At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020

Share this article on:

The New Zealand-based cybersecurity firm Emsisoft has released ransomware statistics for 2020 that show there have been at least 41 successful ransomware attacks on hospitals and other healthcare providers in the first half of the year.

There were 128 successful ransomware attacks on federal and state entities, healthcare providers, and educational institutions in the first 6 months of 2020, with the healthcare industry accounting for 32% of those attacks.

The large number of ransomware attacks in 2020 follows on from a spike in attacks in late 2019. 2019 saw more than double the number of ransomware attacks as 2018, attacks on healthcare providers increased by 350% in the final quarter of 2019. 966 entities were successfully attacked with ransomware across all industry sectors in 2019 and those attacks are estimated to have cost $7.5 billion.

2020 started badly for the healthcare industry with 10 successful ransomware attacks on healthcare providers in January, followed by a further 16 successful ransomware attacks in February. There was a marked decrease in attacks in March as COVID-19 spread throughout the United States. Three successful ransomware attacks were reported by healthcare providers in March and April and a further 4 attacks in May. While it is certainly good news that the number of successful attacks has declined as the year has progressed, the figures do not indicate any lowering of risk. The number of successful attacks has declined, but the number of attempted attacks has remained fairly constant. Emsisoft has predicted an increase in ransomware attacks on healthcare providers over the summer, as often happens at this time of year. Employees are also starting to return to the office. Ransomware attacks decreased as the COVID-19 pandemic hit the United States, but Emsisoft has started to see attacks increase once again.

One in Ten Ransomware Attacks See Data Stolen Prior to Encryption

Several threat actors are now conducting double extortion attacks, where data is stolen before the ransomware payload is deployed. The Maze ransomware gang was the first to start stealing data and issuing threats to publish the files if the ransom is not paid. The gang followed through on the threat and started publishing data on its website in November 2019. Several other ransomware gangs have also adopted similar tactics, including REvil/Sodinokibi, DoppelPaymer, and NetWalker.

With these groups, ransomware is often deployed many days, weeks, or even months after the initial system breach. During that time, the attackers move laterally to gain access to as many devices as possible and then time their attacks to cause maximum disruption. It is likely that several healthcare providers have already had their systems compromised, but the ransomware has not yet been deployed.

These prolific ransomware gangs have concentrated their attacks on entities in sectors that have the most to lose from the publication or sale of their data, including legal firms, healthcare providers, and firms in the financial sector. These attacks often make headline news, but they only account for around 1 in 10 successful ransomware attacks. From January 1, 2020 to June 30, 2020, ID Ransomware received 100,001 submissions about ransomware attacks and only around 11% – 11,642 submissions – involved ransomware variants used by groups known to steal data prior to encrypting files.

Emsisoft notes however that while several ransomware gangs alert the victim to the theft of their data to increase the probability of the ransom being paid, other ransomware gangs are likely to covertly steal data.

“All ransomware groups have the ability to exfiltrate data. While some groups overtly steal data and use the threat of its release as additional leverage to extort payment, other groups likely covertly steal it,” explained Emsisoft. While groups that steal covertly may not exfiltrate as much data as groups seeking to use it as leverage, they may well extract any data that has an obvious and significant market value or which can be used to attack other organizations.”

Ransomware Prevention and Damage Limitation

As long as ransomware attacks remain profitable and relatively low risk, the attacks will continue. Healthcare organizations therefore need to take steps to improve their defenses against attacks. To prevent attacks and limit the harm caused if they are successful, Emsisoft recommends healthcare organizations should patch promptly, limit admin rights, use multi-factor authentication, disable PowerShell when not needed, use web and email filtering, segment the network, and disable RDP if it is not being used… and lock it down if it is. Employees should be provided with regular security awareness training and all vendors that have access to healthcare systems should be audited to make sure they are adhering to best practices.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On