In 2020, the healthcare industry was heavily targeted by ransomware gangs who took advantage of the pandemic to hit the very hospitals that were trying to save patients’ lives. Battling under extremely challenging conditions, the healthcare industry had to cope with these highly damaging and disruptive ransomware attacks that placed patient safety at risk.
A major ransomware attack hit one of the largest healthcare providers in the United States. Universal Health Services, an American Fortune 500 company which employees 90,000 individuals and runs 400 acute care hospitals, suffered a major ransomware attack in September which impacted all of its hospitals. Staff were forced to work on pen and paper for three weeks while it recovered from the attack.
A cyberattack on University of Vermont Medical Center in October affected more than 5,000 hospital computers and laptops and 1,300 servers. All devices had to be wiped and have software and data reinstalled, with the healthcare provider experiencing downtime for more than 2 months. During the recovery process around $1.5 million was being lost per day to attack-related expenses and lost business, with the total costs expected to exceed $64 million.
Ransomware attacks on the healthcare industry were stepped up in September and October and continued to plague the industry for the remainder of the year. A study by Tenable found that ransomware attacks accounted for 46% of all healthcare data breaches in 2020, showing the extent to which the industry was targeted.
Many of these attacks involved the exploitation of unpatched vulnerabilities, most commonly vulnerabilities in the Citrix ADC controller and Pulse Connect Secure VPN. Patches had been released at the start of the year to fix the vulneabilities, but the patches had not been applied promptly. Phishing emails also gave ransomware gangs the access to healthcare networks they needed to conduct ransomware attacks. Check Point’s research indicates there was a 45% increase in cyberattacks on the industry from the start of November to the end of the year.
Another industry heavily targeted by hackers in 2020 was retail. Retailers were also incredibly busy as a result of the pandemic. With governments ordering people to stay home to curb the spread of the virus, online retailers saw a sales surge as shoppers made their purchases online rather than in bricks and mortar stores. Researchers at Salesforce found digital sales increased by 36% in 2020 compared to the previous year, and cybercriminals took advantage of the increase in online sales.
Several methods were used to gain access to retailers’ systems and websites, with the most popular tactic being web application attacks, which increased by 800% in 2020 according to the CDNetworks State of Web Security H1 2020 Report. Attackers also used credentials stolen in past data breaches to attack online retail outlets in credential stuffing attacks, which Akamai’s tracking revealing the retail industry was the most attacked industry using this attack technique, account for around 90% of attacks.
As is normal every year, the large numbers of shoppers that head online to make purchases in the run up to Black Friday and Cyber Monday were exploited, with phishing attacks related to these shopping events increasing thirteenfold in the six-week run up to Black Friday. In November, 1 in every 826 emails was an online shopping related phishing scam, compared to 1 in 11,000 in October, according to Check Point. Content management systems used by retailers were also targeted, and attacks on retail APIs also increased in 2020.
As we head into 2021, both sectors are likely to continue to be heavily targeted. Ransomware and phishing attacks on healthcare providers could well increase now that vaccines are being rolled out, and with many consumers still opting to buy online rather than in person, the retail sector looks set to have another bad year.
Fortunately, by following cybersecurity best practices it is possible to block the majority of these attacks. Patches need to be applied promptly, especially any vulnerabilities in remote access software, VPNs, or popular networking equipment, as those vulnerabilities are rapidly exploited.
An advanced anti-phishing solution needs to be implemented to block phishing attacks at source and ensure that malicious messages do not get delivered to inboxes. Multi-factor authentication should also be implemented on email accounts and remote access solutions to block credential stuffing attacks.
A web filter is important for blocking the web-based component of phishing and cyberattacks. Web filters stop employees from visiting malicious websites and block malware/ ransomware downloads and C2 callbacks. And for retail especially, the use of web application firewalls, secure transaction processing, and the correct use of Transport Layer Security across a website (HTTPS) are important.
By following cybersecurity best practices, healthcare providers, retailers, and other targeted industries will make it much harder for hackers to succeed. TitanHQ can help by providing SpamTitan Email Security and WebTitan Web Security to protect against email and web-based attacks in 2021. For more information on these two solutions and how you can use them to protect your busines, call TitanHQ today.
Cybercriminals use many tactics to obtain credentials that they then use to remotely access corporate accounts, cloud services, and gain access to business networks. Phishing is the most common method, which is most commonly conducted via email. Attackers craft emails using a variety of lures to trick the recipient into visiting a malicious website where they are required to enter their credentials that are captured and used by the attackers to remotely access the accounts.
Businesses are now realizing the benefits of implementing an advanced spam filtering solution to block these phishing emails at source and ensure they do not reach inboxes. Advanced antispam and anti-phishing solutions will block virtually all phishing attempts, so if you have yet to implement such a solution or you are relying on Microsoft Office 365 protections, we urge you to get in touch and give SpamTitan a trial.
Phishing is not only performed via email. Rather than using email to deliver the hook, many threat groups use SMS or instant messaging platforms and increasing numbers of phishing campaigns are now being conducted by telephone and these types of phishing attack are harder to block.
Smishing for Credentials
When phishing occurs through SMS messages it is known as Smishing. Rather than an email, an SMS message is sent with a link that users are instructed to click. Instant messaging platforms such as WhatsApp are also used. Many different lures are used, but it is common for security alerts to be sent that warn the recipient about a fraudulent transaction or other security threat that requires them to login to their account.
Recently, Allied Irish Bank (AIB) customers in Ireland were targeted with such as smishing campaign. The SMS message advises the recipient that there has been a suspected fraudulent transaction which they are required to review by clicking a link and logging in. Their credentials are harvested, and they are instructed to provide codes from their card reader or one-time passwords as part of the security check. Doing so will allow the scammers to access the account and make fraudulent transactions. A variation on this theme involves the user being told they have been locked out of their account.
In this campaign the scammers use a URL on the domain secureonlineservicepayeeroi.com, although these domains frequently change. Many campaigns mask the destination URL using URL shortening services, and one recent campaign conducted by an Iranian threat group used a seemingly legitimate google.com URL and several redirects before the user landed on the phishing page. Smishing is also often used in PayPal phishing attacks using messages warning about the closure of an account.
Vishing Attacks on Businesses Spike
In December 2019, the U.S. Federal Bureau of Investigation (FBI) identified a campaign where cybercriminals were conducting phishing over the telephone – termed vishing. Since then, the number of cases of vishing attacks has increased, prompting the FBI and the Cybersecurity and Infrastructure Security Agency to issue a joint alert in the summer about a campaign targeting remote workers. This month, the FBI has issued a further alert following a spike in vishing attacks on businesses.
Cybercriminals often target users with high levels of privileges, but not always. There has been a growing trend for cybercriminals to target all credentials, so all users are at risk. Once one set of credentials is obtained, attempts are made to elevate privileges and reconnaissance is performed to identify targets in the company with the level of permissions they need – I.e. permissions to perform email changes.
The scammers make VoIP calls to employees and convince them to visit a webpage where they need to login. In one attack, an employee of the company was found in the company’s chatroom, and was contacted and convinced to login to their company’s VPN on a fake VPN page. Credentials were obtained and used to perform reconnaissance. Another target was identified that likely had advanced permissions, and that individual was contacted and scammed into revealing their credentials.
How to Block Smishing and Vishing Attacks
Blocking these types of phishing attacks requires a combination of measures. In contrast to email phishing, these threats cannot be easily blocked at source. It is therefore important to cover these threats in security awareness training sessions as well as warning about the risks of email phishing.
A web filtering solution is recommended to block attempts to visit the malicious domains where the phishing pages are hosted. Web filters such as WebTitan can be used to control the websites that employees can access on their corporate-issued phones and mobile devices and will provide protection no matter where an employee accesses the Internet.
It is also important to set up multifactor authentication to prevent any stolen credentials from being used by attackers to remotely access accounts. The FBI also recommends granting network access using the rule of least privilege: ensuring users are only given access to the resources they need to complete their jobs. The FBI also recommends regularly scanning and auditing user access rights given and monitoring for any changes in permissions.
COVID-19 has made 2020 a terrible year for many businesses, bringing unprecedented challenges that many have struggled to overcome. The year was made worse by cybercriminals stepping up their attacks, with ransomware used to pile even more misery during extremely challenging times.
Ransomware is nothing new of course. It has been used since the early 2000s to extort money from individuals and businesses. Ransomware grew in popularity in the mid-2010s when encryption methods were adopted that were tough to crack, and the past couple of years have seen ransomware grow into the biggest cyber threat for businesses, and 2020 has been especially bad.
In Q3, 2020, ransomware attacks increased by 40% according to data from Kroll. Almost 200 million attacks occurred in the quarter, and attacks continued to increase as the year progressed. Not only are more businesses now being attacked, the amount demanded by the attackers has also dramatically increased. A report from Coveware, a firm that assists companies recovering from ransomware attacks, indicates ransom demands doubled in Q4, 2019 and there has been another doubling of demands in 2020. A recent H1 2020 Cyber Insurance Claims Report from Coalition indicates 87% of all cyber-related insurance claims are the result of ransomware attacks.
Ransomware gangs have also adopted a new tactic to increase the likelihood of their ransom demand being paid. In 2019, the Maze ransomware gang started stealing data prior to encrypting files and using double extortion tactics. In addition to paying to recover data, victims had to pay to prevent the public release of their stolen data. Since then, at least 17 ransomware gangs have adopted this tactic and threaten to publish or sell stolen data if the ransom is not paid.
The healthcare industry was hit particularly hard by ransomware in 2020, especially in the latter half of the year. Healthcare systems and hospitals have been battling with the pandemic and during these extremely challenging times they have been targeted by ransomware gangs. There was a major spike in attacks on hospitals in September and the attacks have continued at high levels since.
The pandemic has given ransomware gangs new opportunities to conduct attacks, as more remote workers introduced vulnerabilities that are easy for the gangs to exploit. Vulnerabilities in new VPN and remote access solutions are exploited, emails spreading ransomware have targeted remote workers, and ransomware has been delivered via drive-by downloads masquerading as free online collaboration tools. COVID-19 has also been exploited in lures that deliver ransomware, first offering advice on the new virus, then possible cures, and latterly vaccine related lures.
The large increase in attacks toward the end of 2020 does not bode well for 2021, and there are no signs that ransomware activity will fall in 2021. In fact, the situation may even get worse before it gets better. As long as ransomware attacks continue to be profitable, the attacks will continue. What businesses need to do is make sure they take steps to block attacks, identify them quickly when they do occur, and make sure they have a plan in place to help them recover quickly should disaster strike.
Some of the important steps to take to prevent, detect, and limit the severity of an attack are summarized below:
With so many methods of deploying ransomware, there is no single solution that will prevent all attacks. You should therefore consider the following:
- Implement an advanced spam filter with best of breed protection against malware and ransomware, that uses signature-based detection to block known ransomware variants and sandboxing to identify new threats.
- Ensure patches are applied promptly and software is updated quickly to the latest version.
- Train your staff how to recognize email-based threats and provide general security training to eliminate risky behaviors.
- Stay up to date on the latest threat intelligence and take proactive steps to address threats.
- Use a web filtering solution to block access to risky and malicious websites to prevent downloads of ransomware from the Internet.
- Enforce the use of strong passwords to prevent brute force attacks.
- Implement multi-factor authentication wherever possible.
If you can detect unauthorized accessing of your systems in real time, you may be able to block an attack before ransomware is deployed. Many threat actors spend time moving laterally to identify as many devices as possible before conducting an attack and they will attempt to find and exfiltrate data, which provides a window to detect and block the attack. You should implement a monitoring system in place that generates alerts when suspicious activity is detected and, ideally, one that can automatically remediate attacks when they are detected. Many attacks occur at the weekend and public holidays when monitoring by IT teams is likely to be reduced so consider the mechanisms you have in place when staffing levels are lower.
You may not be able to block an attack, but you can prepare and limit the damage caused. First and foremost, backup your data as you do not want to be at the mercy of the attackers. Ensure a backup is stored in a location that cannot be accessed from the network where the data resides, store a copy of a backup on a non-networked device, and ensure backups are performed regularly and are checked to make sure data can be recovered.
You should also create a disaster recovery plan that can kick into action as soon as an attack occurs to make sure your business can continue to function until the attack is fully mitigated.