How Human-Operated Ransomware Attacks Are Targeting Healthcare Organizations

Bad actors with sysadmin experience take advantage of common network security misconfigurations, probe defenses, and adapt to what is revealed. Lately, human adversaries have been observed spending months stealing and adding credentials while leaving barely discernible footprints that enable lateral movement in compromised networks. These are not hit-and-run operations that break in, encrypt data, and make immediate ransom demands.

Small, everyday detection alerts that seem easy to dismiss may be signs of a network being probed by someone who has already gained access and is learning what the threshold for scrutiny is. These long-game intrusions aren’t always concerned with stealth. By using built-in local administrator accounts, common account names, or even the service accounts of known vendors, these bad actors may move around freely without attracting attention.

It may be the devastating ransomware news story that gets attention, but what you’re not hearing is how things got to that point. While exploring network vulnerabilities, these human adversaries may use single machines for other purposes, as recently observed: sending a short burst of spam email, or having an internal machine complete a network scan for other vulnerabilities in a matter of seconds. In other words, many of these ransomware attacks are patiently waiting for the best opportunity to exploit a vulnerability they have found.
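The two signals described above (a built-in admin or vendor service account quietly touching host after host, and a single internal machine briefly scanning the network or blasting out mail) are the kind of low-level alerts that are easy to dismiss one at a time but stand out when correlated. The following is an added example, not code from the original post: a small correlation pass over constructed logon and network-flow records. The record layout, account names, hostnames and thresholds are all assumptions chosen for illustration; a real deployment would read Windows security events or firewall flow logs and tune the thresholds to its own baseline.

```python
"""Correlate low-and-slow signals over constructed logon and flow records.

Added example, not from the original post. Record formats, hostnames,
account names and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records: (timestamp, destination host, account, source host)
LOGONS = [
    ("2024-03-01T02:10:00", "WS-101", "Administrator", "WS-077"),
    ("2024-03-01T02:14:00", "FS-02", "Administrator", "WS-077"),
    ("2024-03-01T03:02:00", "DB-01", "Administrator", "WS-077"),
    ("2024-03-01T03:40:00", "WS-212", "Administrator", "WS-077"),
    ("2024-03-01T09:00:00", "WS-101", "jsmith", "WS-101"),
    ("2024-03-01T09:05:00", "WS-101", "svc_vendorbackup", "BK-01"),
    ("2024-03-02T01:00:00", "WS-300", "svc_vendorbackup", "WS-077"),
    ("2024-03-02T01:03:00", "WS-301", "svc_vendorbackup", "WS-077"),
    ("2024-03-02T01:09:00", "WS-302", "svc_vendorbackup", "WS-077"),
]

# Accounts an intruder can hide behind: the built-in local admin, common names,
# and a (constructed) vendor service account that normally touches few hosts.
WATCHED_ACCOUNTS = {"Administrator", "admin", "svc_vendorbackup"}

# Constructed sample flow records: (timestamp, source host, destination, destination port)
FLOWS = (
    # WS-077 touches 25 distinct internal hosts on SMB within five seconds: a scan
    [(f"2024-03-01T02:20:{i // 5:02d}", "WS-077", f"10.0.5.{i + 1}", 445) for i in range(25)]
    # WS-150 opens 12 outbound SMTP connections in under half a minute: a spam burst
    + [(f"2024-03-01T04:00:{i * 2:02d}", "WS-150", f"203.0.113.{i + 1}", 25) for i in range(12)]
    # WS-101 does ordinary file-share traffic
    + [("2024-03-01T09:01:00", "WS-101", "FS-02", 445),
       ("2024-03-01T09:01:30", "WS-101", "FS-02", 445),
       ("2024-03-01T09:02:00", "WS-101", "FS-02", 445)]
)


def parse(ts):
    return datetime.fromisoformat(ts)


def _max_distinct_in_window(events, window, key):
    """Largest number of distinct key(event) values inside any window that
    starts at one of the (time-sorted) events."""
    best = 0
    for i, first in enumerate(events):
        t0 = first[0]
        seen = {key(ev) for ev in events[i:] if ev[0] - t0 <= window}
        best = max(best, len(seen))
    return best


def account_fanout_alerts(logons, watched, window=timedelta(hours=24), min_hosts=3):
    """Flag a watched account that reaches min_hosts or more distinct
    destination hosts from a single source host within the window."""
    by_key = defaultdict(list)
    for ts, dest, account, src in logons:
        if account in watched:
            by_key[(account, src)].append((parse(ts), dest))
    alerts = []
    for (account, src), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, src, sorted(hosts)))
                break
    return alerts


def burst_alerts(flows, scan_window=timedelta(seconds=10), min_targets=20,
                 smtp_window=timedelta(seconds=60), min_smtp=10, smtp_port=25):
    """Flag a source host that hits many distinct (destination, port) pairs in
    seconds, or opens many outbound SMTP connections in a minute."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((parse(ts), dst, port))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        targets = _max_distinct_in_window(events, scan_window, key=lambda e: (e[1], e[2]))
        if targets >= min_targets:
            alerts.append((src, "port_scan", targets))
        smtp = [e for e in events if e[2] == smtp_port]
        smtp_hits = _max_distinct_in_window(smtp, smtp_window, key=lambda e: e)
        if smtp_hits >= min_smtp:
            alerts.append((src, "smtp_burst", smtp_hits))
    return alerts


if __name__ == "__main__":
    for a in account_fanout_alerts(LOGONS, WATCHED_ACCOUNTS):
        print("account fan-out:", a)
    for a in burst_alerts(FLOWS):
        print("host burst:", a)
```

Run stand-alone, it reports the Administrator account reaching four hosts from WS-077 overnight, the vendor service account reaching three hosts from a workstation it has no business on, WS-077's 25-target SMB sweep and WS-150's SMTP burst, while the ordinary user and file-share traffic stay silent. The point is not the thresholds but the grouping: each of these events alone looks like routine noise, and only the per-account and per-source aggregation over a time window makes them worth a second look.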

Healthcare organizations (HCOs) are the second most popular target behind financial institutions because of the payoff amounts attackers can get when successful. And HCOs spend far fewer dollars on cybersecurity than the financial sector.

The #1 defense against ransomware is having an excellent data backup and recovery system. The reason ransomware works is that it denies access to or alters essential enterprise or patient data. If you have a copy of that data which is not locked or altered and a procedure to quickly restore it, you have your way out of the data prison. Sure, an adversary could also threaten to release captured data to prove a compromised system, but this is different from a ransomware attack that stops patient care or hospital operations. It doesn’t mean you should not also be taking other steps to reduce data risk, but you can’t get locked out of your house for long if you keep a spare copy of the keys somewhere safe.
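A backup only gets you out of the data prison if the copy you restore from is actually unlocked and unaltered, so the restore procedure should check integrity before it trusts the copy. The following is an added example, not code from the original post: a hash manifest is written when the backup is taken, and a restore candidate is checked against it so that encrypted, renamed or missing files are reported before restore begins. The directory layout, file names and the tamper simulation are constructed for illustration.

```python
"""Verify a backup copy against a hash manifest before restoring from it.

Added example, not from the original post. File names and the simulated
tampering are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(root, manifest):
    """Compare the copy under root with the manifest taken at backup time.

    'altered' covers files whose content changed (e.g. encrypted in place),
    'missing' covers files that vanished or were renamed, and 'extra' covers
    files that appeared afterwards (renamed originals, ransom notes)."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "altered": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Build a constructed backup, verify it clean, then verify it after simulated tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "patient_records"
        copy.mkdir()
        (copy / "a.txt").write_text("record A")
        (copy / "b.txt").write_text("record B")

        # Manifest is written at backup time and, in practice, kept with the
        # offline/immutable copy so it cannot be rewritten along with the data.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(copy), indent=2))
        manifest = json.loads(manifest_path.read_text())
        clean = verify_copy(copy, manifest)

        # Simulated tampering: one file overwritten, one renamed, one note dropped.
        (copy / "a.txt").write_bytes(b"\x00garbled")
        (copy / "b.txt").rename(copy / "b.txt.locked")
        (copy / "README_RESTORE.txt").write_text("constructed note")
        tampered = verify_copy(copy, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before)
    print("tampered copy:", after)
```

The manifest must live somewhere the attacker cannot reach along with the data (offline media or immutable object storage); a manifest stored beside the backup on the same writable share can simply be regenerated after the files are encrypted, and the check would pass. Running the verification as a scheduled job, rather than only at restore time, also turns a silently corrupted backup into one of the small early alerts this post describes.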

The human factor is highly impactful in preventing cybersecurity failures. Kaspersky conducted a survey among healthcare workers and found that 32% had never received cybersecurity training from their workplace. Additionally, 10% of managers weren’t aware of a cybersecurity policy.

Some of the most vulnerable attack vectors right now are VPN and remote access connections. HCOs have far less experience in managing remote access than other systems. Flaws in the newer crop of remote access products leave even more vulnerabilities, and therefore opportunities ripe for exploitation. This is another reason why completing initial risk assessments and conducting re-assessments with product updates is essential. You can’t easily guard against things of which you are not even aware. Even established remote access products like Citrix have been shown to include vulnerabilities.

Our advice for combating ransomware threats starts with robust backup and recovery systems. Train all staff on cybersecurity policies and conduct awareness training to minimize threats even beyond ransomware. And keep risk assessments up-to-date for 100% of technology vendors, especially as those products change. Awareness is essential to know where and when to act. For a deep dive into the strategy of human-operated ransomware attacks, we recommend reading Microsoft’s report on prevention.
