Fraud Management & Cybercrime , Ransomware

Analysis: Top Ransomware Gangs Targeting Healthcare Sector

HHS Says Several Factors Making Healthcare a Favorite Target in U.S., Globally
Analysis: Top Ransomware Gangs Targeting Healthcare Sector

Ransomware attacks are continuing to threaten the U.S. and global healthcare sectors, in part due to many entities' high dependency on legacy systems and lack of security resources, says new analysis by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

By analyzing ransomware activity in the U.S. and global healthcare sectors during the third quarter – from July 1 to Sept. 30 – HC3 says it identified ten major ransomware groups affecting organizations, with the Conti ransomware group being the most active in the U.S. and globally.

In total, HC3 tracked 68 ransomware incidents affecting healthcare organizations worldwide occurring during the quarter. Of those, about 63%, or about 42 incidents, impacted the U.S. health sector while 37%, or about 26 incidents, affected healthcare organizations outside the U.S., HC3 says.

The HC3 analysis was based on a sample of ransomware incidents derived from a variety of sources, including news reports, ransomware data leak sites, and information shared by federal agencies. However, the findings do not necessarily encompass all ransomware incidents that affected healthcare entities in the quarter, as many go unreported, HC3 notes.

Leading Trends

The top countries impacted by ransomware incidents in the health sector outside the U.S. included France, Brazil, Thailand, Australia, and Italy, the report notes.

In the U.S., the states experiencing the most ransomware incidents involving healthcare sector entities included California, Florida, Illinois, Michigan, Texas, Arizona, Indiana, Maryland, New York, and Georgia, HC3 says.

Within the healthcare sector, health and medical clinics continue to be the most frequently affected group, followed by healthcare industry services firms and hospitals.

Gang Activity

For the most part, the top ten ransomware groups targeting U.S. healthcare organizations were similar to global findings, with a few exceptions, HC3 notes.

For instance, while Conti was the most common group targeting healthcare sector entities in and outside the U.S., Avaddon ransomware-as-a-service groups was the second most common type attackers observed targeting the health sector globally. Avaddon was only identified as affecting one U.S. healthcare organization in the third quarter, HC3 notes.

In the U.S., the second most active group targeting the healthcare sector in the third quarter was REvil/Sodinokibi, followed by Hive, HC3 says.

The Hive ransomware group claimed attacks on four healthcare entities all located in the U.S., including hospitals and medical centers, HC3 says.

Both the Hive and Vice Society ransomware groups surfaced in June 2021, "following a trend of ransomware groups rebranding in attempts to evade law enforcement and takedown efforts," HC3 notes.

REvil recently began resuming operations, after going dark for a while in July. The reason for the operation going quiet isn't known. Speculation has ranged from administrators deciding to lay low after the White House announced a crackdown, or deciding to take a time out to regroup, after law enforcement authorities obtained the ability to decrypt any file previously crypto-locked by REvil. (See: Bad News: Innovative REvil Ransomware Operation Back).

Several other groups also went dark in July, including DarkSide, which had attacked U.S.-based Colonial Pipeline and Babuk, which hit the Metropolitan Police Department of Washington, D.C., as well as Avaddon (see Fear Likely Drove Adaddon's Exit from Ransomware Fray).

"Ransomware remains a major threat to the health sector worldwide, with many healthcare organizations operating legacy technology with limited security resources," HC3 says, adding that it expects these trends will likely to continue through the end of 2021.

HC3 predicts that Hive ransomware operators are likely to continue to target healthcare organizations specifically in the U.S., while the Vice Society ransomware group is likely to continue to target the health sector both in the U.S. and abroad.

Top Gangs

Globally, HC3 says the top ransomware groups impacting healthcare organizations in the third quarter in order were: Conti; Avaddon; REvil/Sodinokibi; Clop; Pysa; Astro; Doppel/Paymer; Hive; LockBit; and Raganork.

HC3 says the top ransomware groups targeting healthcare sector entities in the U.S. in the third quarter were:

  • Conti
  • REvil/Sodinokibi
  • Hive
  • Pysa
  • Clop
  • Groove
  • Ryuk
  • Vice Society

"The threat landscape is constantly evolving, with affiliates often working with multiple gangs and the gangs themselves constantly rebranding - sometimes when they attract too much attention, and sometimes in an effort to skirt OFAC sanctions," says threat analyst Brett Callow of the security firm Emsisoft.

"Seeing both Hive and Pysa on the top ten list is concerning as coding problems mean both can cause permanent data loss, even when the demand is paid. In a medical environment, this could have serious, and perhaps even life-threatening, consequences," he notes.

CHIME Survey

Meanwhile, in the U.S., more than two-thirds of healthcare CISOs surveyed said their organizations experienced a data security incident within the last 12 months, according to a report issued Monday by the College of Healthcare Information Management Executives and its subgroup, the Association for Executives in Healthcare Information Security, whose 5,000 members include healthcare CIOs and CISOs.

Almost half of the 60 CISOs who took part in the survey reported that their entities experienced a phishing email or business email compromise. Almost 30% said they organizations had faced a system or electronic health record outage.

Also, 15% of the CISOs reported a patient safety incident tied to a cyber event, and 10% said their organizations needed to divert patients to another care setting due to a security incident. (See: Patient Safety Concerns Group Over Medical Gear Security).

"It is clear that healthcare providers will need several tools in their arsenal to fight an ever-escalating and complex battle that is being brought directly to their doorstep and threatens their delivery of patient care,” said Will Long, AEHIS advisory board chair in a statement. “More resources, education, and ongoing support for our sector are needed.”

Uphill Climb

The healthcare industry has been slowly improving its overall cyber-defenses and security posture, "but at times it seems like we are always a day late and a dollar short," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.

"During my 22 years in the FBI, the mantra we tried to use was 'action beats reaction,' and at this point, the healthcare industry is still in a 'reaction' stage, so it is hard to prevent real time and zero-day attacks," he notes.

"Well over 50% of all cyberattacks against the healthcare start with phishing attacks. That is where the real defenses have to start. Stop successful phishing attacks and this will greatly slow the ransomware attacks."

In the meantime, the surge in ransomware attacks targeting healthcare sector entities in the U.S. and globally will continue, experts warn.

"These attacks are easy, effective and a real money maker for the established ransomware gangs and other criminal syndicate groups," Weiss says.

The ransomware-as-a-service model with affiliate franchise groups "provide step by step instructions on how to use their illegal software and have now exponentially expanded the attack environment against healthcare providers worldwide," he says.

Callow offers a similar assessment. "Unless diplomatic or law enforcement efforts have a rapid and significant impact, it’s unlikely that the ransomware landscape will be very different in 2022," he says.

"Unfortunately, that means healthcare providers will continue to be bombarded with financially-motivated, disruptive cyberattacks that put patients’ lives at risk. "

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.