
Ransomware Groups Continue to Target Healthcare Organisations and Hospitals.

Updated: Oct 31, 2023







Ransomware is one of the most insidious and potentially damaging online attacks that can be carried out against an organisation. Data held on devices or servers is encrypted by a malicious group and this potentially devastating hack is based on the premise that the only way to recover your data is to pay a ransom to the attackers. The criminals promise to send the target the decryption key in return for a specified fee, although this does not always happen. If the recipients of the ransomware have backed up their data, they will be able to reset their systems and the problem is greatly minimised. If the ransomware group has exfiltrated private data, they may try another form of extortion by threatening to expose sensitive data online. This is a new development in the field of ransomware and health services are a clear target of these double extortion tactics.


Ransomware has been rising at a phenomenal rate. Although many are vulnerable to this attack, healthcare bodies and hospitals are a priority target for many organised attackers. The fundamental importance of having a reliable system available can be a matter of life and death. Hospitals hold a great deal of data on patients that is fundamental to their day-to-day operations. Trying to function without access to this data is extremely difficult and ransomware groups know they can leverage huge pressure to get the ransom paid to decrypt the encrypted data again.


High-profile cases surged this year and in 2020. A number of Finnish psychotherapy clinics that had been attacked by a ransomware group initially refused to pay the ransom. The criminal group demanded more money to not release the private data online. They released some of the data and demanded an even higher amount to not leak more data online. The company in charge of these clinics, Vastaamo, denies paying the fee, although the full records were never released online.


Ryuk ransomware was used to hit Universal Health Services last September. The company operates hundreds of hospitals in multiple countries. The attack began to hit on a Sunday morning, at a time of the week when most organisations are more vulnerable. The company had to get staff to work with paper and pencil. This particular attack was estimated to have cost UHS over fifty million euros.


Recent attacks in the Irish health service follow a similar pattern. Frontline services were reduced dramatically, and demands were made for money, in this case over 16 million euros. Ransomware does not get a foothold without the inadvertent help of a member of staff. An employee had to click on the link or fall for the phishing email to set the attack in motion. In the case of the attack on the HSE in Ireland, it is now being reported that a single computer was the point of entry, where an employee experiencing technical issues with a terminal entered into a conversation with somebody claiming to be able to fix the problem if the user just followed their instructions.


The specific strain of ransomware employed in the Irish attack is called Conti. This is a fairly sophisticated form of malware with high-speed encryption capabilities and inbuilt anti-analysis attributes, making it more complex for analysts to figure out how it works. Conti also deletes any shadow copies of files and adds a .Conti extension to all files on the system. The types of encryption utilised by Conti are highly advanced and not vulnerable to being broken currently.
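The two behaviours described above, shadow-copy deletion and files gaining a .Conti extension, are both things a defender can look for in endpoint telemetry. The following is an added example, not code from the original article: the event format, host names and rename threshold are assumptions, and the command patterns are generic Windows shadow-copy deletion commands, since the article does not say which method Conti uses.

```python
import re
from collections import defaultdict

# Assumed detection patterns: generic Windows commands that delete shadow copies.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE)
RANSOM_EXT = ".conti"      # extension named in the article, compared case-insensitively
RENAME_THRESHOLD = 3       # assumed burst size for this small sample; tune per site

# Constructed endpoint events (host, event type, detail); not real log data.
EVENTS = [
    ("ward-pc-07", "process", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ward-pc-07", "file_rename", r"C:\Records\patients_2021.xlsx.Conti"),
    ("ward-pc-07", "file_rename", r"C:\Records\rota.docx.Conti"),
    ("ward-pc-07", "file_rename", r"C:\Records\scans\ct_0042.dcm.CONTI"),
    ("lab-pc-02", "file_rename", r"D:\Share\results.csv.Conti"),
    ("admin-pc-01", "process", r"vssadmin list shadows"),
    ("backup-srv-01", "process", r"wmic shadowcopy delete"),
    ("admin-pc-01", "file_rename", r"C:\Users\a\notes_final.txt"),
]

def triage(events, threshold=RENAME_THRESHOLD):
    """Return {host: severity} for hosts showing either indicator."""
    shadow_hosts = set()
    renames = defaultdict(int)
    for host, kind, detail in events:
        if kind == "process" and SHADOW_DELETE.search(detail):
            shadow_hosts.add(host)
        elif kind == "file_rename" and detail.lower().endswith(RANSOM_EXT):
            renames[host] += 1
    report = {}
    for host in shadow_hosts | set(renames):
        burst = renames[host] >= threshold
        if host in shadow_hosts and burst:
            report[host] = "critical"   # backups removed and files being renamed
        elif host in shadow_hosts or burst:
            report[host] = "high"       # one strong indicator on its own
        else:
            report[host] = "low"        # isolated rename, e.g. reached via a share
    return report

if __name__ == "__main__":
    for host, severity in sorted(triage(EVENTS).items()):
        print(f"{host}: {severity}")
```

A host that shows shadow-copy deletion on its own is still worth isolating quickly, because that step removes a local recovery path before any files are touched.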


The group behind Conti claims to have taken in the region of 700 GB of unencrypted data from the HSE.


An FBI bulletin released last year describes how multiple health agencies in the United States have been hit by Conti ransomware since 2020.

Attacks on the NHS in Britain last year demonstrated that legacy and sometimes unsupported operating systems such as Windows XP and Windows 7 were being run by healthcare providers. There was also little to no training for staff on basic cybersecurity and the types of tell-tale signs of ransomware or other forms of malware.


Ransomware groups are conscious of the value and sensitivity of data held by hospitals. Healthcare providers will be extremely eager to get access to the encrypted data and will be pushed hard into paying the ransom for the decryption key. If the data can be stolen by the attackers, it can also be used to extort more money by using the threat of revealing the information online.


The attack often begins with a person within the organisation clicking on the wrong link or a harmless-looking attachment and allowing an executable file to run. Ransomware can spread quickly within a network, so one infected PC can mean hundreds of locked terminals in a short time.


The financial consequences are usually severe. The cost of hiring experts to clean up the mess, and the reputational damage to private companies, is immense. Another complication is the General Data Protection Regulation, which can impose heavy fines on organisations that are victims of data exfiltration attacks and that fail to notify the Data Protection Commissioner within 72 hours of becoming aware of the problem.


Preventing ransomware attacks is naturally the optimum solution to this major problem. A number of fairly simple steps help to achieve this.

Back up all data. Data should be backed up regularly. This will not prevent the attack per se; however, it will make the impact of the attack much easier to deal with. In the case of a ransomware attack, you will be able to restart systems and continue with minimal financial or system damage. Systems should be restored within a reasonably short time.

Never click on dubious or unfamiliar links. The last thing you want is an executable file starting the process of downloading ransomware.


If you receive an email that could be fake, don’t click on attachments without first checking the provenance of the email. Check the headers of the email too.

If you are instructed to ‘enable macros’ in order to access a file, don’t do it.

Use up-to-date operating systems and have all systems patched. It came to light that the NHS in Britain was using legacy operating systems that are much more vulnerable to ransomware attacks.


Staff with access to the network need essential training in basic cybersecurity so that they at least recognise and avoid these elementary errors, such as clicking on fraudulent links or allowing themselves to be duped by phishing scams.
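The advice above to check the headers of a suspicious email can be partly automated. The following is an added example, not part of the original article: it parses a constructed message and reports sender-domain mismatches and failed SPF, DKIM or DMARC results; the addresses and the `example` domains are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real email); all domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.hospital.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=hospital.example
From: "IT Helpdesk" <helpdesk@hospital.example>
Reply-To: support@helpdesk-fix.example.org
Subject: Action required: enable macros to view report

See attachment.
"""

def domain(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def header_findings(raw):
    """List reasons to distrust a message, based only on its headers."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain(msg["From"])
    # Replies or bounces going to a different domain than the visible sender.
    for name in ("Return-Path", "Reply-To"):
        other = domain(msg[name])
        if other and other != from_dom:
            findings.append(f"{name} domain {other} differs from From domain {from_dom}")
    # Only trust Authentication-Results added by your own receiving mail server.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        verdict = results.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech} result is {verdict}")
    return findings

if __name__ == "__main__":
    for finding in header_findings(SAMPLE):
        print("-", finding)
```

Legitimate bulk mail often uses a different Return-Path domain, so a finding here is a prompt to look closer rather than proof of phishing.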


Conti ransomware represents a formidable and adaptive threat to strategic targets, particularly in the field of healthcare. The fundamental importance of training and awareness cannot be overestimated. Preventing these kinds of malevolent and destructive cyberattacks has to be the most urgent priority for all organisations, especially in cases where highly sensitive data is being processed.




2 Comments

Guest
Nov 24, 2023
Rated 5 out of 5 stars.

interesting article


Guest
Nov 07, 2023
Rated 5 out of 5 stars.

great


© bitbybitsecure 2025
