Ransomware Attackers Exfiltrate Data From Magellan Health
Another Example of How Cybercriminals' Tactics Are Changing
Magellan Health, a U.S. managed care company that focuses on specialty areas of healthcare, says it was hit by a ransomware attack that involved the exfiltration of certain employee data.
Ransomware gangs are increasingly going beyond encrypting data, stealing information to put more pressure on victims to pay ransoms.
In another recent example, shipping giant Toll Group said Tuesday that it suffered a ransomware attack that involved stealing corporate data.
"Organizations that could recover from these [ransomware] attacks without resorting to a ransom payment could avoid the stigma of public disclosure. Attackers recognized this and started exfiltrating data as a component of their attack in an effort to publicly shame those companies into paying," says Clyde Hewitt, executive adviser at CynergisTek. "This tactic largely worked - it is difficult to refute that [data] was accessed inappropriately when it appears on the dark web" (see: More Ransomware Gangs Join Data-Leaking Cult).
Some experts predict increasingly disruptive cyberattacks will continue.
"I believe you are seeing the evolution into an even more dangerous and chaotic attack scheme against healthcare providers, government institutions and other business entities where ransomware is no longer the genesis of a cyberattack but just another tool in what I have referred to as the 'disruptionware' toolkit," says forensics expert and retired FBI agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP.
"Disruptionware not only has the ability to release ransomware attacks as one of its many malicious tools, but disruptionware can also torment its victims in other ways, such as attacking the victim's infrastructure in an attempt to literally and physically shut down the victim business."
Security experts advise organizations to take critical steps to avoid becoming a victim of data exfiltration incidents, including implementing multifactor authentication and deploying solutions that can detect unusual behavior.
Corporate Network Targeted
Scottsdale, Arizona-based Magellan Health announced on Tuesday that it discovered on April 11 that it was targeted by "a criminal ransomware attack" on its corporate network that resulted in a temporary systems outage and the exfiltration of confidential company and personal information of an undisclosed number of individuals.
"The unauthorized actor gained access to Magellan's systems after sending a phishing email on April 6 that impersonated a Magellan client," the company says in a statement.
A third-party forensics investigation revealed that prior to the launch of the ransomware, "the unauthorized actor exfiltrated a subset of data from a single Magellan corporate server, which included some personal information," the statement notes.
"In limited instances, and only with respect to certain current employees, the unauthorized actor also used a piece of malware designed to steal login credentials and passwords. At this point, we are not aware of any fraud or misuse of any personal information as a result of this incident."
The exfiltrated records include names, addresses, employee ID numbers, and W-2 or 1099 details, such as Social Security numbers or Taxpayer ID numbers, Magellan says. In some cases, they may also include usernames and passwords.
A Magellan spokeswoman declined to respond to Information Security Media Group's request for additional details, including the total number of individuals impacted, whether any patients' protected health information was compromised, the type of ransomware involved, and whether a ransom was demanded or paid.
In a statement provided to ISMG, the company says: "Unfortunately, these sorts of attacks are increasingly common. We take the safety, security, and reliability of our operations and services with the utmost seriousness. We have taken a number of additional measures to further strengthen our security policies and protocols. We are aggressively investigating this matter and will continue to provide updates to those impacted as the investigation continues."
Magellan also notes that it has reported the incident to law enforcement authorities, including the FBI.
Steps to Take
So how can organizations prevent exfiltration of their data by ransomware gangs?
"The best defense against having data exfiltrated during an attack is to prevent the attack," Hewitt says.
Many cyber incidents start either with a phishing campaign or brute force, such as password spraying, he notes. "Implementing multifactor authentication is the number one defensive tool. The second step is educating the workforce, then conducting frequent phishing tests to identify the high-risk populations."
Organizations also should identify all vendors that have access to their networks, then assess the security maturity of those vendors, Hewitt says. "Integrate those same vendors into the incident response plans," he says.
He also advises entities to "implement solutions that can detect unusual behavior, in near real time, and alert staff who can disable access. Also, consider the use of geolocation tools to identify abnormal activities, especially with file transfers."
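Hewitt's advice to flag abnormal file transfers in near real time, with geolocation as one signal, reduces to a per-user baseline check like the following added example (written for this article, not tooling from Magellan or CynergisTek). The Transfer records, the history and the country codes are constructed sample data, and the 5x size multiplier is an assumed threshold.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    user: str
    dest_country: str  # assumed: country code from a geolocation lookup of the destination IP
    bytes_out: int

# Constructed sample records (not real Magellan logs): a week of routine outbound transfers.
HISTORY = [
    Transfer("alice", "US", 1_500_000), Transfer("alice", "US", 2_200_000),
    Transfer("alice", "US", 1_800_000), Transfer("bob", "US", 500_000),
    Transfer("bob", "CA", 700_000), Transfer("bob", "US", 650_000),
]

# Constructed new records to evaluate: one routine, one bulk copy, one to an unfamiliar country.
NEW = [
    Transfer("alice", "US", 2_000_000),
    Transfer("alice", "US", 40_000_000),
    Transfer("bob", "RU", 600_000),
]

def build_baseline(history):
    """Per-user set of usual destination countries and largest transfer size seen."""
    countries = defaultdict(set)
    max_bytes = {}
    for t in history:
        countries[t.user].add(t.dest_country)
        max_bytes[t.user] = max(max_bytes.get(t.user, 0), t.bytes_out)
    return countries, max_bytes

def flag_transfers(history, candidates, size_multiplier=5):
    """Return (transfer, reason) pairs; a user with no history trips both checks."""
    countries, max_bytes = build_baseline(history)
    alerts = []
    for t in candidates:
        reasons = []
        if t.dest_country not in countries.get(t.user, set()):
            reasons.append("destination country never seen for this user")
        if t.bytes_out > size_multiplier * max_bytes.get(t.user, 0):
            reasons.append("volume exceeds %dx the user's largest prior transfer" % size_multiplier)
        if reasons:
            alerts.append((t, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for transfer, reason in flag_transfers(HISTORY, NEW):
        print(f"ALERT {transfer.user}: {transfer.bytes_out} bytes to {transfer.dest_country} ({reason})")
```

In production the baseline would come from weeks of proxy or firewall logs rather than an in-memory list, and an alert would feed the access-disabling step Hewitt describes.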
Healthcare entities and other organizations involved in COVID-19 response - and especially research - are increasingly attractive targets for ransomware attacks and other security incidents.
The FBI and Department of Homeland Security on Wednesday issued a warning that hacking groups linked to China's government are targeting research and healthcare facilities that are working on developing vaccines, testing procedures and treatments for COVID-19 (see: US Says China-Linked Hackers Targeting COVID-19 Researchers).
"COVID-19, at least for now, is changing all the typical rules," says Weiss, the attorney. "There are literally billions, if not trillions of dollars involved in the support of the U.S. and the global economy in a search for a 'cure' for this pandemic. This has made COVID-19 medical research facilities target number one for cybercriminals looking to find and steal whatever information they can in the global race to find a successful vaccine."
To guard against attacks, Weiss advises organizations to "first and foremost, keep your COVID-19 research off the internet. Use isolated networks with no internet connectivity so you can prevent outside attacks. Firewalls are only as valuable as the people who configure them. No cyber defense is foolproof except not having connectivity in the first place."
Organizations also must be extremely diligent about preventing insider attacks, Weiss says. For example, these can involve employees "who have either been co-opted or have sold out to the highest bidder in an attempt to make money from cybercriminals looking for someone on 'the inside' to help steal data from these types of research facilities."