The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Industry Most Commonly Attacked with Downloaders and Ransomware

Posted By on Jan 26, 2023

Blackberry has recently published its Global Threat Intelligence Report, which provides actionable and contextualized intelligence that can be used to improve cyber resilience. The report is based on data collected by Blackberry and threat intelligence provided by third parties, gathered over 90 days between September and November 2022.

Throughout the reporting period, downloaders were among the most commonly observed threats. Downloaders are malicious software that often masquerade as legitimate digital documents and executables and are used to download a range of other malicious software. Once installed, these downloaders often remain undetected for long periods and form large botnets of infected devices. The operators of these botnets partner with other threat groups to deliver third-party payloads. One of the most commonly used downloaders is Emotet, which first emerged in 2014 as a banking Trojan. An international law enforcement operation successfully shut down the Emotet botnet in April 2021 but it was eventually rebuilt and started to be used again at the end of 2021. After a 4-month hiatus in 2022, activity resumed, with the botnet grown via phishing emails with malicious Office attachments. Emotet commonly drops the IcedID banking Trojan, which in turn often delivers ransomware payloads.

Qakbot is another common downloader that is similarly distributed in phishing emails. The emails typically have a LNK hyperlink that directs the user to a malicious domain where a ZIP file is downloaded. The ZIP files contain an executable file that delivers QakBot. QakBot is able to hijack existing message threads for propagation, targeting individuals in the victims’ contact list, making it appear that the emails have been sent in response to a previous conversation. The QakBot operators provide initial access to networks for several ransomware operations. The Blackberry researchers also detected an increase in GuLoader, which is often used to deliver information stealers such as Redline and Racoon, with the malicious payloads often hosted on cloud services such as Google Cloud and OneDrive, as well as malicious Telegram bots. Throughout 2022, LockBit was the most commonly used ransomware variant and remained so throughout the 90-day analysis period. RedLine and Racoon were the most commonly observed information stealers, and njRAT and FlawedAmmyy were the most commonly identified remote access Trojans.

For its latest report, Blackberry analyzed attacks on the healthcare sector, which the researchers say is particularly vulnerable to attacks due to the widespread use of medical technology with a long service life, the complex and often interconnected nature of healthcare systems, and the vast amounts of sensitive data that are routinely collected and stored. Ransomware still poses the biggest threat to the healthcare sector, and all of the threat groups that rely on ransomware are actively targeting the healthcare industry. While some ransomware-as-a-service operations claim to have operating rules prohibiting attacks on the healthcare sector, those promises cannot be guaranteed and there have been many cases where healthcare organizations have been attacked despite these rules being in place.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Qakbot was the most commonly observed Trojan in attacks on the healthcare sector, most commonly to provide access to healthcare networks for ransomware affiliates and initial access brokers. Emotet was not very active over the analysis period, although attacks are expected to increase. Meterpreter, a payload delivered via Metasploit, and BloodHound were active during the analysis period and had been used in attacks on the healthcare sector. One attack used Meterpreter along with SharpHound, a collector for BloodHound often used for lateral movement. The researchers echoed the advice of CISA and recommend network and system administrators intentionally execute BloodHound to understand possible attack paths.

Several attacks on the sector involved TinyNuke, which was used to deliver the Netwire RAT, and some attacks involved the PlugX RAT, which is commonly used by nation-state actors such as Mustang Panda, which suggests nation-state actors and cybercriminals are actively targeting the sector. Information stealers such as RedLine and Racoon have been extensively used in attacks in 2022; however, these malware variants do not appear to have been used specifically to attack the sector.

The financially motivated threat group, TA505, remains highly active and has targeted the healthcare sector. The group is known to use Clop ransomware, the FlawedAmmyy RAT, and banking Trojans. ALPHV is a relatively new cybercriminal group that has been conducting attacks on the healthcare sector. The group often deploys BlackCat ransomware and is known for using innovative extortion tactics and unconventional attack methods. ALPHV claimed responsibility for the recent attack on NextGen Healthcare. The Vietnam-based threat actor, APT32, the Chinese APT group, Mustang Panda, the Russian threat actor, APT29, and the cybercriminal group, TA542, have also been highly active and have a history of attacking healthcare organizations.

The researchers believe the healthcare industry will continue to be targeted throughout 2023 and ransomware will remain one of the biggest threats. They also predict more targeted attacks on cloud infrastructure as threat actors seek to gain additional visibility into the organizations that they seek to undermine or extract profit.

“The growth of targeted attacks in the automotive, healthcare, and financial industries cast a harsh light on the critical need to protect these sectors’ expansive and vulnerable threat surfaces,” said the researchers. “Defending your organization against malware and cyberattacks requires in-depth knowledge of how threat actors are targeting your industry, the tools that they use, and their possible motivations. This detailed knowledge provides contextual, anticipative, and actionable cyberthreat intelligence that can reduce the impact of threats on your organization.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist