Stopping cybercriminals profiting from endpoint vulnerabilities in healthcare sector

Stopping cybercriminals profiting from endpoint vulnerabilities in healthcare sector

With the healthcare sector in Australia suffering unprecedented attacks on endpoints, Greg Foss, Senior Cybersecurity Strategist at VMware Carbon Black, tells us how IT leaders can ensure effective endpoint protection with the result that security teams can benefit from the full visibility and control required to prevent, detect and respond to endpoint threats.

On the frontline of the pandemic, perhaps no industry was impacted and forced to innovate and transform as quickly as healthcare in 2020. Whether it was the rapid development of COVID-19 testing technology or the explosion of telehealth, healthcare organizations accelerated Digital Transformation in record time. But with these innovations came new and unprecedented security vulnerabilities that cybercriminals quickly looked to exploit and profit from.


In Australia, cyberattacks on the healthcare sector are also set to increase with the warnings from the Australian Cybersecurity Center (ACSC) to Australian healthcare providers that it had observed an increase in cyber-incidents targeting the sector. In addition, the Office of the Australian Information Commissioner (OAIC) also reported the healthcare sector as the top industry sector accounting for 22% of the breaches in its July to December 2020 Notifiable Data Breaches Report.


According to VMware Carbon Black, in the latter half of the year, we saw the attempted attacks per endpoint peak with an 87% increase from September to October. The timing of this significant spike corresponds with the October alert from the Cybersecurity and Infrastructure Security Agency (CISA), which warned of increased cyberattacks by a Ryuk ransomware gang specifically targeting healthcare organizations.
We are now also seeing ‘secondary infections’ which are leveraged to facilitate long-term cyberattack campaigns, happening across the digital healthcare supply chain and have led to a surge of extortions and helped fuel a cybercrime market. Our research found protected health information (PHI) being bought and sold on Dark Web markets as cybercriminals look for the easiest way to cash in on data.


According to Greg Foss, Senior Cybersecurity Strategist at VMware Carbon Black, in 2020 we saw ransomware go mainstream. The wide-reaching impact of ransomware has been assisted largely by way of affiliate programs. With many ransomware groups offering Ransomware-As-a-Service (RaaS), making the deployment of ransomware easily accessible to millions of cybercriminals who previously didn’t have the tools to carry out these attacks. Compounding these risks is the adage of affiliate programs for ransomware groups, providing new and unique ways for malware operators to have others deploy their payloads for a cut of the eventual profits.


Throughout 2020, we have seen expansions in the use of ransomware with some threat actors repurposing ransomware for use as pure wipers, wherein the decryption keys will be able to recover the lost data, and more recently in Denial-of-Service (DoS) attacks, impacting core services that citizens rely on every day. There is no sign of these groups slowing down. In fact, we are witnessing the exact opposite, with groups beginning to collaborate at an unprecedented scale, share stolen resources and even combine forces.


“COVID-19 test results are a hot commodity on the Dark Web right now, mostly in the form of large data dumps,” said Foss. “An interesting component around today’s ransomware attacks is that underqualified, lesser-known cybercriminal groups are behind them thanks to the rise in RaaS. All it takes is a quick search on the Dark Web for someone to license out a ransomware payload to infect targets. Today, it’s unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware.”


Top five ransomware families of 2020
The top five ransomware families used to target VMware Carbon Black healthcare customers in 2020 were identified as:
Cerber (58%)
Cerber ransomware is a type of malware (malicious software) that encrypts your files and then holds them hostage, demanding a ransom payment in exchange for returning them to you.
Sodinokibi (16%)
Sobinokibi ransomware is highly evasive and takes many measures to prevent its detection by antivirus and other means.
VBCrypt (14%)
VBCrypt is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker’s choice on an affected computer. This virus targets Windows programs.
Cryxos (8%)
Cryxos Trojans display deceptive alerts/notifications on compromised or malicious websites. The notifications claim that the user’s computer is infected with a virus (or viruses), is blocked and some personal details have been stolen.
VBKrypt (4%)
The VBKrypt malware family is written in the Visual Basic programming language, which is its main distinguishing trait from other malware families. Based on the specific variant, the trojan may drop files, write to the registry and perform other unauthorized actions on the affected computer system.


Foss said: “As RaaS explodes in popularity on the crimeware forums, cybercriminals are finding new and unique ways to deploy ransomware across organizations. Similar to how spies are recruited for espionage against government agencies, regular everyday people with access to high-value targets can be recruited to deploy malware.


“Often, they are lured through offers of significant sums of money or even a percentage of the ransomware payout, with some offering hundreds of thousands of dollars per victimised organization. Affiliate programs and partnerships between ransomware groups have also become a common occurrence alongside the general recruiting of insiders.

“These affiliate programs look to partner with initial access brokers – criminals that specialize in breaking into organizations and subsequently sell direct access and other ransomware gangs in order to improve their tradecraft, furthering their reach and overall profitability.”


The rise in secondary extortion
Ransomware groups have widely adopted double extortion as a core tactic to ensure profitability. By taking time to quietly exfiltrate sensitive information from the organization, cybercriminals gain incrementally significant leverage on their victim organizations, forcing organizations to not only pay to decrypt their content but also prevent potentially harmful data from being sold or otherwise publicly disclosed. Thus, significantly increasing the impact and damage that ransomware groups can inflict upon their victims and sending a stark warning to others to protect their networks from this ever-evolving threat.


How to fight back: Three security recommendations for healthcare IT leaders
For healthcare organizations, understanding the evolving threat landscape is half the battle. Now that CISOs have a grasp of what they’re up against, there are key defenses that should be in place. Here are three best practices to help them stay one step ahead of attackers:

  1. Next-generation Antivirus (AV): CISOs can start by ensuring their endpoint protection solution incorporates defenses for each phase of ransomware attacks: the delivery, propagation and encryption stages. Today, traditional AV focuses mostly on the delivery stage, but this leaves a security gap with new malware. To detect and stop these attacks from propagating, solutions should also track endpoint activity to root out common behaviors such as privilege escalation and lateral movement, and finally prevent encryption by employing decoys and protecting local files and critical boot sequences. VMware Carbon Black Cloud Endpoint Standard offers protection through each of the common ransomware stages and breakthrough prevention for today’s advanced cyberattacks.
  2. Endpoint Protection: IT leaders need an endpoint protection solution that easily scales and deploys to new users. The inability to rapidly provision new remote endpoints is another vulnerability and break in security postures. Healthcare organizations need the ability to easily provision access to new users while maintaining data privacy, compliance and security practices. Siloed and on-premise security products increase complexity and delay progress in standing up and securing remote workers. VMware Carbon Black Cloud Endpoint helps organizations transform security with cloud-native endpoint protection that eliminates many of the time and resource-consuming barriers that often slow down deployments. The solution also offers security teams the full visibility and control required to help prevent, detect and respond to endpoint threats.
  3. IT Tracking Tools: For CISOs to understand any area of vulnerability it’s important to employ a solution that enables organizations to assess and harden system state. It’s much easier to patch and prevent attacks than it is to remediate them. When it comes to helping prevent ransomware attacks, solutions that offer automated reporting to track configuration drift will help ensure environments stay as secure as possible. The VMware Carbon Black Cloud Audit and Remediation solution allows security teams to easily track drift and comes ready with built-in response tools to apply updates or run scripts for full remediation in minutes.

Browse our latest issue

Intelligent CIO APAC

View Magazine Archive