Data extortion attempts signal new era for ransomware tactics

Such attempts are up 580% since the start of the COVID-19 pandemic, and healthcare is a major target, a new Crowdstrike report shows.
By Mike Miliard
05:09 PM

Ransomware has become a fact of life for healthcare organizations over the past half decade or so, but bad actors' techniques continue to evolve in dangerous new directions – with more and more organizations being targeted not just with encryption but with data extortion attempts.

WHY IT MATTERS
That's according to a report from Crowdstrike, which counted 97 healthcare organizations victimized by ransomware attacks using extortion in 2020. Healthcare is the fifth most targeted sector for extortion attempts worldwide, according to the cybersecurity firm.

"This is up 580% compared to pre-pandemic times (Q1 2020), despite Big Game Hunters – threat actors who target bigger, more secure targets for larger ransoms – such as TWISTED SPIDER claiming they would refrain from infecting medical organizations until the pandemic had stabilized," according to Crowdstrike.

Instead, however, researchers note that the hacker group "was responsible for at least 26 successful healthcare ransomware infections with their Maze and Egregor families. This is the highest out of any Big Game Hunter. In total, 18 Big Game Hunters infected 104 healthcare organizations last year."

In early 2020, as countries worldwide declared public health emergencies, a trend of ransomware actors targeting healthcare organizations began to form. Hackers aimed to gain access to sensitive information relating to COVID-19 positive cases and scientific research into possible treatments.

Interestingly, given that healthcare is widely seen as one of the most targeted industries, when it comes to extortion attempts, it's No. 5 on Crowdstrike's list, behind industrials and engineering (229 incidents), manufacturing (228), technology (145) and retail (142).

"It’s clear data extortion has become the most lucrative ransomware method used by cybercriminals worldwide, and the COVID-19 pandemic has certainly accelerated this shift," said Crowdstrike researchers.

THE LARGER TREND
In recent months, multiple hospitals and health systems have reportedly been targeted with similar attacks.

In February, cybercriminals gained access to troves of patient data – names, addresses, diagnoses – from Miami-based Leon Medical Centers and Nocona General Hospital in Texas and posted it to the dark web.

And just this week, Gallup, New Mexico-based Rehoboth McKinley Christian Health Care Services found its own data – reportedly including job applications, background check authorizations and Social Security numbers – posted online in another apparent extortion attempt.

We spoke recently with Caleb Barlow, CEO of cybersecurity firm CynergisTek, who said these techniques represent a troubling new trend. Garden-variety ransomware is bad enough, but this "double extortion" represents an upping of the stakes, he said, with the bad guys now making new promises: "You need to pay me. If you're not going to pay the ransom, I'm going to extort you."

There is help out there, however. MITRE this week launched its new Ransomware Resource Center, which offers free tools for hospitals and healthcare organizations to help them "better prepare for, respond to and recover from ransomware attacks."

ON THE RECORD
"Data extortion is a tried-and-true tactic, and even the act of combining data extortion with a ransomware operation is not new to 2020 – OUTLAW SPIDER first employed this tactic in May 2019," said Crowdstrike researchers in their recent 2021 Global Threat Report.

"What marks a departure from previous [Big Game Hunter] operations is the accelerated adoption of the data extortion technique and the introduction of dedicated leak sites associated with specific ransomware families. These approaches were adopted by at least 23 ransomware operators in 2020."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media
