost of providing care. The AHA warns that now is not the time to make cuts to these payments.

Support recovery from cyberattacks and establish a disaster relief program

The AHA has called for the strategic national stockpile (SNS) to be augmented with common equipment needed by hospitals facing cyberattacks and to include specialized cybersecurity resources for cyberattacks in the SNS for healthcare organizations, as hospitals are considered part of the critical infrastructure of the nation. The AHA also supports the creation of a cyber disaster relief program that provides financial, technical, and human resources during and post-attack, and for the government to create a reinsurance program to assist victims of high-impact cyberattacks, akin to victims of international terrorist attacks.

CHIME & AEHIS Feedback on Cybersecurity is Patient Safety White Paper

CHIME and AEHIS have applauded the efforts of Sen. Warner and his commitment to highlighting and ameliorating the patient safety and national security risks posed to the healthcare sector by cyberattacks, and they call for Congress to act now to improve the security of the healthcare sector. Feedback has been provided on several issues and policy changes outlined in the white paper; the key suggestions are detailed below.

Address funding challenges

CHIME/AEHIS recommend Congress increase funding for the HHS for cybersecurity for each of ASPR, HC3, and the 405(d) program, create a grant program specifically for small, medium, and under-resourced providers to help them make rapid improvements to cybersecurity, and create a voluntary incentive program for healthcare providers to offset investments in cybersecurity. CHIME/AEHIS agree with the suggested ‘cash for clunkers’ program, but say this should be for healthcare providers, not device manufacturers.

405(d) program

CHIME/AEHIS believe the ASPR should remain the SRMA and the 405(d) program should continue to support the sector’s joint public-private partnership in developing best practices and other tools to improve the sector’s cybersecurity posture, and recommend the HHS engage in more education efforts and use the CMS as an outreach channel to improve awareness and education about 405(d) and other free federal resources on cybersecurity.

Penalties and incentives

CHIME/AEHIS have made several suggestions about penalties and incentives, recommending the latter is a better strategy than punitive actions. Like the AHA, CHIME/AEHIS advise against using CoPs to drive the adoption of cybersecurity best practices, saying this should be avoided at all costs. CHIME/AEHIS also propose a reduction in OCR penalties for victims of cyberattacks, and not to force under-resourced providers to shoulder the entire burden of cybercrimes.

There should also be a greater emphasis on unmasking, charging, and prosecuting cybercriminals, and punishments for individuals who attack the healthcare sector should be increased. CHIME/AEHIS also suggest broadening the types of technology eligible for donation under Stark and Anti-Kickback policies, and prohibiting donor recipients from taking legal action against their donor in the event of a cyber incident.

Incentives should include establishing a cybersecurity incentive program tied to the 405(d) Program’s best practices as detailed in HICP, to recognize and reward adoption of those practices, and prioritizing funding for small, medium, and under-resourced providers, as well as providers who were not eligible for electronic health record (EHR) incentives. CHIME suggests the CMS should oversee the cybersecurity incentive programs.

Medical device security

CHIME/AEHIS are supporters of the PATCH Act and strongly recommend Congress pass this legislation to give the FDA greater oversight of medical device manufacturers; they also suggest the FDA should be authorized to issue legally binding regulations and that the 2017 Task Force should be reconvened to develop a plan to prioritize the medical devices that are eligible for a replacement program.

Several recommendations have been made concerning medical device manufacturers, including prohibiting the sale of devices with software that is no longer supported or at end-of-life, supporting devices to ensure they are not sunsetted, directly notifying providers about software updates, vulnerabilities, and patches, and as per the PATCH Act, to ensure a software bill of materials is provided.

Patient privacy

CHIME/AEHIS recommend the FDA and OCR better align their guidance and enforcement activities, specifically to ensure that medical device manufacturers are meeting their obligations as HIPAA business associates. While the AHA recommends an update to HIPAA, CHIME/AEHIS suggest a new national privacy law be created covering non-HIPAA-covered health data, and until such a privacy law is passed, app developers must inform consumers about how their health data is being used. They also call for the FTC to be provided with sufficient funding to enforce the Health Breach Notification Rule.

Cyber insurance

CHIME/AEHIS suggest greater insight is needed for private cyber insurance carriers, and the government should establish a catastrophic cyber insurance program to help healthcare providers offset the extremely high costs of cyberattacks. That program would also serve as a backstop for providers that have been unable to obtain cyber insurance coverage on the open market.

Workforce shortages

To address the current workforce shortage in cybersecurity, a federal workforce development program should be created, access should be given to free cyber training under the Regional Extension Centers (RECs) model, and student loan forgiveness programs should be established for individuals taking on cybersecurity roles in healthcare.


Guide Released for Assessing and Improving Connected Medical Device Security

The security of medical devices is one of the biggest cybersecurity concerns in healthcare. Hospitals continue to add more connected medical devices and by doing so they significantly increase the attack surface. One recent survey found a strong link between the number of connected medical devices at medical practices and the number of cyberattacks they experience. Connected medical devices often have vulnerabilities that can be exploited, and provide hackers with an easy way to gain access to healthcare networks.

New legislation is being considered to force healthcare organizations to make medical device security a priority and to require the manufacturers of medical devices to do more to ensure the security of their devices for their entire lifecycle. For example, the Protecting and Transforming Cyber Health Care (PATCH) Act seeks to amend the Federal Food, Drug, and Cosmetic Act by requiring cybersecurity measures to be included in premarket submissions to demonstrate the safety and effectiveness of the devices throughout the product’s entire lifecycle.

Until new legislation is introduced, healthcare organizations need to make medical device cybersecurity a priority, but many find improving security a challenge. To make that process easier, the cybersecurity company Ordr, a leader in connected device security, has published a maturity model that serves as a framework to help healthcare organizations evaluate the security of their medical devices, benchmark their connected device security efforts, and develop an effective strategy for improving the strength of their security program.

The guidance document – A Practical Guide to Implementing Connected Device Security for Healthcare Organizations – helps healthcare organizations understand their current level of security maturity and identify where they need to focus their efforts to make improvements. The guide includes five levels of maturity, states the business value that can be achieved at each of the five stages, and provides recommended actions and insights to help security teams focus their efforts on the journey to zero trust.

The first stage is asset visibility: in order to secure medical devices, a healthcare organization must know where these devices are, the firmware versions they are running, and all software associated with the devices, so a complete, accurate, and up-to-date inventory must be maintained. The second stage concerns vulnerability and risk management. Healthcare organizations at this stage have combined device vulnerability insights, established device behavior baselines, reviewed external threat intelligence, and have a comprehensive view of the attack surface to guide their security efforts.

The third stage is reactive security, which uses the insights gained and the risk-based view identified in the previous stages to prioritize risk mitigation. The fourth stage is proactive security, which involves automating policies and workflows so that threats can be rapidly detected and mitigated, and implementing zero trust segmentation. The final stage is optimized security, where all previous security efforts are expanded and optimized with automation and zero trust security policies are fully implemented.

“Organizations cannot expect to reach the Optimized Security stage instantly. Each stage establishes critical capabilities, builds upon previous stages, and creates value on the journey to Zero Trust,” said Brad LaPorte, author of the guide and former Gartner cybersecurity analyst. “No matter where you are on this journey and what your ultimate goal is, this guide provides essential insights to understanding your security posture – and what is needed to improve.”

The post Guide Released for Assessing and Improving Connected Medical Device Security appeared first on HIPAA Journal.

Medical Practices with a High Percentage of Connected Medical Devices Experience More Cyberattacks

The medical Internet of Things (IoT) is helping to improve efficiency and make healthcare more patient-centric; however, as hospitals increase the number of networked medical devices, the attack surface increases, giving malicious actors more opportunities to conduct attacks. Connected devices with IoT sensors such as insulin pumps, defibrillators, and glucose monitors often have vulnerabilities that can be exploited. Part of the problem is that medical devices are developed to perform important clinical functions, with security an afterthought. The devices are often highly vulnerable to cyberattacks and can be difficult to secure. If a malicious actor exploits those vulnerabilities, they will be able to gain a foothold in the network, access sensitive patient data, and potentially make changes to the devices and endanger patients.

Capterra recently conducted a survey of 150 healthcare respondents in the United States to explore the current state of medical IoT security and determine whether medical practices with a high percentage of their medical devices connected to the Internet were experiencing more cyberattacks. 75% of surveyed healthcare practices said they have experienced a cyberattack and 41% said they have experienced multiple attacks. The survey confirmed that these attacks usually negatively affect patients. The survey also found that 67% of healthcare cyberattacks involved patient data and violated patient privacy, and almost half (48%) had an impact on patient care. Only 10% of cyberattacks had no impact on patient care or patient data.

The survey found that medical practices with a higher percentage of networked or Internet-connected medical devices were experiencing more cyberattacks than medical practices with a low percentage of connected medical devices. 83% of medical practices that had 70% or more of their medical devices connected to the Internet had experienced one or more cyberattacks, compared to 74% of practices with 51%-70% of their devices connected, and 67% of practices with 50% or fewer of their devices connected to the Internet.

Medical practices that have more than 70% of their medical devices connected to the network were 24% more likely to experience a cyberattack than practices that had just 50% or fewer connected devices, and were 52% more likely to experience multiple cyberattacks. 40% of surveyed medical practices said they had between 51% and 70% of their medical devices connected to the Internet and 34% have more than 70% of their devices connected to the Internet. Only 26% of medical practices said that 50% or fewer of their medical devices were connected to the Internet.

53% of surveyed healthcare IT staff said they believe the current cybersecurity threat level is high or extremely high, but despite the threat of cyberattacks, many healthcare organizations are failing to secure their connected medical devices. 57% of healthcare IT staff said they do not change the default username and password on their devices, even though the default usernames and passwords can easily be found online. 82% of healthcare organizations run their medical devices on outdated Windows systems, and 68% of healthcare IT staff said they do not always update the firmware on the devices when patches are made available.

“As a healthcare organization connects more medical devices to its network, its attack surface expands,” says Zach Capers, senior security analyst at Capterra. “Connected medical devices often go unmonitored for security vulnerabilities, and because they run on a wide array of software and hardware platforms, it’s difficult to monitor with a single tool. This means that many connected medical devices are left wide open to cyberattacks.”

Healthcare organizations need to be proactive and improve medical device security, which means conducting routine vulnerability assessments before connecting any medical devices to the network, maintaining an accurate inventory of all medical devices and the software and firmware associated with those devices, and monitoring for firmware updates and patches and ensuring that they are applied promptly when they are released.
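As an added example (not code from the article or from Capterra), the following Python audits a device inventory for the three gaps the survey reports: default credentials left in place, an end-of-life Windows version, and firmware behind the vendor's current release. The device models, credentials, OS names and version numbers are constructed sample values, not real vendor data.

```python
"""Audit a device inventory for default credentials, end-of-life OS and stale firmware."""
from dataclasses import dataclass

# Constructed sample data (hypothetical models, not real vendor values).
DEFAULT_CREDS = {"PumpX1": ("admin", "admin"), "MonitorZ": ("service", "1234")}
EOL_WINDOWS = {"Windows XP", "Windows 7", "Windows Server 2008"}
LATEST_FIRMWARE = {"PumpX1": "3.2.1", "MonitorZ": "1.9.0"}

@dataclass
class Device:
    asset_id: str
    model: str
    os: str
    firmware: str
    username: str
    password: str
    networked: bool  # reachable over the network / Internet

def parse_version(v):
    """'3.2.1' -> (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def audit_device(d):
    """Findings for one device; an empty list means no gap was found."""
    findings = []
    if DEFAULT_CREDS.get(d.model) == (d.username, d.password):
        findings.append("default-credentials")
    if d.os in EOL_WINDOWS:
        findings.append("eol-os")
    latest = LATEST_FIRMWARE.get(d.model)
    if latest and parse_version(d.firmware) < parse_version(latest):
        findings.append("firmware-outdated")
    return findings

def audit_inventory(devices):
    """asset_id -> findings for networked devices only (offline devices do not enlarge the attack surface)."""
    return {d.asset_id: audit_device(d) for d in devices if d.networked}

def connected_fraction(devices):
    """Share of the inventory that is networked (the survey's 50% / 70% bands)."""
    return sum(d.networked for d in devices) / len(devices) if devices else 0.0

# Constructed inventory: four devices, three of them networked.
SAMPLE = [
    Device("A-001", "PumpX1", "Windows 7", "3.1.0", "admin", "admin", True),
    Device("A-002", "MonitorZ", "Windows 10", "1.9.0", "biomed", "s3cret", True),
    Device("A-003", "PumpX1", "Windows 10", "3.2.1", "biomed", "s3cret", True),
    Device("A-004", "MonitorZ", "Windows XP", "1.0.0", "service", "1234", False),
]
```

Running `audit_inventory(SAMPLE)` flags A-001 on all three checks and leaves A-002 and A-003 clean, while the offline A-004 is excluded from the report.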


Healthcare Sector Warned About Cuba Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory about Cuba Ransomware and have shared details of the tactics, techniques, and procedures (TTPs) used by the group, along with Indicators of Compromise (IoCs) to help network defenders improve their defenses against attacks and rapidly detect computer intrusions. The Health Sector Cybersecurity Coordination Center says the group poses a significant threat to the healthcare and public health sector.

The Cuba ransomware group has increased attacks in the United States, with attacks doubling since December 2021, and ransom payments are also on the rise. Globally, more than 100 organizations have been targeted by the gang and more than $145 million in ransom demands have been issued, with the group known to have received at least $60 million in ransom payments. The group targets critical infrastructure organizations, with at least 65 critical infrastructure entities known to have been attacked in the United States, including those in healthcare and public health, government facilities, financial services, critical manufacturing, and information technology.

According to CISA and the FBI, there are similarities between the infrastructure used by the Cuba ransomware operation and the RomCom RAT and Industrial Spy ransomware actors. The group uses RomCom for command and control of the ransomware and sells stolen data through the online market used by the Industrial Spy actors if victims refuse to pay the ransom. In one attack, the Cuba ransomware gang deployed the RomCom RAT on the network of a healthcare company, suggesting strong links between these three groups. The group is also known to use a dropper that was signed using the same certificate that was found in the LAPSUS NVIDIA data leak.

The Cuba ransomware group uses a variety of methods to gain initial access to victims’ networks, including exploiting vulnerabilities in unpatched commercial software – including CVE-2022-24521 (Windows Common Log File System) and CVE-2020-1472 (ZeroLogon) – phishing, compromised credentials, and remote desktop protocol (RDP) tools. Once access is gained, the ransomware is distributed using a loader called Hancitor, which is also used for dropping information stealers, RATs, and other malicious payloads. Before encrypting files, the group exfiltrates data to pressure victims into paying the ransom demands.

CISA and the FBI previously issued a security advisory about the group in December 2021; however, the group has modified its TTPs, which have been included in the latest security alert along with IoCs, MITRE ATT&CK techniques, and recommended mitigations.


Healthcare Ransomware Threat High Despite Slight Downturn in Attacks in Q3

There was a slight downturn in ransomware attacks in Q3, although it is too early to tell if that downward trend will continue. Even with the reduction in attacks, ransomware is still the biggest cyber threat faced by organizations, and the attacks are among the costliest cybersecurity incidents to mitigate. Attacks on the healthcare industry continue to be conducted in high numbers, with several groups targeting the sector, even though the attacks have the potential to result in loss of life.

Guidepoint Security’s Research and Intelligence Team (GRIT) has been tracking the activity of ransomware gangs and identified 27 active ransomware groups in Q3, a slight decrease from Q2 when there were 30 groups conducting attacks. In Q3, there were 568 publicly posted ransomware victims – a 2.2% decrease from the 581 victims publicly posted in Q2. In Q3, new victims were publicly posted at a rate of 6.24 per day. Of course, there are some caveats with these findings. Some ransomware groups do not add all of their victims to their data leak sites, and some offer not to publicly release any information about an attack if the ransom is paid promptly. That said, figures published by the ransomware remediation firm Coveware indicate the number of organizations paying ransoms is declining.

The report shows that the ransomware threat is greatest in the United States, which is the most targeted country with 38.9% of total victims, followed by France (6.2%), and the United Kingdom (5.6%). Attacks in Spain increased significantly in Q3, which saw the country rise to 4th spot with 4.9% of attacks. Attacks are also being conducted more widely, with 16 countries targeted for the first time this year in Q3, and 6 of those countries targeted for the first time ever.

The most prolific ransomware groups in Q3 were LockBit, BlackBasta, Hive, AlphV, BianLian, and Vice Society, with LockBit by far the most prolific operation. LockBit is known to target the healthcare sector, and a warning about the group was recently issued by the Health Sector Cybersecurity Coordination Center (HC3). The group increased the number of attacks in September compared to the previous two months, and accounted for 42% of all publicly posted victims, increasing from 211 victims in Q2 to 235 in Q3.

BlackBasta was the second most prolific group, with a 32% increase in victims in Q3, and Hive was in third place, with attacks increasing by 104% in the quarter. A warning was also issued by HC3 about Hive recently. Hive actively targets the healthcare industry, with 12.8% of its victims in the healthcare and public health (HPH) sector – twice the percentage of HPH sector victims as LockBit. While the healthcare industry is actively targeted by several ransomware groups such as LockBit and Hive, some choose not to attack the sector. Even so, the industry ranked third in terms of victim count in Q3, with LockBit, Hive, and BianLian claiming the highest number of victims. Manufacturing ranked first for publicly posted victims, with technology ranking second.

So far this year, 44 ransomware groups have been observed conducting attacks, and there have been 1,846 publicly posted victims. Eight new ransomware operations emerged in Q3, including Sparta, which made the top 10 in terms of the number of victims. The group has so far conducted all of its attacks on organizations in Spain. Two previously highly active groups, Vice Society and Quantum, decreased attacks by 48% and 57% respectively in Q3.


HPH Sector Warned About Lorenz Ransomware Group

The healthcare and public health sector (HPH) has been warned about the threat of ransomware attacks by the Lorenz threat group, which has conducted several attacks in the United States over the past two years, with no sign that attacks are slowing.

Lorenz ransomware is human-operated and is deployed after the threat actors have gained access to networks and have exfiltrated data. Once access to the network is gained, the group is known to customize its executable code and tailor it for each targeted organization. The Lorenz actors maintain persistence and conduct extensive reconnaissance over an extended period of time before deploying ransomware to encrypt files. The group engages in double extortion tactics, where sensitive data is exfiltrated prior to file encryption and ransom demands are issued to prevent the sale or publication of that data, in addition to payment being required to obtain the keys to decrypt files.

Many ransomware threat actors steal data and threaten to publish the stolen files on a data leak site if the ransom is not paid. The process used by Lorenz is unusual. If, after attempting to engage with a victim, the ransom payment is not forthcoming, the group attempts to sell the stolen data to other threat actors and competitors. If the ransom is still not paid, Lorenz publishes password-protected archives containing the stolen data on its data leak site. If the group is unable to monetize the stolen data, the passwords for the archives are then published, which allows anyone to access and download the stolen data. There have been cases where the group has maintained access to victims’ networks and has sold that access to other threat groups.

Lorenz engages in big game hunting, most commonly targeting large organizations, with the ransom demands typically in the range of $500,000 to $700,000. There have been no known attacks on non-enterprise targets, and the majority of victims have been English-speaking. In contrast to most other ransomware gangs, relatively little is known about this group. Methods known to have been used by the group to gain initial access to victims’ networks include phishing, compromising remote access technologies such as RDP and VPNs, exploiting unpatched vulnerabilities in software and operating systems, and conducting attacks on managed service providers (MSPs), and then pivoting to attack MSP clients.

The Health Sector Cybersecurity Coordination Center (HC3) Analyst Note includes references, known Indicators of Compromise, and other resources that can be used by network defenders to improve their defenses against Lorenz ransomware attacks.
