Healthcare organizations sitting on 'unexploded' ransomware

In the age of COVID-19, it appears there's no honor among ransomware gangs.

As the COVID-19 pandemic worsened in March, several notorious ransomware gangs publicly announced they would not target any medical facilities or hospitals until the situation stabilized. And to some extent, they just might be. Recent threat research from several vendors has shown a decline in attacks against healthcare organizations. VMware Carbon Black, for example, recently reported that even as overall ransomware attacks across the globe surged 148% in March, attacks of healthcare organizations declined.

Antimalware vendor Emsisoft reported a steep drop in confirmed ransomware attacks on U.S. healthcare targets for the first quarter, which saw just 25 attacks compared to an average of 191 per quarter in 2019. Emsisoft also observed just two successful attacks on U.S. healthcare organizations between April 1-20.  

"I would say that the number of attacks -- at least, successful attacks -- on healthcare providers are down globally. However, that's not based on hard data, as we only track U.S. incidents. In general, the number of successful attacks on the U.S. public sector, including state and municipal governments and education, is down across the board," Brett Callow, threat analyst at Emsisoft, told SearchSecurity.

While the number of successful ransomware attacks on healthcare may have declined significantly in recent months, public and private organizations have also warned that ransomware gangs continue target healthcare organizations. On April 1, Microsoft announced it had sent warnings to "dozens" of hospitals with vulnerable gateway and VPN software to warn them of potentially impending ransomware attacks. On April 4, INTERPOL issued a warning that cybercriminals were targeting "critical healthcare institutions" across the globe with ransomware.

And just last week, a report from Microsoft's Threat Protection Intelligence Team said ransomware groups continued to target healthcare and critical services in April. "Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020," the report read.

Affected parties include aid organizations, educational software providers, government institutions, manufacturing, medical billing companies, transport and, in addition, plenty of non-critical businesses and organizations.

Threat actors gained access to the networks well before that two-week period, suggesting there was a period of dwell time before those deployments.

"The ransomware deployments in this two-week period appear to cause a slight uptick in the volume of ransomware attacks. However, Microsoft security intelligence as well as forensic data from relevant incident response engagements by Microsoft Detection and Response Team (DART) showed that many of the compromises that enabled these attacks occurred earlier."

While Microsoft didn't offer any additional commentary on whether the attacks observed in the first two weeks of April were successful or not, SearchSecurity asked the company whether data exfiltration is the reason for the delayed ransomware deployments. Several ransomware gangs such as Maze have begun to steal victims' data before encrypting it, and then threatening to publish any sensitive data on the internet to force victims to pay the ransoms.

"Data exfiltration is a very common practice for ransomware groups, but the primary reason for delayed ransomware deployment is attackers commonly wait for moments when they know are most inconvenient for targets and thus more likely they will pay ransoms," the spokesperson told SearchSecurity.

While ransomware attacks were down in recent months, threat actors continue to compromise healthcare networks and may simply waiting for the right chance to strike. "I would say it's highly likely that there are healthcare providers with 'unexploded ordnance.' Whether the attackers will wait until the pandemic eases prior to striking is impossible to say, and may depend on which group was responsible," Callow said. "Some groups have stated they will avoid attacks on the health sector during the COVID-19 outbreak, while others have made no such claim and continue to attack the sector."

Callow called this threat actor tactic of delaying ransomware deployment "far from a new development."

"Pre-COVID-19, groups would wait days, weeks or even months after the initial compromise before deployment. The reason for that is not clear. It could be because they wait for what they believe is likely to be the most financially beneficial time or it could simply because they queue cases according to potential ROI."

In last week's post, Microsoft said many of the compromises began with exploitation of vulnerable network devices such as VPNs or brute force attacks on Remote Desktop Protocol (RDP) servers. The Threat Protection Intelligence Team urged organizations to look for signs of compromise before a ransomware payload is delivered, such as suspicious activity around account credentials or unusual Windows registry modifications.

In addition, Microsoft recommended several steps to help healthcare organizations reduce their attack surface for ransomware threats, including implementing multifactor authentication for RDP and virtual desktop accounts, randomizing administrator passwords and patching any network devices or services exposed to the public internet.