Healthcare ransomware environment worsens, Beazley warns

In the first quarter of 2019, the number of ransomware attack notifications received by Beazley Breach Services doubled, compared with the same quarter last year.

Not only has the frequency of attacks skyrocketed, but attackers are shifting focus by targeting larger organizations and demanding higher ransom payments.

In 2015 and 2016, ransomware was a significant threat, but it was more of a commodity—many attackers were still unsophisticated, so they were asking for what today would be considered modest ransom demands to return control of information systems, says Brett Anderson, breach response services manager at data security firm Beazley Breach.

Now, they are smarter and more sophisticated, he warns. These attackers know how to tap into a system, capture the keylogger and steal credentials and money.

In the healthcare industry attackers are finding success using Ryuk, a variant of ransomware, used to infiltrate networks and targeting all backups, with some hospitals paying hundreds of thousands of dollars to get their data back.

Also See: Why bots pose an increasing challenge to healthcare organizations

Healthcare organizations also have to beware of “banking” Trojans, which are malicious programs used in an attempt to obtain confidential information about customers and clients using online banking and payment systems, according to Anderson.

“Although banking Trojans are not new, having first hit Beazley’s radar in 2015, they are increasingly problematic for businesses,” he explains. “Originally designed to steal banking credentials from users of online banking websites, recent variants of banking Trojans such as Emotet and Trickbot have been used by criminals to harvest all kinds of account details.”

Anderson-Brett-CROP.jpg

Like many information security professionals, Anderson strongly recommends provider organizations participate in Patch Tuesday, a never-missed time on the second and fourth Tuesday to go through networks and find operating systems that need patching, particularly systems that are no longer supported but keep running and doing their tasks. “Every organization with Windows should be patching on Tuesday,” he emphasizes.

Courtesy of Beazley, below is the journey of a banking Trojan:

* A phishing email appears in the user’s inbox. Often, it will use stolen logos and design from a trusted financial institution or technology company. The email may simulate an alert about account activity and direct the victim to a fake web page or request urgent review of a Microsoft Office or PDF attachment.

* Once the user clicks, a macro will launch to install or download additional malware and untrained users will click to enable macros to run if the IT department has not disabled the capability.

* After installation, banking Trojans are adept at disguising themselves and establishing persistence.

*Once one machine is infected, banking Trojans spread quickly through the network. They will harvest any network credentials possible and use them to attack other systems on the network. They exploit unpatched Microsoft Server Message Block vulnerabilities (like those involved in the spread of the WannaCry virus), and harvest any personal credentials entered or stored on the system.

* Stolen credentials aren’t the only risk. Once established on an endpoint or network, the Trojan can download other, more damaging malware.

For reprint and licensing requests for this article, click here.