Several agencies came out with a joint advisory on October 28 with stern warnings to the healthcare sector related to cybercrime. The advisory concerns an "imminent and increased cybercrime threat to U.S. hospitals and healthcare providers." The warning was crafted by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the U.S. Department of Health & Human Services (HHS). The agencies urged all institutions that fit the profile to take all necessary steps to elevate the security of their networks to meet the expected wave of cyberattacks.
According to CISA and the other agencies, the cybercriminals are using Trickbot and Ryuk ransomware. Trickbot is used to infiltrate the networks. Once the attackers gain access to a network, they have a number of options to harm the target. Most commonly, they will try to steal sensitive data and then deploy Ryuk as the final payload. Ryuk ransomware can encrypt the data on a compromised network, and the cybercriminals can then demand ransom payments in exchange for the decryption keys. Ransomware attacks combined with data exfiltration have been fairly common over the past six months, and the scheme has proven to be very effective. Unfortunately, such attacks can cripple a hospital or another type of health institution, and that may have dire consequences.
The advisory urges potential targets to ensure they have continuity plans in place. Additionally, the agencies encourage hospitals and healthcare providers to follow all network best practices such as:
- Keeping OS and software up to date.
- Regularly changing passwords.
- Using multi-factor authentication as much as possible.
- Thorough management of remote access.
- Identifying all critical assets and regularly creating offline backups of them.
- Keeping sensitive data and email environments as separate segments on different networks.
- Keeping antivirus and anti-malware solutions up to date and conducting regular scans.
With cybercrime, and ransomware attacks especially, on the rise, the importance of proper cybersecurity has become paramount. While some ransomware operators have made it a rule not to target hospitals and healthcare institutions, there are still others who do the exact opposite. The official stance of CISA and other federal agencies is that paying ransoms is not recommended. The two main reasons are that there is no guarantee that data recovery will be successful, and that paying the ransom can encourage the attackers to continue with their efforts.