In his first column in 2021, our cyber security columnist, Davey Winder explores the evolution of ransomware and why cyber criminals are looking towards tailored attacks.

Healthcare is under attack and the instigators are gangs of ransomware-wielding criminals. Rapidly evolving attack methodologies and the ongoing pandemic are creating something of a perfect storm, a veritable crime-tsunami targeting the most at risk people at the worst possible time.

Ransomware remains the biggest global cyber threat to healthcare, according to research from security vendor Check Point. From November onwards, the researchers say, the number of attacks targeting healthcare have grown by 45%.

To put that into some perspective, Check Point says this equates to more than double the increase in cyber-attacks across all global industry sectors in the same period. The motivation is easy to understand: these criminal operators are looking for the biggest profit in the shortest timescale, and healthcare providers under the pandemic makes for the perfect target.

Tailored attacks

The fact that healthcare providers are being targeted during the Covid-19 pandemic is not news. Threat intelligence experts have been warning for the longest time that the gangs behind the ransomware are upping their game, adopting tactics more commonly associated with nation-state ‘advanced persistent threat’ operatives.

Rather than the ‘spray, pray and hope they pay’ distribution of ransomware from just a couple of years ago (the NHS was not the target of WannaCry back in 2017), the gangs are focusing on healthcare and shaping their attacks accordingly.

These are individually tailored attacks against not just a sector, but specific targets within specific targets: recon is performed to ensure that the most operations-critical parts of the target network are hit.

They are not quick and opportunistic attacks, but strategically planned ones that take time to infiltrate networks, steal credentials and move laterally. These are, and I hate to use the word, intelligent operations that employ data exfiltration before locking down a network, and that have other tricks to ‘encourage’ payment up their ever-evolving threat sleeves.

Evolution of ransomware

This evolution of ransomware is a combination of the technical and tactical. Nowhere is this better evidenced than moves towards using distributed denial of service (DDoS) attacks in order to get ransom negotiations started if things aren’t moving fast enough.

Such DDoS attacks are a cheap and highly effective way to disrupt business operations. Not that ransomware gangs are short of cash, sadly, but maximising profit is the goal and so such attacks can be outsourced and carried out on a continuous basis until the victim caves.

This isn’t DDoS extortion, a wider and unrelated threat, but rather a tool employed purely to ‘encourage’ contact with the attackers. Other tactics are, in many ways, even more aggressive.

Tactics such as ‘cold-calling’ organisations to demand quick payment, making the ransomware attack even more close up and personal, complete with warnings about what will happen next if a quick resolution isn’t made. A newly published Digital Shadows report reveals that some of these calls include threats to employee safety.

Not the time for complacency

While I have not seen any evidence of an uptick of attacks against NHS providers, and successful ransomware attacks on the private healthcare sector remain relatively rare, all of the above screams that this is not the time for complacency. Given that the pandemic has forced an acceleration of cross-sector remote healthcare provision in the UK, from telephone GP appointments to video-based clinical consultations, you can bet that ransomware operators are already exploring the potential to disrupt these services for their illicit gain.

Back in October 2020 after the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published a warning in conjunction with the FBI of the ongoing threat from Ryuk ransomware to US hospitals, the UK’s National Cyber Security Centre (NCSC) was quick to respond.

“The NCSC is committed to protecting our most critical assets and the health sector is a top priority,” it said in an online statement.

“Ransomware is a significant cyber risk and we continue to work closely with government and the NHS to ensure that we are taking all available measures to counter the threat.”

I used to regularly warn about the risk to patient health through vulnerabilities in legacy operating systems and internet of medical things devices.

Those risks have not gone away, but in terms of current clear and present threats, ransomware is now the one to watch for both the public and private healthcare sector in the UK, in my never humble opinion.

I will continue to repeat my mantra of education being vital in the fight against ransomware. Most attacks, and certainly the most targeted of attacks, will start with social engineering. If everyone in the organisation is aware of the risk and what it looks like in the real-world, which is less likely to be predominantly malware-driven attacks and veer more toward malicious link based phishing, then the attackers are less likely to succeed.