Healthcare Cybersecurity

290 Hospitals Potentially Affected by Ransomware Attacks in 2022

Ransomware attacks continue to be conducted on healthcare organizations in high numbers, but determining the extent to which healthcare organizations are being targeted by ransomware gangs is a challenge. Victims of ransomware attacks do not always report the incidents as involving ransomware, and ransomware gangs do not publicly disclose attacks when ransoms are paid.

The nature of the attacks conducted by ransomware gangs is also changing, with some ransomware gangs opting to conduct extortion-only attacks, where sensitive data is exfiltrated from networks and a ransom demand is issued to prevent its publication or sale, but malware is not used to encrypt files. The decision whether or not to encrypt appears to be taken on an attack-by-attack basis.

The cybersecurity firm Emsisoft tracks ransomware attacks and produces annual reports that provide insights into the extent to which ransomware is used in cyberattacks, but Emsisoft admits that it is difficult to produce reliable statistics. This year’s report shows more than 200 large organizations in the United States have been attacked in the government, education, and healthcare verticals. Attacks in the education sector have remained fairly consistent over the past 4 years with between 84 and 89 attacks conducted each year, as has the number of attacks on state and local governments – 105 in 2022 with an average of 102 attacks a year.

Compiling meaningful data on attacks on healthcare organizations has been particularly challenging because, while there are reporting requirements under HIPAA, it is not necessary to disclose the exact nature of the attacks or release details. For this reason, and due to the volume of reports, for the 2022 report Emsisoft did not compile data for healthcare organizations as a whole and instead focused on hospitals and multi-hospital health systems.

For the report, Emsisoft’s researchers compiled data from public breach notices, reports, dark web data leak sites, and from third-party intelligence, with its data confirming that at least 105 counties, 45 school districts, 44 universities, and 25 healthcare providers suffered ransomware attacks in 2022. The true figure is likely to be significantly higher due to the lack of detailed reporting.

Across all ransomware attacks and verticals, hackers stole data prior to using encryption in around half of the attacks, but data theft was much more common in ransomware attacks on hospitals. Out of the 24 confirmed attacks on hospitals, data theft occurred in 17 of those attacks (68%). Due to the lack of accurate data released by healthcare organizations and their business associates, it is not possible to definitively determine whether ransomware attacks have plateaued, are increasing, or declining. What is clear is that the healthcare sector continues to be targeted and a great many patients have been affected by the attacks.

Several of the attacks were conducted on multi-hospital health systems, with 290 hospitals across the country potentially affected by the attacks. That includes the 150 hospitals operated by CommonSpirit Health, which recently confirmed that the protected health information of 623,774 patients was compromised in the attack. CommonSpirit Health has recently confirmed that only a small number of the hospitals it operates were affected.

These attacks often result in the theft of patient data, which can negatively affect patients and put them at risk of identity theft and fraud, but the most serious consequences are to patient health. Studies have been conducted that indicate an increase in mortality following a ransomware attack and a negative impact on patient outcomes due to delays in receiving test results, postponed appointments, and canceled surgeries. While no deaths have been attributed to ransomware attacks, patient outcomes are affected by the delays in receiving treatment. Emsisoft draws attention to one attack that resulted in a computer system used for calculating medication doses being taken offline, which caused a 3-year-old patient to be given a massive overdose of pain medication.

The post 290 Hospitals Potentially Affected by Ransomware Attacks in 2022 appeared first on HIPAA Journal.

HITRUST Cybersecurity Framework Gets 2023 Update

The information risk management, standards, and certification body, HITRUST, has announced that it will be releasing a new version of its popular cybersecurity framework this month. Version 11 of the HITRUST CSF includes several improvements to ensure the framework stays relevant, with improved mitigations against evolving and emerging cyber threats, while reducing the burden on healthcare organizations for certification.

The HITRUST CSF is a risk management and compliance framework that healthcare organizations can adopt to reduce the burden and complexity of achieving HIPAA compliance and effectively manage and reduce risks to private and confidential information, including protected health information (PHI). To better protect against emerging and evolving cyber threats, the new version of the HITRUST CSF enables the entire HITRUST assessment portfolio to leverage cyber threat-adaptive controls, appropriate for each level of assurance. Control mappings have been improved as has the precision of specifications, which reduces the level of effort required for HITRUST Certification. HITRUST says the updated version of the CSF reduces the effort required to achieve and maintain HITRUST Implemented, 1-year (i1) Certification over two years by up to 45%.

In the updated version, all HITRUST assessments are subsets or supersets of each other, which means organizations can reuse the work in lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements and inheritance. HITRUST also says CSF v11 is fully integrated across Microsoft Azure, Dynamics 365, Microsoft 365, and Power Platform, and that it is collaborating with various partners and healthcare organizations to introduce advanced capabilities to improve clarity on compliance requirements.

The new HITRUST CSF also sees two new authoritative sources added – NIST SP 800-53, Rev 5, and Health Industry Cybersecurity Practices (HICP) standards – and AI-based standards development capabilities have been developed to aid its assurance experts in mapping and maintaining authoritative sources. The latter will reduce mapping and maintenance efforts by up to 70% and will make it easier to add more authoritative sources in future releases.

“There is no question that frameworks need to stay relevant with current and emerging threats so organizations can conduct assessments as efficiently as possible and provide practical, yet meaningful, assurances to stakeholders,” said Andrew Russell, VP of Standards, HITRUST. “The investments we’ve made in our AI-based standards development platform have dramatically improved our ability to assess threat-adaptive mitigations, add authoritative sources, and reduce redundancies, allowing organizations to achieve the same level of assurance with less effort.”


How to Secure Patient Information (PHI)

The issue of how to secure patient information and PHI is challenging because HIPAA does not require all patient information to be secured. Additionally, if Protected Health Information (PHI) is secured too much, it can prevent the flow of information needed to perform treatment, payment, and healthcare operations efficiently.

To best explain how to secure patient information and PHI, it is necessary to distinguish between what is patient information and what is PHI. The easiest way to do this is by defining PHI first, because any remaining information relating to a patient that is not PHI does not need to be secured under HIPAA – although other privacy and security laws may apply.

What is PHI? And What is Not PHI?

The Administrative Simplification Regulations define PHI as individually identifiable health information “transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium”. To understand why some patient information might not be PHI, it is necessary to review the definition of individually identifiable health information:

“Information […] collected from an individual […] that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or […] can be used to identify the individual.”

These definitions suggest any information that does not relate to a patient's condition, treatment for the condition, or payment for the treatment is not protected by the privacy and security standards. However, this is not the case.

Individually identifiable health information protected by the privacy and security standards is maintained in one or more “designated record sets”, and any identifying non-health information added to a designated record set assumes the same privacy and security protections. Therefore:

  • “Mr. Jones has a broken leg” is PHI because it identifies the patient and relates to a present health condition.
  • If Mr. Jones' address, the name of his wife, and their telephone number are added to the designated record set, that information is also PHI.
  • However, if a separate record of the name of Mr. Jones' wife and their telephone number is maintained outside the designated record set (e.g., for contact purposes), it is not PHI because the separate record does not contain any health information.

In conclusion, some patient information can be both protected and not protected depending on where it is maintained. This doesn't make it any easier to explain how to secure patient information and PHI, but it is important to be aware that not all patient information is PHI all the time.

How to Secure Patient Information that is PHI

To say PHI has to be secured is misleading because it implies Protected Health Information has to be locked away in a fortress-like environment, whereas the Privacy Rule allows “permissible” uses and disclosures for a variety of reasons. Therefore, although it is important to apply access controls to ensure only authorized personnel can use or disclose PHI, it is not necessary for PHI to be “secured” in that sense.

With regards to electronic PHI (ePHI), Covered Entities and Business Associates have to take greater care about how it is protected because healthcare data is highly sought after by cybercriminals. Consequently, many compliance experts suggest organizations adopt a defense in depth strategy that includes as a minimum:

  • A firewall to prevent unauthorized access to networks and data
  • A spam filter to block malicious emails harboring malware
  • A web filter to prevent staff accessing malicious websites
  • An antivirus solution to detect malware from other sources
  • Data encryption on all workstations and portable devices
  • Encryption to protect data in transit – encrypted email for instance
  • An intrusion detection system that monitors for irregular network activity
  • Auditing solutions that monitor for improper accessing of PHI
  • Disaster recovery controls to ensure continued access to data in the event of an emergency
  • Extensive backups to ensure PHI is recoverable in the event of an emergency
  • Security solutions allowing the remote deletion of data stored on mobile devices in the event of loss or theft
  • Security awareness and anti-phishing training for all members of the workforce
  • Physical controls to prevent data and equipment theft
  • Good patch management policies to ensure software is kept up to date and free from vulnerabilities

Informing Patients that Health Information is Protected

Although protecting PHI is a requirement of HIPAA, it can be beneficial to highlight to patients that the security of health information is taken seriously. Research has shown that, when patients trust their health information is being protected, they are more willing to share intimate details about themselves with healthcare providers.

Having more information about a patient's condition enables healthcare providers to make better informed decisions and more accurate diagnoses to determine the best course of treatment. This in turn leads to better patient outcomes and a reduction in patient readmissions, which can reflect in higher satisfaction scores from patients and their families.

Informing patients that health information is secured doesn't have to go into details – a few lines of text added to a Notice of Privacy Practices is often sufficient. The important thing to remember is that if an organization claims that health information is protected but fails to implement the necessary standards to secure patient information – and a data breach occurs – this could discredit the organization and will likely be taken into account in any investigation into the data breach.

How to Secure Patient Information FAQs

What privacy and security laws apply other than HIPAA?

Many states now have privacy and/or data security laws with stronger patient protections than HIPAA. Some laws may only apply to certain types of data (e.g., Illinois' Biometric Information Privacy Act), while others apply across state borders to protect the personal data of any citizen of the state wherever they are (e.g., Texas' Medical Records Privacy Act).

What can happen if you secure too much information?

Securing too much information can negatively impact healthcare operations. For example, a nursing assistant needs to phone Mr. Jones' wife urgently but cannot access the telephone number because they do not have the right credentials to access the designated record set in which the telephone number has been secured.

Not only will the lack of access result in a delay in contacting Mr. Jones' wife, but the nursing assistant will have to find a colleague with the right credentials to access the designated record set and interrupt what they were doing in order to get the phone number to make the call – an unnecessary waste of resources.

What are the Administrative Simplification Regulations?

The Administrative Simplification Regulations are the section of the Public Welfare regulations (45 CFR) containing most of the standards that HIPAA Covered Entities and Business Associates have to comply with – i.e., the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Department of Health and Human Services has compiled an unofficial version of the text here.

What are the permissible uses and disclosures of PHI?

The permissible uses and disclosures allowed by the Privacy Rule generally relate to uses and disclosures for treatment, payment, and healthcare operations. However, other uses and disclosures are allowed when (for example) they are covered by a Business Associate Agreement with a third party organization or when a patient has authorized the use or disclosure.

How can a patient check health information is being protected?

Patients can request an accounting of disclosures from their health plan or healthcare provider, which should list the times when PHI has been disclosed for purposes other than those permitted by the Privacy Rule in the previous six years. Although it is no guarantee of data security, the accounting of disclosures can be a good indicator of an organization's HIPAA compliance.


HPH Sector Warned About Threat of DDoS Attacks by Pro-Russian Hacktivist Group

The healthcare and public health (HPH) sector has been warned about the risk of cyberattacks by a pro-Russian hacktivist group dubbed KillNet, following a recent attack on a U.S. healthcare organization. KillNet is believed to have started operating around the time that Russia invaded Ukraine, between January and March 2022. Since then, the hacktivist group has targeted government institutions and private sector organizations in countries that are providing support to Ukraine, especially NATO countries.

KillNet primarily conducts distributed denial of service (DDoS) attacks. DDoS attacks involve flooding servers and websites with thousands of connection requests from compromised devices to deny access to legitimate users of those servers and websites. These attacks can last for several hours or even days; while they are under way the servers and websites run slowly, and prolonged attacks can cause outages lasting several days. Generally, these attacks do not cause any major damage to hardware.

Members of the group have threatened to target organizations in the U.S. healthcare sector in response to the U.S. policy of providing support to Ukraine. Those threats include cyberattacks, data theft, and the publication of the health data of Americans. In December 2022, KillNet claimed responsibility for a cyberattack on a large U.S. healthcare organization that provides healthcare to members of the U.S. military and claims to have stolen a large amount of user data.

Members of the group have threatened to conduct attacks on organizations in other countries if their demands are not met. For instance, in response to the arrest of a suspected member of the KillNet group in Romania in May 2022, a member of the group threatened to target the UK Ministry of Health and claimed attacks would be conducted on life-saving ventilators in British hospitals.

The Health Sector Cybersecurity Coordination Center (HC3) says the group has a tendency to exaggerate, so any claims made by the group should be taken with a pinch of salt. HC3 says it is possible that some of the claims made by members of the group have been to garner attention from the public and across the cybercriminal underground. That said, the group is considered to be a threat to government and critical infrastructure organizations, including organizations in the HPH sector. HC3 has suggested some practical steps for HPH sector organizations to take to mitigate the risk of DDoS attacks, which are detailed in the KillNet Analyst Note.


Medical Device Cybersecurity Provisions Included in Omnibus Appropriations Bill

The text of a $1.7 trillion omnibus appropriations bill has been released by the House and Senate Appropriations Committees which, if passed, will ensure that the government remains funded until September 30, 2023. The Senate has already started debating the bill and the House is due to consider the bill this week. The bill must be signed by the president on Friday this week, when government funding is set to expire.

The 4,155-page bill includes many healthcare provisions that will help hospitals and health systems provide better care for patients. These include the prevention of the 4% Medicare PAYGO cuts to providers, financial support for rural hospitals to ensure they can continue to operate, measures to help states prepare for Medicaid eligibility changes when the COVID-19 Public Health Emergency comes to an end, and extensions and expansions of telehealth flexibilities until December 31, 2024. This will help to ensure that telehealth and hospital-at-home programs can continue to provide convenient and accessible medical treatment for patients. The bill will also provide funding for essential behavioral health programs and several provisions that will help to increase the healthcare workforce.

The bill proposes $120.7 billion in funding for the Department of Health and Human Services, increasing HHS funds by a further $9.9 billion from last year. Funding for the Centers for Medicare and Medicaid Services will increase by $100 million, the National Institutes of Health will receive an additional $2.5 billion to focus on research on a range of diseases and medical conditions, the Centers for Disease Control and Prevention will receive a further $760 million, primarily to fund fundamental public health activities and emergency preparedness, and the Substance Abuse and Mental Health Services Administration will receive an additional $970 million for mental health programs and for expanding access to its services.

In September, the Food and Drug Administration (FDA) appropriations bill was passed to ensure the FDA continued to be funded, but in order for the bill to be passed, the FDA was forced to drop its proposed medical device cybersecurity requirements, many of which were taken from The Protecting and Transforming Cyber Health Care (PATCH) Act. Those requirements were blocked by the Senate Republican leadership.

There is good news in this regard, as the omnibus appropriations bill includes new requirements for medical device manufacturers to ensure that their devices meet certain minimum standards for cybersecurity. Those requirements will take effect 90 days after the bill is enacted. Manufacturers must submit a plan to the Secretary of the FDA to monitor, identify, and address postmarket cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures; they must ensure their devices and associated systems are secure; and they must release postmarket software and firmware updates and patches. Medical device manufacturers will also be required to provide a Software Bill of Materials (SBOM) to the Secretary of the FDA that includes all off-the-shelf, open source, and critical components used by the devices.

The bill calls for the FDA to provide additional resources and information on improving the cybersecurity of medical devices within 180 days, and annually thereafter, including information on identifying and addressing cyber vulnerabilities for healthcare providers, health systems, and device manufacturers. Within one year, the Government Accountability Office is required to issue a report that identifies the challenges faced by healthcare providers, health systems, patients, and device manufacturers in addressing vulnerabilities, and how federal agencies can strengthen coordination to improve the cybersecurity of devices.

HIPAA called for the creation of a unique patient identifier (UPI), but funding has not been provided to date. The appropriations bill continues to prohibit funding for a national patient identifier, even though a UPI would help to ensure that patients can be accurately linked with the correct medical records.


Most Important Factors for Improving Cyber Resilience

Cyberattacks have increased in volume and sophistication to the point where it is inevitable that a successful attack will be experienced by all healthcare organizations at some point in their lifespan. Healthcare organizations can hope for the best, but it is vital to plan for the worst and take steps to ensure that the damage caused is kept to a minimum. A major focus for security teams, in addition to reducing risks, is improving cyber resilience. Cyber resilience is the ability of an organization to continue to operate in the event of a cyberattack and to recover quickly.

A recent survey by Cisco indicates executives are aware of the importance of cyber resilience, with 96% of respondents saying cyber resilience is a high priority, and deservedly so, since 62% of respondents said their organization had experienced a security breach in the past two years – a combination of data breaches (51.5%), network/system outages (51.1%), ransomware attacks (46.7%), and DDoS attacks (46.4%). These attacks had severe repercussions for the breached entities, causing disruption to IT systems, communications, supply chains, and internal operations, with four out of 10 breached organizations saying they suffered lasting brand damage.

While the main goal in cybersecurity is still to prevent attacks from occurring, it must be assumed that this will not always be possible given the rapidly evolving threat landscape. The cyber resilience lifecycle can be split into the following elements: identify, protect, detect, respond, recover, and anticipate. It is important for healthcare organizations of all sizes to address these elements to improve their cyber resilience, and Cisco has identified the most important factors for success.

For Cisco's Security Outcomes Report, Volume 3: Achieving Security Resilience, a methodology was developed for scoring organizations on cyber resilience that allowed the researchers to identify seven key factors that are critical to success. All seven of these factors were present in the 90th percentile of cyber resilient organizations and were all lacking in the bottom 10th percentile. They were:

  • Strong security support from the C-suite
  • Excellent security culture
  • Internal staffing and resources for incident response
  • Mostly on-premises or mostly cloud-based technology infrastructure
  • Mature zero trust
  • Advanced endpoint detection
  • Converging networking and security into a mature, cloud-delivered secure access services edge

Organizations with poor security support from the C-suite scored 39% lower than those with strong C-suite support. Organizations with a strong security culture, which can be built through regular workforce training, scored 46% higher than those lacking a security culture. There was a 15% increase in resilient outcomes to security incidents when an internal team and resources were available for incident response. Interestingly, there was no difference in resilience scores between organizations with most of their technology infrastructure on-premises and those with most of it in the cloud, but those that were transitioning from on-premises to the cloud had scores reduced by between 8.5% and 14%, depending on how difficult their hybrid environments were to manage.

One of the best approaches to take to improve cyber resilience is to adopt zero trust. This approach to security assumes defenses have already been breached and makes it as hard as possible for malicious actors to move laterally within networks. Implementing zero-trust is not a quick process, but its importance in healthcare is well understood. A recent Okta survey indicates 58% of healthcare organizations have started implementing zero-trust initiatives and 96% of all surveyed healthcare respondents said they had either started implementing zero-trust or plan to in the next 12-18 months. Guidance on implementing zero-trust in healthcare was recently published by Health-ISAC.

Cisco reports that organizations with a mature zero-trust model had 30% higher cyber resilience scores on average than those that had none. The most significant boost came not from zero trust, but from advanced endpoint detection and response capabilities, which improved cyber resilience scores by 45%. Converging networking and security into a mature, cloud-delivered secure access services edge increased security resilience scores by 27%.

“The Security Outcomes Reports are a study into what works and what doesn’t in cybersecurity. The ultimate goal is to cut through the noise in the market by identifying practices that lead to more secure outcomes for defenders,” said Jeetu Patel, executive vice president and general manager of security and collaboration at Cisco. “This year we focused on identifying the key factors that elevate the security resilience of a business to among the very best in the industry.”


Automation Can Help Network Defenders Achieve More in Less Time and Stay One Step Ahead of Hackers

Automation cuts costs and improves productivity, and it is as important in cybersecurity as it is in manufacturing. Many labor-intensive security tasks can be automated to allow network defenders to do more in less time, including monitoring, port scanning, vulnerability scanning, and patching. There is a wide range of security tools that can be used to automate tasks to allow security teams to identify and address vulnerabilities more quickly and rapidly detect intrusions and investigate suspicious activity.

Many security tools have been created for blue team use that can save a considerable amount of time. For example, tools are available that can scan for vulnerabilities, automate mitigation, and make suggestions about recommended actions. Manually performing these tasks is time-consuming and extends the window of opportunity for hackers to exploit the flaws. A great deal of threat intelligence is available to network defenders – far too much to sift through manually. Cyber intelligence tools automate the process of checking threat intelligence and can filter out irrelevant information, allowing security teams to focus on the most serious and pertinent threats.

Security Information and Event Management (SIEM) tools are valuable to network defenders. They provide real-time analysis of security alerts generated by applications and network hardware and allow security teams to efficiently collect and analyze log data from all of their digital assets. Security Monitoring and Alerting Tools (SMAAT) and Network Intrusion Detection Systems (NIDS) continuously monitor systems for suspicious activity and instantly alert security teams when a potential intrusion is detected. Automation can help defenders rapidly identify publicly exposed assets, identify cloud misconfigurations, and scan for excessive permissions and vulnerabilities before they can be exploited.

Just as these tools can help network defenders, hackers are also using automation, which is why they are able to conduct so many attacks in such a short space of time. The Capital One data breach in 2019 resulted in access being gained to 100 million credit card applications and accounts. The hacker behind that attack – an individual, not a group – also breached the systems of at least 30 other organizations, which was only possible by using automation.

Oftentimes, the same tools that are used by security teams for defense are also being used by hackers for offense. Only through automation is it possible to conduct huge spamming and phishing campaigns, rapidly identify vulnerable Internet-exposed systems to attack, simultaneously exploit vulnerabilities at multiple organizations, and conduct brute force attacks on accounts. For example, hackers use the Autosploit tool to automate searches for vulnerable systems on the Shodan search engine and automate the use of the Metasploit framework for exploiting the vulnerabilities. If hackers are using automation, the only way for security teams to keep up is to also use automation.

The Health Sector Cybersecurity Coordination Center (HC3) recently published a new resource that highlights the benefits of automation and its impact on healthcare. The resource includes suggestions on some of the automation tools that can be used for defensive purposes that have a high level of automation, are easy to implement, and have good support and technical documentation. They can be used by blue teams for defense and red teams for penetration testing to mimic adversaries and identify vulnerabilities before they can be exploited. The resource also explains how hackers are using automation in their attacks, which can help security teams gain a better understanding of their adversaries.


Ransomware Gangs Adopt New Tactics to Attack Victims and Increase Likelihood of Payment

Ransomware remains one of the most serious threats to the healthcare industry. Attacks can be incredibly costly to resolve, they can cause considerable disruption to business operations, and can put patient safety at risk. Ransomware gangs are constantly changing their tactics, techniques, and procedures to gain initial access to networks, evade security solutions, and make recovery without paying the ransom more difficult, and with more victims refusing to pay the ransom demand, ransomware gangs have started to adopt increasingly aggressive tactics to pressure victims into paying up.

Telemedicine Providers Targeted

A variety of methods are used to gain access to healthcare networks, including remote access technologies such as VPNs and Remote Desktop Protocol (RDP) and exploiting unpatched vulnerabilities, with phishing a leading attack vector. One of the latest phishing tactics to be adopted is to target healthcare providers that offer telemedicine services, especially those offering consultations with patients over the Internet. One new tactic that has proven to be successful is for the threat actor to impersonate a new patient and send the healthcare provider a booby-trapped file that appears to be a copy of their medical records. The ransomware gang assumes that, prior to the appointment, the doctor will open the file to review the patient’s records; opening it installs malware that gives the attackers access to the doctor’s device.

One of the biggest problems for ransomware gangs is getting paid. When ransomware first started to be extensively used, files were encrypted, and payment needed to be made to recover files. Companies that followed best practices for data backups would be able to recover their files without paying the ransom. To increase the probability of payment being made, ransomware gangs started engaging in double extortion tactics, where sensitive data is exfiltrated prior to file encryption and threats are issued to leak the data if payment is not made. Even if backups exist, payment is often made to prevent the release of the stolen data. However, this tactic is no longer as successful as it once was. Coveware reports that fewer victims are paying the ransom demand, even when data is stolen.

Triple Extortion Tactics Adopted

Some ransomware gangs have started using triple extortion tactics to pile more pressure on victims to pay up. There have been several attacks on healthcare organizations where triple extortion tactics have been used. Triple extortion can take several different forms, such as contacting individual patients using the contact information in the stolen data to try to extort money from them. The REvil ransomware gang, now believed to be the operator of BlackCat ransomware, started calling the clients of victims or the media, tipping them off about the attack. Some gangs have also conducted Distributed Denial of Service (DDoS) attacks on victims that refuse to pay up, and LockBit has started to demand payment to return the stolen data in addition to payment for the decryptor and to prevent the data from being leaked.

Brian Krebs of Krebs on Security recently reported on another new tactic that was uncovered by Alex Holden, founder of the cybersecurity firm Hold Security. Holden gained access to discussions between members of two ransomware operations, Clop and Venus, that are known to target healthcare organizations (see the HC3 alerts about Venus and Clop ransomware).

The Clop ransomware gang has adopted a tactic for attacks on healthcare organizations that involves sending malicious files disguised as ultrasound images to physicians and nurses, and it is one of the gangs that have started targeting healthcare providers that offer online consultations. One message between gang members that Holden was able to access indicates the gang has had success with this tactic. It involves a request for an online consultation from a patient with cirrhosis of the liver. They chose cirrhosis of the liver because they determined a doctor would likely be able to diagnose the condition from an ultrasound scan and the other medical test data that they claim is attached to the email.

Framing Executives for Insider Trading

Holden explained that discussions amongst members of the Venus gang suggest they are struggling to get paid, which has led them to try a new method to pressure victims into paying up. They have been attempting to frame executives of public companies by editing email inboxes to make it appear that the executives have been engaging in insider trading. In at least one attack this proved successful. Messages were inserted that discussed plans to trade large volumes of the company’s stock based on non-public information.

Holden said one of the messages sent by the Venus gang said, “We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison.”

Holden explained that implanting messages into inboxes is not easy, but it is possible for a ransomware actor with access to Outlook .pst files, which an attacker would likely have if they had compromised the victim’s network. Holden said the implanted emails may not stand up to forensic analysis, but they may still be enough to cause a scandal and risk reputational loss, which may be enough to get the victim to pay up.

Defenses Against Ransomware Attacks

The tactics, techniques, and procedures used by ransomware gangs are constantly changing, and with fewer victims paying ransoms, ransomware gangs are increasingly likely to opt for more aggressive tactics. Healthcare organizations should keep up to date with the latest threat intelligence, monitor for attacks using published indicators of compromise (IoCs), and implement the recommended mitigations. To keep options open, it is vital to maintain offline backups and follow the recommended 3-2-1 backup strategy: make three backup copies (one primary and two copies), store them on at least two different media, and keep one of those copies securely offsite. It is also important to prepare for an attack by developing and regularly testing an incident response plan, with tabletop exercises that include members of all teams that will be involved in the breach response. Organizations that have a tested incident response plan recover from ransomware attacks more quickly and incur lower costs.
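As an added example (not code from the HC3 guidance or this post), a short Python check that scores a backup inventory against the 3-2-1 rule described above, plus the offline copy and restore testing the post also recommends; the inventory format, field names, and the 90-day restore-test threshold are assumptions.

```python
"""Check a backup inventory against the 3-2-1 rule (three copies, two
media, one offsite), an offline copy, and recent restore tests.
Added example; inventory fields and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    medium: str                     # e.g. "disk", "tape", "object-storage"
    offsite: bool                   # stored at a different physical site
    offline: bool                   # air-gapped/immutable, unreachable from the LAN
    last_restore_test: Optional[date]   # None = never test-restored


def check_321(copies: List[BackupCopy], today: date,
              max_test_age_days: int = 90) -> List[str]:
    """Return findings; an empty list means 3-2-1 is met, an offline copy
    exists, and every copy was restore-tested within the threshold."""
    findings: List[str] = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; need 3 (primary + 2)")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media))})")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.offline for c in copies):
        findings.append("no offline copy; network-reachable copies can be encrypted too")
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        elif today - c.last_restore_test > timedelta(days=max_test_age_days):
            findings.append(f"{c.name}: restore test older than {max_test_age_days} days")
    return findings


TODAY = date(2022, 12, 15)  # constructed reference date
WEAK = [  # constructed: two NAS copies on the same LAN, never tested
    BackupCopy("primary-nas", "disk", False, False, None),
    BackupCopy("replica-nas", "disk", False, False, None),
]
GOOD = [  # constructed: disk + offline tape + offsite object storage
    BackupCopy("primary-nas", "disk", False, False, TODAY - timedelta(days=10)),
    BackupCopy("weekly-tape", "tape", False, True, TODAY - timedelta(days=30)),
    BackupCopy("cloud-bucket", "object-storage", True, True, TODAY - timedelta(days=5)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("good", GOOD)):
        print(label, check_321(inventory, TODAY) or ["OK"])
```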


HC3 Shares Analyses of LockBit 3.0 and BlackCat Ransomware

The Health Sector Cybersecurity Coordination Center (HC3) has released analyses of two ransomware variants that are being used in attacks on the healthcare sector: LockBit 3.0 and BlackCat.

LockBit 3.0

LockBit ransomware was first detected in September 2019 when it was known as ABCD ransomware. Over the past three years, the ransomware has been continuously improved and updated, and it is now one of the most prolific ransomware families. In 2022, more attacks have been conducted using LockBit ransomware than any other ransomware variant. The cybercriminal group behind LockBit runs a highly professional ransomware-as-a-service (RaaS) operation with a strong affiliate program, which has helped the group stay ahead of its competitors. In a first for a ransomware operation, the release of LockBit 3.0 in June 2022 also saw the launch of a bug bounty program, where security researchers are encouraged to identify vulnerabilities to help the gang improve its operation, for which the group claims it will pay anywhere from $1,000 to $1 million. The ransomware has many anti-analysis features, including requiring a unique 32-character password to be entered each time it is launched.

LockBit 3.0 has most of the same functions as LockBit 2.0 and has code similar to DarkSide and BlackMatter ransomware. It uses the same code as BlackMatter to resolve the API functions it needs, the same method for identifying logical drives, and similar anti-debugging features. Shared functions include the ability to send ransom notes to networked printers, delete Volume Shadow Copies, and identify the victim’s operating system. The latest version of the ransomware has worm capabilities and can spread throughout the network with no human interaction. Once deployed, the ransomware will try to download several post-exploitation tools, such as Mimikatz for credential theft and the penetration testing tools Cobalt Strike and Metasploit.

LockBit uses double extortion tactics, first exfiltrating data and then encrypting files, with threats issued to leak victims’ data if the ransom is not paid. Data is exfiltrated using a malware called StealBit, which automates the process. Following the release of LockBit 3.0, the gang has engaged in triple extortion tactics, where in addition to payment for the decryptor and to prevent a data leak, the victim is told they need to pay a fee to buy back their data. Ransom demands vary, with some attacks seeing ransom demands of millions of dollars. Initial access is gained using a variety of methods, including phishing, RDP compromise and credential abuse, and exploiting vulnerabilities in VPN servers and other known vulnerabilities.

BlackCat

BlackCat ransomware is a newer ransomware variant that was first detected in November 2021. The threat actors behind this ransomware are highly capable and are believed to have significant experience and extensive relationships with some of the most significant players in the cybercriminal world, such as FIN12 and FIN7 (Carbon Spider). The ransomware is also one of the most technically sophisticated variants in use, which allows it to be used in attacks on a wide range of corporate targets.

The ransomware is entirely command-line driven and human-operated and is able to use several different encryption routines. It can be configured for full file encryption, fast (partial) encryption, and DotPattern and SmartPattern encryption, with the latter two combining strength and speed. The ransomware can self-propagate, delete Volume Shadow Copies, and terminate commercial backup software and other services and processes that protect against file encryption. The ransomware will also render hypervisors ineffective to prevent analysis.

BlackCat ransomware has been used in several attacks on the healthcare sector, with the operation known to target pharmaceutical companies and pharmaceutical manufacturers. Like LockBit, multiple methods are used to gain initial access to victims’ networks, including phishing, exploiting known vulnerabilities, compromising remote access technologies such as RDP and VPNs, and distributed attacks, including supply chain and managed service provider compromise.

The ransomware is highly customizable and relies heavily on internally-developed capabilities, which are constantly evolving. Like LockBit, the group runs a professional RaaS operation, which is one of the most sophisticated of any ransomware actor. Several security researchers believe BlackCat to be the successor to REvil, Darkside, and BlackMatter ransomware. The capabilities of the threat actors and the sophisticated nature of the ransomware itself and the RaaS operation make BlackCat ransomware a significant threat.
