Updates on Ransomware Attack Tactics and Mobile Device Security

20% of Ransomware Attacks Involve Victim Harassment

Ransomware groups are increasingly omitting file encryption altogether and focusing on data theft and extortion, according to a new report from Palo Alto Networks' Unit 42 team. From July 2021 through 2022, about 1 in 10 ransomware attacks involved no file encryption at all, only data theft followed by extortion.

About a third of the incidents Unit 42 responded to were ransomware attacks, and 70% of those involved data theft, up from about 40% in mid-2021. Data from Coveware indicates that fewer ransomware victims are now paying, which has pushed ransomware groups toward more hostile tactics. According to Unit 42, ransomware groups post the data of about 7 new victims per day to their leak sites, and harassment of victims is becoming increasingly common: it featured in about 20% of the incidents Unit 42 handled, compared to about 1% of attacks in mid-2021.

Michael Sikorski, Unit 42's CTO and VP of threat intelligence, described a case in which a hospital refused to pay and the threat actor then contacted patients directly, threatening to expose their medical records in order to pressure the hospital into paying. In another incident, the wife of a company's CEO received threatening SMS messages because the ransom had not been paid. When a threat actor calls and harasses a company's patients or clients, the reputational damage can translate into a substantial loss of business. Sikorski noted that more ransomware victims are now restoring files from backups and refusing to pay, but harassment tactics could reverse that trend.

Organizations must create and follow an incident response plan to ensure the fastest possible recovery from a ransomware attack, but Palo Alto Networks also recommends preparing a multi-extortion playbook and crisis communication procedures. A comprehensive incident response plan with matching crisis communication procedures greatly reduces uncertainty: it should define which stakeholders must be involved and how decisions are made quickly (for example, whether to pay the ransom, and who is authorized to approve a payment). It is equally important to define what to do, and what not to do, when a ransomware group begins contacting and harassing staff or patients. Staff should receive ransomware harassment training covering the resources and processes to follow during an active harassment incident. With a multi-extortion playbook in place, the resulting harm can be limited.

Ransomware Attacks Grew by Over 51% in February

According to the latest GRIT Ransomware Report from GuidePoint Security, ransomware activity increased in February. The report is based on data gathered by the GuidePoint Research and Intelligence Team (GRIT), which shows that the number of attacks was 51.5% higher than in January 2023 and 15.8% higher than in February 2022.

The LockBit 3.0 ransomware group was particularly active in February, posting the data of more than twice as many victims (129) on its leak site as in January (50), which accounts for almost all of the monthly increase. ALPHV/BlackCat also posted more victims (30) than in January (21). The Royal, BianLian and Medusa ransomware groups took third, fourth and fifth place. Royal posted 21% fewer victims than in January, while BianLian's victim count rose by 400%. According to the cybersecurity company Redacted, the BianLian group appears to have changed tactics and is now making more money from its breaches by skipping file encryption and focusing on extortion after data theft.

Although the healthcare sector is a frequent target of ransomware groups, February saw a shift in the sectors attacked, with a notable increase in attacks on banking/financial services, food and beverage, and engineering. The GRIT data places healthcare 7th among the 10 most targeted industries. While the most active ransomware groups do not appear to be focusing on healthcare, many smaller groups attack it continuously, and GuidePoint Security has cautioned that these smaller groups, which frequently break away from larger ransomware operations, are more likely than the large groups to actively attack the healthcare sector.

The researchers also note that the Royal ransomware group is relatively new, having started operations in September 2022. The group has carried out about 97 attacks since then, and its activity is likely to increase. Royal is believed to include members of other ransomware groups such as Conti and to have considerable experience in conducting ransomware attacks. The Health Sector Cybersecurity Coordination Center recently issued a warning about Royal ransomware, stating that the group poses a threat to the healthcare and public health (HPH) sector. Royal was responsible for the recent ransomware attack on the medical device maker Revenetics, although most of the group's victims to date have been in the technology industry.

As in January, most targets were in the United States (62 in January and 117 in February), although attacks were more geographically distributed in February, occurring in 48 countries compared to 38 in January.

Enhance Mobile Device Protection Using this HC3 Checklist

The Health Sector Cybersecurity Coordination Center (HC3) has published a mobile device security checklist to help healthcare organizations address a common cybersecurity weak spot and better protect patient information. Healthcare organizations use a wide range of mobile devices, many of which are networked and collect, store, and transmit patient data. These devices frequently play a crucial role in healthcare workflows, and large hospitals use thousands of them.

Although these devices perform important functions, they substantially extend the attack surface and frequently contain vulnerabilities that could be exploited to access patient information and healthcare systems. The risks vary with the nature of the device and how it is used: devices may be lost or stolen, they may connect to unsecured Wi-Fi networks, and the applications they run may have exploitable vulnerabilities that lead to unauthorized system access or the deployment of malware or ransomware.

HC3's checklist is a straightforward, user-friendly document that covers the fundamental security controls to consider for every mobile device used in healthcare. It recommends limiting connectivity by disabling the wireless communication protocols a device supports, including 802.11 Wi-Fi, cellular, and broadband connections, whenever they are not strictly necessary.

Users should exercise caution before connecting to any untrusted or public network. Where connections to home wireless networks are necessary, a VPN should be used and the access points should have adequate security capabilities. Connections to corporate enterprise infrastructure must be encrypted. The applications installed on a device should be kept to a minimum and controlled with allow lists and deny lists (whitelists/blacklists).

Vulnerabilities should be identified and patched promptly, which requires a thorough, accurate, and up-to-date inventory of all devices. Software and apps must be kept updated, preferably through automatic updates, unless automatic updates could interfere with a device's function. All devices should first be configured for full functionality and then hardened for maximum security.

Strong authentication must be enforced, including an appropriate level of password complexity, multi-factor authentication, and a device lock after a period of inactivity. HIPAA requires that PHI be protected in transit, so communications must be encrypted, either with the device's native encryption functions or with encryption software.

Backup processes must be in place to protect against data loss. The 3-2-1 backup rule is recommended: at least three copies of the data, on two different media, with one copy kept safely offline. To protect against malware and ransomware, use endpoint security solutions and ensure devices can be wiped remotely. All devices must be physically secured at all times, and employees should receive security training.

The HC3 mobile device security checklist can be downloaded here.
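The checklist items above (a complete inventory, patch level, unnecessary radios, automatic updates with documented exemptions, an inactivity lock, MFA, encryption, application allow lists, endpoint protection and remote wipe) map naturally onto an automated posture audit of an MDM or asset-inventory export. The following Python script is an added example written for this page; it is not HC3 tooling and is not part of the checklist. The device records, the policy thresholds, and every field name are constructed for illustration, and a real deployment would read the records from the organization's MDM instead.

```python
"""Audit a mobile device inventory against the HC3 checklist items above.

Added example, not HC3's own tooling. The device records, the policy
thresholds and all field names are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed policy modelled on the checklist (thresholds are assumptions).
POLICY = {
    "min_os_version": {"ios": "16.3", "android": "13"},
    "max_lock_timeout_s": 300,
    "allowed_apps": {"ehr-client", "secure-messaging", "vpn-client"},
}


@dataclass
class Device:
    device_id: str
    os: str                               # "ios" or "android"
    os_version: str
    radios_enabled: Set[str]              # e.g. {"wifi", "cellular", "bluetooth"}
    radios_required: Set[str]             # radios the device's clinical use needs
    auto_update: bool
    auto_update_exemption: Optional[str]  # documented reason, or None
    lock_timeout_s: Optional[int]         # None = no inactivity lock configured
    mfa_enabled: bool
    storage_encrypted: bool
    endpoint_protection: bool
    remote_wipe_enrolled: bool
    installed_apps: Set[str] = field(default_factory=set)


def version_tuple(v: str) -> tuple:
    """'16.3.1' -> (16, 3, 1). Non-numeric parts compare as 0, so '16.4' > '16.3.1'
    and a vendor suffix such as '13-beta' cannot crash the audit."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_device(dev: Device, policy=POLICY) -> List[str]:
    """Return the checklist items this device fails (empty list = compliant)."""
    findings = []
    min_v = policy["min_os_version"].get(dev.os)
    if min_v is None:
        findings.append(f"unknown platform {dev.os!r}; cannot assess patch level")
    elif version_tuple(dev.os_version) < version_tuple(min_v):
        findings.append(f"OS {dev.os_version} below minimum {min_v}")
    # Connectivity: every radio beyond what the device's role needs is a finding.
    for radio in sorted(dev.radios_enabled - dev.radios_required):
        findings.append(f"unnecessary radio enabled: {radio}")
    # Auto-updates may be off only when an exemption (e.g. vendor validation) is recorded.
    if not dev.auto_update and not dev.auto_update_exemption:
        findings.append("automatic updates disabled without documented exemption")
    if dev.lock_timeout_s is None:
        findings.append("no inactivity device lock configured")
    elif dev.lock_timeout_s > policy["max_lock_timeout_s"]:
        findings.append(f"device lock timeout {dev.lock_timeout_s}s exceeds "
                        f"{policy['max_lock_timeout_s']}s")
    if not dev.mfa_enabled:
        findings.append("multi-factor authentication not enforced")
    if not dev.storage_encrypted:
        findings.append("device storage not encrypted")
    for app in sorted(dev.installed_apps - policy["allowed_apps"]):
        findings.append(f"app not on allow list: {app}")
    if not dev.endpoint_protection:
        findings.append("no endpoint protection agent")
    if not dev.remote_wipe_enrolled:
        findings.append("remote wipe not available")
    return findings


def audit_fleet(inventory: List[Device], observed_ids: Set[str],
                policy=POLICY) -> Dict[str, List[str]]:
    """Audit every inventoried device and flag devices seen on the network that the
    inventory does not know about (the checklist's 'accurate, up-to-date inventory')."""
    report = {d.device_id: audit_device(d, policy) for d in inventory}
    for unknown in sorted(observed_ids - {d.device_id for d in inventory}):
        report[unknown] = ["device observed on network but missing from inventory"]
    return report


# Constructed sample records (not real devices).
SAMPLE_INVENTORY = [
    Device("tablet-icu-01", "ios", "16.4", {"wifi"}, {"wifi"}, True, None, 120,
           True, True, True, True, {"ehr-client", "secure-messaging"}),
    Device("phone-er-07", "android", "12", {"wifi", "cellular", "bluetooth"},
           {"wifi", "cellular"}, False, None, 900, False, True, True, False,
           {"ehr-client", "social-app"}),
    Device("pump-ctrl-03", "android", "13", {"wifi"}, {"wifi"}, False,
           "vendor validation required before OS updates", 60,
           True, True, True, True, {"vpn-client"}),
]
# Device IDs seen on the network segment; one of them is not inventoried.
SAMPLE_OBSERVED = {"tablet-icu-01", "phone-er-07", "pump-ctrl-03", "unknown-mac-a1b2"}

if __name__ == "__main__":
    for dev_id, findings in audit_fleet(SAMPLE_INVENTORY, SAMPLE_OBSERVED).items():
        print(f"{dev_id}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")
```

Two design points follow the checklist's wording directly: a device seen on the network but absent from the inventory is reported as its own finding, because the patching advice depends on the inventory being complete, and a device with automatic updates disabled passes only when an exemption reason is recorded, matching the carve-out for devices whose function an update could disrupt. The version comparison deliberately tolerates non-numeric suffixes so one oddly formatted OS string cannot abort a fleet-wide audit.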

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Her contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone