SpiderLabs Blog

Healthcare Threat Landscape 2022-2023: Common TTPs Used by Top Ransomware Groups Targeting the Healthcare Sector

Written by Serhii Melnyk , Greg Monson | Jul 27, 2023 6:28:00 AM

The healthcare sector has been under constant threat from cybercriminals due to the sensitive nature of patient data and the valuable information held by healthcare providers. This blog analyzes the ransomware landscape for the healthcare sector for the years 2022-2023.

This report uses data compiled for the recently released Trustwave SpiderLabs research: Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape report.

Based on current trends and emerging risks, this report will explore the common TTPs used by the most prevalent ransomware groups, including distribution methods, ways to bypass security measures, and techniques for maximizing impact and disruption. By prioritizing their efforts to defend against ransomware attacks, healthcare organizations can help mitigate the significant risks and potential harm posed by this persistent and evolving threat.

Introduction

The healthcare sector faces unique challenges when it comes to ransomware. Healthcare providers are entrusted with sensitive patient data, which makes them a prime target for ransomware gangs seeking to steal this information for financial gain or other nefarious purposes. In addition, the highly regulated nature of the healthcare industry and the complexity of healthcare systems pose unique challenges in terms of implementing and maintaining robust cybersecurity measures.

The healthcare sector remains an attractive ransomware target to a wide range of malicious actors with various motivations:

  • Financially motivated actors may seek to steal patient data or launch ransomware attacks for financial gain, while insiders may target healthcare organizations for the same reason. At present, ransomware attacks have been more impactful on the healthcare sector compared to other types of less organized or sophisticated cybercrime, such as botnets or the re-use and re-sale of patient health information (PHI). However, it is important to note that these attacks and activities can still have significant consequences for healthcare providers and their patients. For example, the re-use and re-sale of PHI can lead to identity theft, fraud, and other forms of financial loss for patients, as well as reputational damage for healthcare providers. Additionally, botnets and other less sophisticated cybercrime tactics can still be used to compromise healthcare systems and steal data, which attackers can use for further criminal activity.
  • Furthermore, while ransomware attacks may be more visible and impactful in the short term, the long-term effects of other types of cybercrime may be more insidious and harder to detect. For example, the exposure of PHI can lead to ongoing identity theft and fraud that can persist for years. As Coveware’s latest report states, the healthcare sector remained the most heavily targeted industry for ransomware attacks, accounting for 30% of all incidents. This research suggests that ransomware threat actors are still actively targeting healthcare providers and may be adapting their tactics to bypass improved security measures and backups. The report highlights that the average ransom demand for healthcare organizations has increased, indicating that ransomware actors are becoming more aggressive in their attacks and extortion tactics, seeking larger pay-outs.
  • While medical software remains less attractive to nation-states attackers as some other types of critical infrastructure, the healthcare sector is still a significant target for espionage-related attacks. Espionage-oriented actors may target healthcare organizations for political or economic gain, using tactics such as wipers/ransomware-like attacks or cyber sabotage to disrupt healthcare services. Healthcare organizations possess a vast amount of sensitive patient data, intellectual property related to medical research, and other confidential information that can be of interest to nation-state APT groups. Additionally, the healthcare sector is critical to the functioning of society and is therefore an attractive target for those seeking to cause disruption or harm. As of now, we assess that attackers may not spend as much time or resources developing tailored malware or TTPs for the healthcare sector (in comparison to ICS/OT/SCADA environments, for example), they may still use a variety of “applied to all” tactics to compromise healthcare organizations, including social engineering, phishing, and exploiting vulnerabilities in software and hardware. Moreover, attackers may seek to compromise healthcare providers indirectly by targeting medical supply chains and vendors, as we have seen in recent attacks. This allows attackers to gain access to healthcare systems and data without directly targeting medical software. Although medical software may not be as unique of a target as other types of critical infrastructure, the healthcare sector is still a high-value target for espionage-related attacks, and healthcare providers must remain vigilant against these threats.
  • While the healthcare sector remains vulnerable to various types of cyberattacks, ransomware continues to be the most significant threat to the sector, with recent reports indicating the industry is still the most heavily targeted for such attacks. Compared to other types of cybercrime, ransomware attacks have been more impactful, causing significant disruption and financial losses for healthcare providers and patients.

Ransomware

Ransomware has become an increasingly popular choice for threat actors due to its lower barrier to entry compared to other forms of malware. Previously, executing a ransomware attack required years of development, penetration testing experience, and cryptography, while the profits were only moderate. However, Ransomware-as-a-Service (RaaS) programs have now proliferated on illicit and underground web forums, making it easy and inexpensive for threat actors to partner with ransomware authors. These programs are highly developed, complete with user dashboards, guides, and technical support, and the payoff is growing. With the automation of advanced penetration testing tools (like Cobalt Strike, Brute Ratel, DeimosC2, Metasploit, etc.) and the increased availability of corporate network access through illicit communities, access to corporations has become more available, and ransomware demands are getting higher and more profitable. Ransomware's integration with data exfiltration allows for even higher ransoms by threatening the potential risk of legal action against the victim corporation. Therefore, ransomware is becoming increasingly influential and more destructive.

It is crucial for healthcare organizations to focus on understanding the tactics, techniques, and procedures (TTPs) of the most prevalent ransomware groups targeting the industry. By doing so, organizations can better defend themselves against ransomware attacks and protect their valuable data and critical infrastructure.

Evolution of Ransomware

Ransomware has been evolving since the late 1980s, with the first known ransomware attack occurring in 1989. However, it wasn't until the mid-2000s that ransomware started to become a significant threat, with the emergence of malware families like Gpcode and TROJ_RANSOM.A. These early ransomware attacks were relatively unsophisticated, relying on simple encryption to lock victims out of their files. Over time, ransomware attacks became more sophisticated, with the use of more advanced encryption techniques and the introduction of "police-themed" ransomware that claimed to be from law enforcement agencies. These attacks often demanded payment in the form of prepaid debit cards rather than Bitcoin. In 2013, the emergence of the CryptoLocker ransomware marked a significant shift in the ransomware landscape, as it introduced public key cryptography to encrypt files, making it much more difficult for victims to recover their data without paying the ransom. This practice also marked the beginning of the trend of ransomware operators demanding increasingly large sums of money from their victims. Since then, ransomware has continued to evolve, with the emergence of new families of ransomware such as Locky, WannaCry, and Petya/NotPetya. These newer variants often have advanced features such as worm-like capabilities that allow them to spread rapidly across networks and the use of advanced evasion techniques to avoid detection by security solutions.

Ransomware attacks can be divided into five evolutionary stages:

  • The first generation of ransomware attacks emerged in 1989, known as the "AIDS Trojan," which spread via floppy disks and encrypted file names, demanding a ransom payment of $189.
  • The second generation of ransomware attacks emerged in the mid-2000s, when attackers utilized social engineering tactics such as fake antivirus software and email phishing scams to distribute their ransomware.
  • The third generation of ransomware attacks emerged in 2012, when attackers introduced more sophisticated encryption algorithms and anonymous payment methods such as Bitcoin.
  • The fourth generation of ransomware attacks emerged in 2016, when attackers began using advanced tactics such as exploiting vulnerabilities in software and using sophisticated social engineering techniques to evade detection.
  • The fifth generation of ransomware attacks emerged in 2019, when attackers began using "double extortion" tactics, which involved stealing sensitive data before encrypting it and demanding a ransom payment for its return.

Ransomware attacks on the healthcare sector have also evolved significantly over the years. Initially, ransomware attacks were mostly opportunistic and untargeted, with attackers spreading ransomware indiscriminately through spam emails and exploit kits. However, in recent years, ransomware attacks have become increasingly targeted and sophisticated, with attackers conducting reconnaissance to identify vulnerable targets and focusing on high-value systems and data. Healthcare organizations are an attractive target for ransomware attackers due to the sensitive and critical nature of the data they store, as well as the potential for significant financial pay-outs.

Attackers have also been known to take advantage of healthcare organizations outdated or inadequate cybersecurity measures and the high value placed on maintaining availability of critical systems. Double-extortion tactics, in which attackers not only encrypt the victim's data but also threaten to publicly release it if the ransom is not paid, have become increasingly common in ransomware attacks on the healthcare sector. Additionally, attackers have begun to use more advanced and stealthy techniques, such as living-off-the-land (LOTL) attacks and file less malware, to evade detection by traditional security measures. Ransomware attacks on the healthcare sector have become more targeted, sophisticated, and damaging over time.

Methodology

For this blog, we first identified the most prevalent ransomware groups that targeted the healthcare sector. We then used our ransomware profiles to gather each group’s assigned TTPs and combined them in the MITRE ATT&CK® navigator. Based on victimology, we evaluated the top five ransomware groups and assigned a value to each of the TTPs used. We identified overlaps and determined which TTPs were most frequently employed. A TTP that all five used is shown in red, while a TTP that was unique to a single ransomware group is denoted in a specifically assigned color.

Figure 1: This image depicts the MITRE ATT&CK® TTPs for the most prevalent ransomware groups targeting the healthcare industry (TTP overlaps in red), while images below are showing TTPs of those groups separately.

 

TA0001 – Initial Access
T1190 Exploit Public-Facing Application
T1133 External Remote Services
T1566 Phishing
T1078 Valid Accounts
TA0002 - Execution
T1059 Command and Scripting Interpreter
TA0003 – Persistence
T1543 Create or Modify System Process
T1133 External Remote Services
T1574 Hijack Execution Flow
T1078 Valid Accounts
TA0004 Privilege Escalation
T1543 Create or Modify System Process
T1484 Domain Policy Modification
T1068 Exploitation for Privilege Escalation
T1574 Hijack Execution Flow
T1055 Process Injection
T1078 Valid Accounts
TA0005 – Defense Evasion
T1140 Deobfuscate/Decode Files or Information
T1484 Domain Policy Modification
T1574 Hijack Execution Flow
T1562 Impair Defences
T1070 Indicator Removal
T1112 Modify Registry
T1055 Process Injection
T1218 System Binary Proxy Execution
T1078 Valid Accounts
TA0007 - Discovery
T1087 Account Discovery
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1069 Permission Groups Discovery
T1018 Remote System Discovery
T1082 System Information Discovery
TA0008 – Lateral Movement
T1570 Lateral Tool Transfer
T1021 Remote Services
TA0009 - Collection
T1005 Data from Local System
TA0011 – Command and Control
T1071 Application Layer Protocol
T1105 Ingress Tool Transfer
T1572 Protocol Tunnelling
TA0010 – Exfiltration
T1567 Exfiltration Over Web Service
TA0040 – Impact
T1486 Data Encrypted for Impact
T1490 Inhibit System Recovery
T1489 Service Stop

Figure 2: This image depicts LockBit 3.0 MITRE ATT&CK® TTPs

TA0001 – Initial Access
T1189 Drive-by Compromise
T1190 Exploit Public-Facing Application
T1133 External Remote Services
T1566 Phishing
T1078 Valid Accounts
T1078.002 Valid Accounts – Domain Accounts
TA0002 - Execution
T1059  Command and Scripting Interpreter
T1072 Software Deployment Tools
T1569 System Services
T1569.002 System Services – Service Execution
T1047 Windows Management Instrumentation
TA0003 – Persistence
T1547 Boot or Logon AutoStart Execution
T1136 Create Account
T1133 External Remote Services
T1078 Valid Accounts
TA0004 Privilege Escalation
T1547 Boot or Logon AutoStart Execution
T1078 Valid Accounts
TA0005 – Defense Evasion
T1480 Execution Guardrails
T1480.001 Execution Guardrails – Environmental Keyring
T1070 Indicator Removal
T1070.004 Indicator Removal – File Deletion 
T1027 Obfuscated Files or Information
T1078 Valid Accounts
TA0006 – Credential Access
T1003 OS Credential Dumping
T1003.001 OS Credential Dumping – LSASS Memory
TA0007 - Discovery
T1046 Network Service Discovery
T1082 System Information Discovery
T1614 System Location Discovery
T1614.001 System Location Discovery – System Language Discovery
TA0008 – Lateral Movement
T1021 Remote Services
T1021.001 Remote Services – Remote Desktop Protocol
T1072 Software Deployment Tools
TA0011 – Command and Control
T1071 Application Layer Protocol
T1071.002 Application Layer Protocol – File Transfer Protocols
T1572 Protocol Tunneling
TA0010 – Exfiltration
T1048 Exfiltration Over Alternative Protocol
T1567 Exfiltration Over Web Service
T1567.002 Exfiltration Over Web Service – Exfiltration to Cloud Storage
TA0040 – Impact
T1485 Data Destruction
T1486 Data Encrypted for Impact
T1491 Defacement
T1491.001 Defacement – Internal Defacement
T1490 Inhibit System Recovery
T1489 Service Stop

Figure 3: This image depicts ALPHV/BlackCat MITRE ATT&CK® TTPs

TA0043 - Reconnaissance
T1589.001 Gather Victim Identity Information - Credentials
TA0042 – Resource Development
T1587.001 Develop Capabilities – Malware
T1588.002 Obtain Capabilities - Tool
TA0001 – Initial Access
T1190 Exploit Public-Facing Application
T1078 Valid Accounts
T1078.002 Valid Accounts – Domain Accounts
TA0002 - Execution
T1059  Command and Scripting Interpreter
T1059.003 Command and Scripting Interpreter – Windows Command Shell
TA0003 – Persistence
T1078 Valid Accounts
TA0004 Privilege Escalation
T1548 Abuse Elevation Control Mechanism
T1548.002 Abuse Elevation Control Mechanism – Bypass User Account Control
T1055 Process Injection
T1078 Valid Accounts
TA0005 – Defense Evasion
T1548 Abuse Elevation Control Mechanism
T1222 File and Directory Permissions Modification
T1222.001 File and Directory Permissions Modification – Windows File and Directory Permissions Modification
T1562.001 Impair Defences – Disable or Modify Tools
T1562.009 Impair Defences – Safe Mode Boot
T1070.001 Indicator Removal – Clear Windows Event Logs
T1055 Process Injection
T1078 Valid Accounts
TA0006 – Credential Access
T1003.001 OS Credential Dumping – LSASS Memory
TA0007 - Discovery
T1087 Account Discovery
T1087.002 Account Discovery – Domain Account
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1069 Permission Groups Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1016 System Network Configuration Discovery
TA0008 – Lateral Movement
T1570 Lateral Tool Transfer
T1021.002 Remote Services – SMB/Windows Admin Shares
TA0011 – Command and Control
T1071 Application Layer Protocol
T1071.001 Application Layer Protocol – Web Protocols
TA0010 – Exfiltration
T1048 Exfiltration Over Alternative Protocol
T1567 Exfiltration Over Web Service
TA0040 – Impact
T1486 Data Encrypted for Impact
T1491.001 Defacement – Internal Defacement
T1490 Inhibit System Recovery
T1489 Service Stop

Figure 4: This image depicts Cl0p MITRE ATT&CK® TTPs

TA0001 – Initial Access
T1190 Exploit Public-Facing Application
T1566 Phishing
T1566.001 Phishing – Spearphishing Attachment
T1078 Valid Accounts
TA0002 - Execution
T1059 Command and Scripting Interpreter
T1059.003 Command and Scripting Interpreter – Windows Command Shell
T1106 Native API
T1204 User Execution
TA0003 – Persistence
T1547 Boot or Logon AutoStart Execution
T1543 Create or Modify System Process
T1543.003 Create or Modify System Process – Windows Service
T1546 Event Triggered Execution
T1546.004 Event Triggered Execution – Unix Shell Configuration Modification
T1574 Hijack Execution Flow
T1078 Valid Accounts
TA0004 Privilege Escalation
T1547 Boot or Logon AutoStart Execution
T1543 Create or Modify System Process
T1484 Domain Policy Modification
T1484.001 Domain Policy Modification – Group Policy Modification
T1546 Event Triggered Execution
T1546.004 Event Triggered Execution – Unix Shell Configuration Modification
T1068 Exploitation for Privilege Escalation
T1574 Hijack Execution Flow
T1055 Process Injection
T1078 Valid Accounts
TA0005 – Defense Evasion
T1140 Deobfuscate/Decode Files or Information
T1484 Domain Policy Modification
T1222 File and Directory Permissions Modification
T1222.002 File and Directory Permissions Modification – Linux and Mac File and Directory Permissions Modification
T1574 Hijack Execution Flow
T1562 Impair Defences
T1562.001 Impair Defences – Disable or Modify Tools
T1070 Indicator Removal
T1070.001 Indicator Removal – Clear Windows Event Logs
T1070.004 Indicator Removal – File Deletion
T1202 Indirect Command Execution
T1036 Masquerading
T1036.001 Masquerading – Invalid Code Signature
T1112 Modify Registry
T1027 Obfuscated Files or Information
T1027.002 Obfuscated Files or Information – Software Packing
T1055 Process Injection
T1055.001 Process Injection – Dynamic-link Library Injection
T1553 Subvert Trust Controls
T1553.002 Subvert Trust Controls – Code Signing
T1218 System Binary Proxy Execution
T1218.007 System Binary Proxy Execution - Msiexec
T1078 Valid Accounts
T1497 Virtualization/Sandbox Evasion
TA0007 - Discovery
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1057 Process Discovery
T1012 Query Registry
T1018 Remote System Discovery
T1518 Software Discovery
T1082 System Information Discovery
T1614 System Location Discovery
T1497 Virtualization/Sandbox Evasion
TA0008 – Lateral Movement
T1570 Lateral Tool Transfer
T1021 Remote Services
T1021.002 Remote Services – SMB/Windows Admin Shares
TA0009 - Collection
T1005 Data from Local System
T1114 Email Collection
TA0011 – Command and Control
T1071 Application Layer Protocol
T1105 Ingress Tool Transfer
TA0010 – Exfiltration
T1567 Exfiltration Over Web Service
TA0040 – Impact
T1486 Data Encrypted for Impact
T1490 Inhibit System Recovery
T1489 Service Stop

Figure 5: This image depicts BlackBasta MITRE ATT&CK® TTPs

TA0001 – Initial Access
T1566 Phishing
T1566.001 Phishing – Spearphishing Attachment
T1566.002 Phishing – Spearphishing Link
T1078 Valid Accounts 
TA0002 - Execution
T1059  Command and Scripting Interpreter
T1059.001 Command and Scripting Interpreter – PowerShell
T1053 Scheduled Task/Job
T1569 System Services
T1569.002 System Services – Service Execution
T1204.001 User Execution – Malicious Link
T1047 Windows Management Instrumentation
TA0003 – Persistence
T1098 Account Manipulation
T1136 Create Account
T1543 Create or Modify System Process
T1574 Hijack Execution Flow
T1053 Scheduled Tasks/Job
T1078 Valid Accounts
TA0004 Privilege Escalation
T1543 Create or Modify System Process
T1543.003 Create or Modify System Process – Windows Service
T1484 Domain Policy Modification
T1068 Exploitation for Privilege Escalation
T1574 Hijack Execution Flow
T1574.001 Hijack Execution Flow – DLL Search Order Hijacking
T1055 Process Injection
T1053 Scheduled Task/Job
T1078 Valid Accounts
TA0005 – Defense Evasion
T1622 Debugger Evasion
T1140 Deobfuscate/Decode Files or Information
T1484 Domain Policy Modification
T1484.001 Domain Policy Modification – Group Policy Modification
T1574 Hijack Execution Flow
T1562 Impair Defences
T1562.001 Impair Defences – Disable or Modify Tools
T1562.009 Impair Defences – Safe Mode Boot
T1070 Indicator Removal
T1070.004 Indicator Removal – File Deletion
T1112 Modify Registry
T1055 Process Injection
T1055.012 Process Injection – Process Hollowing
T1620 Reflective Code Loading
T1218 System Binary Proxy Execution
T1218.010 System Binary Proxy Execution – Regsvr32
T1218.011 System Binary Proxy Execution – Rundll32
T1078 Valid Accounts
TA0006 – Credential Access
T1555 Credentials from Password Stores
T1555.003 Credentials from Password Stores – Credentials from Web Browsers
T1003 OS Credential Dumping
TA0007 - Discovery
T1087 Account Discovery
T1087.002 Account Discovery – Domain Account
T1010 Application Window Discovery
T1622 Debugger Evasion
T1482 Domain Trust Discovery
T1083 File and Directory Discovery
T1135 Network Share Discovery
T1018 Remote System Discovery
T1082 System Information Discovery
T1049 System Network Connections Discovery
T1033 System Owner/User Discovery
TA0008 – Lateral Movement
T1570 Lateral Tool Transfer
T1021 Remote Services
T1021.001 Remote Services – Remote Desktop Protocol
TA0009 - Collection
T1560 Archive Collected Data
T1560.001 Archive Collected Data – Archive via Utility
T1005 Data from Local System
TA0011 – Command and Control
T1071 Application Layer Protocol
T1573 Encrypted Channel
T1572 Protocol Tunnelling
T1090 Proxy
T1219 Remote Access Software
TA0010 – Exfiltration
T1041 Exfiltration Over C2 Channel
T1567 Exfiltration Over Web Service
T1567.002 Exfiltration Over Web Service – Exfiltration to Cloud Storage
TA0040 – Impact
T1486 Data Encrypted for Impact
T1491.001 Defacement – Internal Defacement
T1490 Inhibit System Recovery
T1489 Service Stop

Figure 6: This image depicts Royal MITRE ATT&CK® TTPs

TA0001 – Initial Access
T1190 Exploit Public-Facing Application
T1133 External Remote Services
T1566 Phishing
T1566.001 Phishing – Spearphishing Attachment
T1566.002 Phishing – Spearphishing Link
T1078 Valid Accounts
TA0002 - Execution
T1059 Command and Scripting Interpreter
TA0003 – Persistence
T1133 External Remote Services
T1078 Valid Accounts
TA0004 Privilege Escalation
T1484 Domain Policy Modification
T1078 Valid Accounts
T1078.002 Valid Accounts – Domain Accounts
TA0005 – Defense Evasion
T1484 Domain Policy Modification
T1484.001 Domain Policy Modification – Group Policy Modification
T1562 Impair Defences
T1562.001 Impair Defences – Disable or Modify Tools
T1070 Indicator Removal
T1070.001 Indicator Removal – Clear Windows Event Logs
T1112 Modify Registry
T1078 Valid Accounts
TA0007 - Discovery
T1069 Permission Groups Discovery
T1069.002 Permission Groups Discovery – Domain Groups
T1018 Remote System Discovery
TA0008 – Lateral Movement
T1570 Lateral Tool Transfer
T1021 Remote Services
T1021.001 Remote Services – Remote Desktop Protocol
TA0009 - Collection
T1119 Automated Collection
TA0011 – Command and Control
T1105 Ingress Tool Transfer
T1095 Non-Application Layer Protocol
T1572 Protocol Tunnelling
TA0010 – Exfiltration
T1567 Exfiltration Over Web Service
TA0040 – Impact
T1486 Data Encrypted for Impact
T1490 Inhibit System Recovery

Top 5 TTPs

Ransomware groups are using a wide range of MITRE ATT&CK® TTPs, as shown in Figure 1. We observed Phishing, Valid Accounts, Remote Services and Data Encrypted for Impact, to be among the most utilized / shared TTPs by all five ransomware groups within the healthcare sector. The following section will discuss these most common TTPs following the MITRE methodology.

Phishing (T1566)

We observed all five reported ransomware groups relying on phishing. Phishing (T1566) is a commonly used tactic in ransomware operations against healthcare organizations. Attackers use social engineering techniques to trick employees into clicking on malicious links or downloading malicious attachments. These phishing emails often impersonate a trusted entity or contain urgent language to increase the likelihood of a successful attack.

LockBit ransomware uses phishing emails to deliver their malware to healthcare organizations. In one instance, LockBit targeted a large healthcare provider in the United States by sending a phishing email that appeared to be from the company's HR department. The email contained a malicious attachment that, when opened, installed the LockBit ransomware on the victim's system. Similarly, the BlackCat ransomware group has been observed using phishing emails to distribute their malware. In one attack on a healthcare provider, the group sent a phishing email that appeared to be from a trusted vendor. The email contained a malicious attachment that, when opened, installed the BlackCat ransomware on the victim's system.

The BlackBasta ransomware group has also been known to use phishing emails to deliver their malware. In one instance, the group sent a phishing email that appeared to be from a legitimate shipping company. The email contained a malicious attachment that, when opened, installed the BlackBasta ransomware on the victim's system. Cl0p ransomware has also used phishing emails to distribute its malware. In one instance, the group sent a phishing email that appeared to be from a trusted financial institution. The email contained a link to a fake login page that, when accessed, installed the Cl0p ransomware on the victim's system. Finally, the Royal ransomware group has been known to use phishing emails to deliver their malware to healthcare organizations. In one attack, the group sent a phishing email that appeared to be from a legitimate software vendor. The email contained a malicious attachment that, when opened, installed the Royal ransomware on the victim's system.

Valid Accounts (T1078)

Valid Accounts is another common attack vector ransomware groups use to infiltrate healthcare organizations. This tactic involves using legitimate credentials, such as stolen or weak passwords, to gain access to the organization's network and systems. Once inside, the attacker can move laterally and escalate privileges to gain greater access and control over the target environment. The use of valid accounts is particularly effective in healthcare settings, where access to sensitive patient data is necessary for employees to perform their job functions. Attackers can exploit this reliance on access by using stolen credentials to move freely within the network undetected. Here are some examples of ransomware attacks on healthcare organizations that leveraged valid accounts as an attack vector:

  • LockBit: In a recent attack against a US healthcare provider, an attacker used LockBit ransomware to encrypt the organization's data. The attackers reportedly gained access to the network using valid credentials, which they likely obtained through a previous phishing attack.
  • BlackCat: This ransomware group is known to use a combination of phishing and stolen credentials to gain access to healthcare networks. In a recent attack on a Canadian healthcare organization, BlackCat used stolen remote desktop credentials to access the network and deploy its ransomware.
  • Cl0p: This ransomware group also uses valid accounts to infiltrate healthcare organizations. In a recent attack on a large medical diagnostics company, Cl0p used stolen credentials to gain access to the network and deploy its ransomware.
  • Royal: This ransomware group has been active since at least 2019 and has targeted healthcare organizations in the US and Europe. In a recent attack on a US healthcare provider, Royal ransomware was used to encrypt the organization's data. The attackers gained access to the network using stolen credentials.

Ransomware groups often use valid accounts as an attack vector to infiltrate healthcare organizations. This tactic allows them to move laterally within the network undetected and gain access to sensitive patient data.

Remote Services (T1021)

Remote Services (T1021) is a commonly used tactic by ransomware groups targeting healthcare organizations. Specifically, Remote Desktop Protocol (RDP) (T1021.001) is frequently utilized as a means of gaining initial access to a victim’s network. RDP allows remote access to a desktop or server and if not configured securely, can be vulnerable to brute force attacks, credential stuffing, or exploitation of known vulnerabilities. There have been reports of various ransomware groups, including LockBit, BlackCat, BlackBasta, Cl0p, and Royal ransomware, using Remote Services (T1021) and Remote Desktop Protocol (T1021.001) TTPs to target the healthcare sector.

Here are a few examples:

  • In August 2021, LockBit ransomware targeted a US-based healthcare organization, impacting multiple systems and data. The attack was reportedly initiated through the exploitation of Remote Desktop Protocol (RDP) credentials. The attackers encrypted more than 7TB of data and demanded a $70 million ransom.
  • In September 2021, BlackCat ransomware targeted a US-based healthcare provider, gaining access through RDP and exfiltrating sensitive patient data before encrypting the network. The attackers demanded a $1.8 million ransom in exchange for the decryption key.
  • In November 2021, BlackBasta ransomware targeted a European hospital, infecting the network through RDP. The attackers demanded a 700,000 euros ransom in exchange for the decryption key.
  • In May 2021, the Cl0p ransomware group targeted a major healthcare provider in Ireland, gaining access through RDP and encrypting critical systems and data. The attackers demanded a $20 million ransom in exchange for the decryption key.
  • In January 2022, Royal ransomware targeted a US-based healthcare provider, infiltrating the network through RDP and encrypting multiple systems and data. The attackers demanded a $500,000 ransom in exchange for the decryption key.

Service Stop (T1489)

Service Stop is a tactic used by ransomware attackers to disable services on a victim's system, often as a prelude to encrypting files. This tactic helps to ensure that critical services, such as backups or security software, cannot detect or prevent the attack. There have been several reported attacks on the healthcare sector by ransomware groups where the attackers have used Service Stop (T1489) as a tactic to facilitate their attacks. Some of the notable examples include:

  • LockBit ransomware: In a recent attack on the Irish healthcare system, LockBit ransomware was observed using Service Stop (T1489) to terminate various services and processes, including the Windows Update service, antivirus software, and backup applications.
  • BlackCat ransomware: In an attack on the US-based health insurer, Excellus BlueCross BlueShield, BlackCat ransomware was observed using Service Stop (T1489) to terminate the backup processes and services, making it difficult for the victim to recover their data without paying the ransom.
  • BlackBasta ransomware: In a recent attack on the French healthcare group, Ramsay Santé, BlackBasta ransomware was observed using Service Stop (T1489) to terminate various services and processes, including the antivirus software, making it easier for the ransomware to encrypt files undetected.
  • Cl0p ransomware: In an attack on the healthcare provider Accellion, Cl0p ransomware was observed using Service Stop (T1489) to terminate the file transfer service, making it difficult for the victim to transfer files without paying the ransom.
  • Royal ransomware: In an attack on the Canadian government's health department, Royal ransomware was observed using Service Stop (T1489) to terminate various services and processes, including the backup software, making it difficult for the victim to recover their data without paying the ransom.

Data Encrypted for Impact (DEI) (T1486)

We observed all selected ransomware groups using DEI. This makes sense since DEI is the main objective for ransomware operations. T1486 involves encrypting a significant amount of sensitive or critical data to render it unreadable or inaccessible to authorized users. The attackers aim to disrupt regular business operations, cause financial harm to the victim, and prevent access to system or network resources. They expect the victim organization to pay the ransom to regain access to their data. During the reconnaissance phase, ransomware groups identify valuable data to encrypt and add pressure to victims by threatening to leak the content if the demanded ransom is not paid.

Assessment & Forecast

Over the past year, ransomware attacks have posed a significant threat to the healthcare industry, and the most prominent among them has been LockBit 3.0. This trend could be attributed to LockBit's global dominance, as it has more than double the number of attacks of any other group in 2022 and 2023. Although the US appears to be the most affected country, it is crucial to recognize that attackers are not limited by geography and will exploit any vulnerable organization that can provide them with financial gain.

For example, ransomware attacks have also become a major concern for organizations in the former Soviet Union. Although many ransomware groups making headlines today tend to operate outside of the Commonwealth of Independent States (CIS), businesses in this region still face a significant threat from dozens of lesser-known groups. Just as they do in the US, Europe, and other regions, ransomware groups targeting the former Soviet Union countries are also known to use a range of techniques to gain access to networks and systems, including phishing emails, brute force attacks, and exploiting vulnerabilities in outdated software. Furthermore, some of these attacks have been attributed to state-sponsored actors seeking to disrupt or steal sensitive information from organizations in the region. These attacks may have broader geopolitical implications beyond financial gain and can be part of wider cyber espionage campaigns.

The healthcare sector will likely continue to be targeted by ransomware attacks and the frequency of these attacks will increase in 2023 and onward. Attackers will likely continue to use various MITRE TTPs to execute successful attacks and may collaborate with malware groups to obtain more sophisticated payloads. Attackers have strong financial incentives to continue targeting healthcare organizations, and they are constantly adapting their attack methods to stay ahead of defences. This often involves using multiple attack vectors, including double extortion.

While the technical details of these attacks may evolve over time, the underlying tactics are likely to remain consistent. Traditional infection vectors such as phishing, exploitation of known vulnerabilities (particularly in open-source software), and compromise of managed service providers are all still relevant threats. As a result, preventative measures remain the best defence against all types of cyberattacks.

As for initial access methods, our observations suggest healthcare organizations should particularly focus on enhancing security measures for remote services. These measures include implementing multi-factor authentication and restricting internet access to remote services. Additionally, healthcare organizations should maintain a regular schedule for patching, testing, and vulnerability scanning, particularly for VPNs and RDP services.

The cybercriminal ecosystem is constantly evolving in response to feedback on the effectiveness of attacks. Still, it's important to recognize that “traditional” infection vectors within healthcare will continue to be leveraged. This will include tactics such as exploiting remote access technologies (e.g., RDP-based technologies and VPNs) and known vulnerabilities. Healthcare organizations should therefore remain vigilant and up to date with technical indicators to stay ahead of these evolving threats.