Well, folks… it’s that scary time of year once again. No, not Halloween. It may be October, but in this blog, we won’t be talking about ghouls and goblins. Nope. As you may already know, October is also Cybersecurity Awareness Month. And there are scarier things out there to worry about than those imaginary monsters in your closet.
Perhaps not surprisingly, October tends to be a bad month for cyberattacks, especially in healthcare. We're barely at the halfway point and the news is already full of serious data breaches and ransomware attacks crippling healthcare facilities large and small. This shouldn't be much of a shock: for years, healthcare has been one of the worst-performing and most heavily targeted sectors when it comes to cyberattacks.
We’ve already talked at length on this blog about methods for dealing with cyberattacks. So, if you are interested in educating yourself or brushing up, we highly recommend checking out our various Security & Data Management blogs. Instead of just rehashing the same old stuff, we are going to look at some of the more recent ransomware groups and threats targeting healthcare and examine the chaos and damage they can cause.
Small Clinics are Being Targeted by Ransomware
Back at the start of the COVID-19 pandemic in 2020, hospitals became a major target for ransomware attacks. Over the last year, however, hospitals have started catching up, offering better security training to their staff and hardening their networks. As a result, hospitals are no longer seen as the easy targets they once were. This has forced bad actors to change tactics, and many cybercrime groups are now aiming their ransomware at smaller clinics instead.
This means it is more important than ever for specialty practices to be vigilant about ransomware delivery vectors such as phishing emails and business email compromise (BEC) attacks. This year, two ransomware families and the groups behind them are doing the most damage to healthcare, Hive and LockBit, and you need to be aware of both.
The Hive Ransomware Group
Just last month, the FBI issued a Flash alert about a ransomware group known as Hive. In it, the FBI warned that the group uses a range of TTPs (tactics, techniques, and procedures): phishing emails with malicious attachments to get into a network, and Remote Desktop Protocol (RDP) to move laterally once inside. Like many ransomware groups, Hive most often starts with a phishing lure.
We've talked a lot about phishing on this blog in the past, so we won't go into too much detail here. The basic gist is that the attackers send a spoofed email that looks legitimate but carries a link or attachment that delivers the initial malware. From there, Hive's operators copy data out of the network and then encrypt the files on it. Two batch scripts named in the FBI alert, hive.bat and shadow.bat, handle the finishing touches: hive.bat deletes the Hive executable and then itself to cover its tracks, and shadow.bat deletes the Volume Shadow Copies so that Windows' local snapshots can't be used to restore the encrypted files. Those file names, and shadow-copy deletion in general, are things your IT team or endpoint security vendor can alert on before a lockout is complete.
Once the network is locked, users are left with a screen that only displays a ransom note with a URL and instructions on how to pay the ransom and acquire the decryption key. As always, the FBI is encouraging people to stop paying ransoms, as doing so only encourages such attacks to continue. For our purposes, we do not advise practices on whether or not to pay ransoms, as we feel that is a decision best left to the individual.
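The FBI alert says shadow.bat is there to delete Volume Shadow Copies so a machine's local snapshots can't be used for recovery, and that, along with the two file names, gives defenders something concrete to look for. What follows is an added example, not code from the original post or from the FBI alert: a small Python triage script that runs over constructed, Sysmon-style process-creation events (the hostnames, users, timestamps and command lines are made up for this example) and flags the generic shadow-copy deletion commands catalogued under ATT&CK T1490, plus the hive.bat/shadow.bat file names, escalating to "high" when both show up on one host within a short window.

```python
"""
Triage process-creation events for ransomware pre-encryption behaviour:
Volume Shadow Copy deletion (ATT&CK T1490) and the hive.bat / shadow.bat
file names the FBI attributes to Hive.  All sample events below are
constructed for this example and are not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-like "Key=value" events.  RECEPTION-PC shows the full
# pattern, BILLING-PC only shadow-copy deletion, FILESRV01 is benign admin work.
SAMPLE_EVENTS = [
    "Time=2021-10-12T02:14:07Z Host=RECEPTION-PC User=CLINIC\\jdoe "
    "Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c C:\\Users\\jdoe\\shadow.bat",
    "Time=2021-10-12T02:14:08Z Host=RECEPTION-PC User=CLINIC\\jdoe "
    "Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin.exe delete shadows /all /quiet",
    "Time=2021-10-12T02:14:09Z Host=RECEPTION-PC User=CLINIC\\jdoe "
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "CommandLine=wmic shadowcopy delete",
    "Time=2021-10-12T02:15:30Z Host=RECEPTION-PC User=CLINIC\\jdoe "
    "Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c C:\\Users\\jdoe\\hive.bat",
    "Time=2021-10-12T03:02:11Z Host=BILLING-PC User=CLINIC\\msmith "
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "CommandLine=wmic shadowcopy delete",
    "Time=2021-10-12T09:00:00Z Host=FILESRV01 User=CLINIC\\backupsvc "
    "Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin.exe list shadows",
]

# Common shadow-copy destruction commands (T1490).  Generic patterns, not
# commands quoted from the Hive alert.
SHADOW_DELETE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b",
    r"win32_shadowcopy.*\.delete\(",
)]
# The two batch-file names the FBI alert attributes to Hive.
HIVE_SCRIPT_PATTERN = re.compile(r"[\\/](hive|shadow)\.bat\b", re.IGNORECASE)

# Split "Key=value Key=value" on whitespace that precedes the next Key=.
_KV_SPLIT = re.compile(r"\s+(?=[A-Za-z]+=)")


def parse_event(line):
    """Turn one Key=value line into a dict; values may contain spaces."""
    event = {}
    for field in _KV_SPLIT.split(line.strip()):
        key, _, value = field.partition("=")
        event[key] = value
    event["Time"] = datetime.strptime(event["Time"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def classify(event):
    """Return the detection labels that fire on a single event."""
    cmd = event.get("CommandLine", "")
    labels = []
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        labels.append("shadow_copy_deletion")
    if HIVE_SCRIPT_PATTERN.search(cmd):
        labels.append("hive_named_script")
    return labels


def triage(lines, window=timedelta(minutes=10)):
    """Group hits per host and escalate when both behaviours occur within `window`."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for label in classify(ev):
            hits[ev["Host"]].append((ev["Time"], label, ev.get("CommandLine", "")))
    verdicts = {}
    for host, items in hits.items():
        items.sort()
        labels = {label for _, label, _ in items}
        span = items[-1][0] - items[0][0]
        if {"shadow_copy_deletion", "hive_named_script"} <= labels and span <= window:
            severity = "high"      # cleanup scripts plus backup destruction on one box
        elif "shadow_copy_deletion" in labels:
            severity = "medium"    # backup destruction alone still warrants a look
        else:
            severity = "low"
        verdicts[host] = {"severity": severity, "labels": sorted(labels), "events": len(items)}
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The benign `vssadmin list shadows` from the backup service never fires, which is the point of matching on `delete` rather than on the binary name: vssadmin and wmic are legitimate admin tools, and alerting on every use of them would bury the real signal.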
LockBit Ransomware Group
Just this week, the cybersecurity arm of HHS, the Health Sector Cybersecurity Coordination Center (usually just known as HC3, since the full name is a bit of a mouthful) released a threat brief that specifically warned businesses in the healthcare sector to be on the lookout for attacks using the LockBit Ransomware variant.
LockBit first reared its ugly head back in September of 2019. Back then, folks were calling it the ".abcd virus," after the file extension it appended to the files it encrypted. Since then, its use has become far more frequent. Perhaps the scariest thing about LockBit is that it appears to be even more effective and dangerous than the Ryuk ransomware we warned readers about around this same time last year, which could disable multiple antivirus programs and spread itself throughout an entire network before locking everything down.
LockBit is a bit like Ryuk on steroids, you might say. Ryuk's operators had to gain access (usually via phishing) and then spend time working through the network by hand before deploying it. LockBit is rented out as ransomware-as-a-service, so an attacker still has to get a foothold first, whether through phishing, stolen remote-access credentials, or an unpatched system. The difference is what happens next: once the current version (LockBit 2.0) is launched with enough privileges, it does the rest on its own, quietly pushing itself to other machines across the Windows domain, exfiltrating data, and encrypting everything it reaches. Once it completes the lockdown, desktop backgrounds on all affected machines display a message that reads, "All your files are encrypted by LockBit," with instructions to open a file left behind that explains how to pay the ransom and acquire the decryption key.
Like Hive, LockBit is run by a particular group, who develop the malware and rent it out to affiliates who carry out the attacks. The group has claimed to be targeting organizations in the US and EU in the healthcare, education, and social services sectors. They also employ what is known as "double extortion," meaning that refusing to pay risks more than just the loss of your data: the attackers copy the data out before encrypting it and threaten to sell or leak it online if the ransom isn't paid. For those in healthcare, this is especially costly, because once unencrypted patient records have been taken off your network, HIPAA generally treats that as a reportable breach whether or not you pay, with notification duties for every affected patient and the possibility of OCR penalties on top.
Be Aware of Ransomware this October
As always, your best weapon is being vigilant and skeptical. Don't click a link or open an attachment unless you are sure it comes from a legitimate source. Be suspicious of any email that is unexpected, uses an urgent tone, or asks you to open an invoice or document you weren't expecting. If in doubt, pick up the phone and verify with the sender, using a number you already have on file rather than one printed in the email.
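The phone call is the human check; the mail headers give you a technical one. Below is an added example, not code from the original post: a Python script that reads a constructed phishing message (the clinic domain, sender names and mail server are hypothetical) and scores it on the signals a practitioner looks at first, namely a From: domain that doesn't match the envelope sender or Reply-To, failed SPF and missing DKIM in the Authentication-Results header, and an urgent subject line. It uses only the standard library, so it runs offline.

```python
"""
Header-level sanity checks for a suspected phishing e-mail.  The message and
domains below are constructed for this example and are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name and From: domain look like a colleague,
# but the envelope sender, Reply-To and authentication results disagree.
SAMPLE_MESSAGE = """\
Return-Path: <billing@cl1nic-example.net>
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=cl1nic-example.net; dkim=none
From: "Dr. Alice Wong" <alice.wong@clinic.example>
Reply-To: billing@cl1nic-example.net
To: frontdesk@clinic.example
Subject: URGENT: overdue invoice, open immediately
Content-Type: text/plain

Please open the attached invoice and confirm payment today.
"""

# Domains whose mail you would normally trust (hypothetical).
TRUSTED_DOMAINS = {"clinic.example"}
URGENCY_WORDS = ("urgent", "immediately", "today", "overdue", "asap", "final notice")


def address_domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header_value):
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)}


def assess(raw_message):
    """Return (score, reasons); each mismatch or failed check adds one point."""
    msg = message_from_string(raw_message)
    from_dom = address_domain(msg.get("From"))
    envelope_dom = address_domain(msg.get("Return-Path"))
    reply_dom = address_domain(msg.get("Reply-To"))
    auth = parse_auth_results(msg.get("Authentication-Results"))
    reasons = []

    # A trusted From: domain with a different envelope sender is the classic
    # header spoof: the visible address is forged, the real sender is not.
    if from_dom in TRUSTED_DOMAINS and envelope_dom and envelope_dom != from_dom:
        reasons.append(f"envelope sender {envelope_dom} != From domain {from_dom}")
    # Replies silently routed to a third domain are a BEC hallmark.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"replies redirected to {reply_dom}")
    if auth.get("spf") in ("fail", "softfail"):
        reasons.append("SPF failed for the sending server")
    if auth.get("dkim", "none") in ("none", "fail"):
        reasons.append("no valid DKIM signature")
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append("urgent or pressuring subject line")
    return len(reasons), reasons


if __name__ == "__main__":
    score, reasons = assess(SAMPLE_MESSAGE)
    print(f"score {score}")
    for reason in reasons:
        print(" -", reason)
```

Treat the score as a prompt to verify out of band, not as a verdict: a legitimate newsletter service can fail one of these checks, and a message that passes all of them can still be malicious if the sender's own account was compromised.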
Remember, it’s Cybersecurity Awareness Month. So, get out there and be aware!
To discover how a cloud-based EHR and Practice Management system can help your practice better manage data security while minimizing ransomware risks, fill out this form and a member of our team will contact you soon!