The healthcare sector saw its first surge of ransomware attacks in 2016, with health systems like MedStar Health and a host of others falling victim. Since that time, a wide range of providers have been hit by both targeted attacks and incidents initially directed at other entities, like NotPetya and WannaCry.
Most recently, hundreds of dental provider offices were infected and shut out of their systems, after an attack on their vendor Digital Dental Records and PerCSoft. Just a few weeks before, hackers demanded a $1 million ransom from Grays Harbor Community Hospital and Harbor Medical Group in Washington.
The McAfee report confirms ransomware is not going anywhere: Across all sectors, ransomware incidents increased by 118 percent during the first quarter of 2019.
“After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach,” said Christiaan Beek, McAfee lead scientist and senior principal engineer, in a statement.
“Paying ransoms supports cybercriminal businesses and perpetuates attacks. There are other options available to victims of ransomware,” he added. “Decryption tools and campaign information are available through tools such as the No More Ransom project.”
Three ransomware variants have dominated the threat landscape, demanding high ransoms and causing long periods of downtime. Coveware researchers recently published similar findings, with ransomware causing 10 days of downtime on average.
Overall, malware led disclosed attack vectors, followed closely by hijacking and targeted attacks. The report also found new malware samples have increased by 35 percent. These attacks increased 18 percent in the healthcare sector, or third overall.
What’s more, 77 percent of targeted attacks relied on user interaction for campaign execution.
Spear-phishing tactics are still a common attack method, but researchers discovered that an increasing number of successful attacks leveraged open and exposed endpoints like Virtual Network Computing (VNC) and the Remote Desktop Protocol (RDP).
Microsoft, the National Security Agency, and security leaders have warned that these ports on some legacy platforms are vulnerable to BlueKeep, a vulnerability similar to the flaw used in 2017’s global WannaCry attack.
“RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets,” researchers wrote. “Where past ransomware criminals would set up a command and control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden.”
Researchers also found more than 2.2 billion accounts were breached and dumped during the first quarter. And larger organizations are being targeted using brute-force, automation, and password-spraying attacks.
Lastly, there’s been an increase in Server Message Block (SMB) attacks, of which healthcare providers should take note. Over the course of a 30-day period, McAfee observed more than 4 million unique sources of SMB exploit traffic.
“SMBs pose a risk for less configured systems running legacy applications that are unable to be completely patched,” the researchers wrote. “Significant traffic originating on the SMB protocol has been detected targeting various machines in an attempt to exploit them and gain access.”
“The impact of these threats is very real,” Raj Samani, McAfee fellow and chief scientist, said in a statement. “It’s important to recognize that the numbers, highlighting increases or decreases of certain types of attacks, only tell a fraction of the story. Every infection is another business dealing with outages, or a consumer facing major fraud. We must not forget for every cyberattack, there is a human cost.”