Ransomware Targeting the Healthcare and Public Health Sector

The Cybersecurity & Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) have recently released a joint advisory about ransomware targeting the healthcare and public health sector, including U.S. hospitals and healthcare providers.

The attacks use loaders such as TrickBot and BazarLoader to deliver ransomware such as Ryuk, steal data, and otherwise disrupt ongoing healthcare services. They are especially damaging because they disrupt healthcare providers during an ongoing global pandemic.

While the joint advisory provides more technical detail and indicators for identifying signs of a breach, this article summarizes the issue and supplies additional suggestions on how to better protect your organization.

Threat Details

The cybercriminals behind TrickBot and BazarLoader have continued to develop new functionality and tools that make it easier and increasingly profitable to target organizations. These loaders are often spread through phishing campaigns that contain either links to websites hosting the malware or malicious attachments.

Loaders start the infection chain by deploying and executing a backdoor on the target's machine.

The phishing emails, often personalized to the target and disguised as routine correspondence that requires attention, usually come from a commercial mass email delivery service and contain a link to a Google Drive document or PDF file controlled by the actor. The document fails to render a preview and instead contains a link to a URL hosting the malware payload.

Once a loader has been installed on the target's computer, a backdoor is open for a ransomware deployment such as Ryuk. Before encrypting anything, the attackers steal credentials and map the network to understand the environment and the scope of the infection.

The attackers utilize native tools such as PowerShell, Windows Remote Management, and Remote Desktop Protocol (RDP) to avoid detection and move laterally throughout the network.

The malware then encrypts the user's files and attempts to delete any backups stored in the environment, including Volume Shadow Copies, the automatic snapshots that Windows makes of a volume.

Attackers will also attempt to shut down and uninstall any security applications that would prevent the ransomware’s execution.
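The pre-encryption steps described above (shadow copy and backup deletion, stopping security services, PowerShell or WinRM use) leave traces in process-creation telemetry. The following detection script is an added example, not part of the advisory or this article; the log line format, rule names and sample events are constructed for illustration, and the command patterns are a starting point rather than an exhaustive list.

```python
"""Flag ransomware precursor commands in exported process-creation events (added example)."""
from __future__ import annotations
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Shape of one exported event (a constructed format, not a vendor's native schema).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd="(?P<cmd>.*)"$'
)

# One rule per behaviour the text describes; patterns are illustrative, not exhaustive.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*\.delete\(\))", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "security_service_tampering": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+(stop|delete|config)\s+\"?(windefend|\S*(defender|antivirus|sophos|mcafee)\S*)",
        re.I),
    "encoded_or_remote_powershell": re.compile(
        r"powershell(\.exe)?\b.*?(-enc\b|-encodedcommand\b|invoke-command|enter-pssession|-computername)",
        re.I),
}

def scan(lines: Iterable[str]) -> List[dict]:
    """Return one finding per (event, rule) match; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        for name, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                findings.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                                 "rule": name, "cmd": m["cmd"]})
    return findings

def hosts_to_isolate(findings: List[dict], min_rules: int = 2) -> Dict[str, Set[str]]:
    """Hosts where at least `min_rules` distinct behaviours fired. Backups removed plus
    protection disabled on one host is the combination that immediately precedes encryption,
    so these hosts are the ones a responder should isolate first."""
    by_host: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return {h: rules for h, rules in by_host.items() if len(rules) >= min_rules}

# Constructed sample events, not real telemetry; the first three mimic pre-encryption steps.
SAMPLE_LOG = [
    r'2020-10-28T14:02:11Z host=WS-042 user=CORP\jdoe parent=cmd.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    r'2020-10-28T14:02:13Z host=WS-042 user=CORP\jdoe parent=cmd.exe cmd="wbadmin delete catalog -quiet"',
    r'2020-10-28T14:02:15Z host=WS-042 user=CORP\jdoe parent=cmd.exe cmd="net stop WinDefend"',
    r'2020-10-28T14:03:40Z host=SRV-DB01 user=CORP\svc_bak parent=wsmprovhost.exe cmd="powershell.exe -NoP -W Hidden -Enc QUJDRA=="',
    r'2020-10-28T09:15:02Z host=WS-017 user=CORP\asmith parent=explorer.exe cmd="notepad.exe C:\Users\asmith\notes.txt"',
    r'2020-10-28T09:20:00Z host=SRV-FS02 user=CORP\bkadmin parent=services.exe cmd="vssadmin.exe list shadows"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['user']} [{f['rule']}] {f['cmd']}")
    print("isolate first:", hosts_to_isolate(found))
```

Listing shadow copies (the last sample line) is routine backup-administrator activity and is deliberately not flagged; tune the patterns against your own baseline before alerting on them.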

Security touches every part of every organization — be proactive and protect your critical systems.

Mitigating Risks and Attacks 

Healthcare and public health organizations should establish and maintain updated business continuity plans to minimize the impact of potential service interruptions.  

We've put together a list of suggestions and best practices covering network configuration, ransomware preparedness, security awareness, and incident management to keep healthcare environments safe.

Network Best Practices 

•  Maintain and deploy patches for systems, software, and firmware as soon as they become available.
•  Regularly check configurations for machines and users across the network. Make sure local users have the administrative permissions to respond to locally based issues.
•  Use multi-factor authentication (MFA) where possible to prevent unauthorized logins.
•  Remove or disable any unused Remote Desktop Protocol (RDP) access. Where RDP remains enabled, continue to monitor it and how it is being accessed.
•  Regularly audit which users have administrative privileges. Grant administrative power with the least privilege necessary for a user to do their job. Be sure to audit the legitimacy of any new users created in the network.
•  Regularly back up critical assets such as patient database servers, medical records, and any infrastructure related to telehealth and telework. It’s important to keep at least one backup of these assets on a separate network or even offline.
•  Proper network segmentation will prevent threat actors who compromise one segment from reaching assets across the entire environment.

Ransomware Best Practices 

•  Paying the ransom to retrieve compromised data isn’t recommended, as payment doesn’t necessarily guarantee file recovery. 
•  Establish a recovery plan to maintain and retain copies of sensitive or proprietary data. These copies should be kept in a physically separate and secure location from other parts of the organization.
•  Alongside backups, a "gold image" of each critical system should be maintained. These are copies of systems that can be used if a system needs to be rebuilt from scratch. Gold images often include a pre-configured operating system (OS) and the associated applications needed to run and maintain that system.
•  The security team should maintain a ransomware response checklist so employees know quickly what to do if suspicious activity has been detected, or a breach has been identified.

Security Awareness Training 

•  Maintain security awareness training for employees across the organization. This is especially important for these ransomware campaigns, since end users are the primary target.
•  Employees should be aware of security best practices, as well as any relevant emerging threats that they may encounter.
•  Security awareness training should also tell employees who their points of contact are, should they find anything suspicious.

Incident Management and Business Continuity 

•  Establish an incident response plan to respond to suspicious activity and incidents. Responding quickly and effectively can contain a potential attack and minimize the impact on services.
•  A business continuity plan will identify the core systems and critical assets for your service, making it easier to establish policies, procedures, and technology around maintaining them. Integrate any findings with your risk management system and risk register to see which changes have been made and which critical systems still need attention.
•  Create a plan of action for what the organization will do in the event that critical systems are inaccessible for extended periods of time, including using physical records, a plan for re-routing patients quickly, and coordinating with local healthcare facilities for additional support.

The key to responding to ransomware incidents is to be prepared and have a plan of action. Know which systems and assets are critical to providing your services and prioritize their maintenance and protection.

Learn more about the ransomware details in the joint cybersecurity advisory.