Emerging Ransomware Groups Disproportionately Attack Healthcare Organizations
Ransomware activity almost doubled in 2023, according to the annual GuidePoint Research and Intelligence Team (GRIT) Ransomware Report. The GRIT team identified 4,519 victims of ransomware attacks in 2023, up from 2,507 in 2022. The United States was the most targeted country, accounting for 49% of attacks, with 8 out of the 10 most impacted countries located in North America or Europe. On average, 12.4 victims were posted on data leak sites each day in 2023, an 80.1% increase in public postings from 2022. While the increase was largely driven by mass exploitation campaigns, these attacks only accounted for 5% of total victims in 2023, showing there was also a significant increase in ransomware activity overall.
The main ransomware players in 2023 were LockBit, AlphV, and Clop, with LockBit by far the most active, having conducted more attacks than AlphV and Clop combined. These established groups conducted 85% of attacks and used well-defined tactics. They are also drivers of innovation and tactical change across the ransomware ecosystem, with emerging and developing groups tending to copy the new tactics developed by the established groups to improve the effectiveness and efficiency of their attacks. The more established groups are more likely to exploit critical and high-severity vulnerabilities, as doing so provides them with a reliable way of exploiting victims at scale, as was seen with Clop in 2023, which exploited zero-day vulnerabilities in two file transfer solutions: Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer.
These groups may conduct the majority of attacks, but there were another 60 smaller ransomware groups that were active in 2023. Emerging and developing ransomware groups are much more likely to target healthcare organizations than established groups. Historically, healthcare has been considered off-limits for some ransomware programs due to the negative press coverage and extra attention from law enforcement agencies, although established groups increased the number of attacks on healthcare organizations in 2023. Attacks on the sector may also increase further in 2024. AlphV claimed not to permit attacks on the sector but removed the restrictions for affiliates following the law enforcement takedown of its data leak site late last year.
With fewer victims paying ransoms, ransomware groups have been forced to develop new tactics to coerce victims. The BlogXX group, which attacked an Australian health insurer in late 2022, proceeded to leak patient data when the ransom wasn’t paid, including lists of patients who had abortion procedures and mental health treatment. AlphV similarly chose to pile on the pressure by publishing photographs of cancer patients. AlphV also started filing complaints with the U.S. Securities and Exchange Commission (SEC) about omissions and misstatements in victims’ SEC filings and the failure to report attacks within the required 4 days. There were also multiple cases of patients being contacted directly by ransomware groups and told they needed to pay to have their data deleted after their healthcare provider refused to pay the ransom.
The GRIT Team expects 2024 will see an increase in posted ransomware victims and an increase in novel coercive tactics, but no change in law enforcement takedowns and arrests. Governments and law enforcement agencies are expected to increase efforts to discourage the payment of ransoms, but it is unlikely that there will be significant movement on banning ransom payments altogether.


