Ransomware continues to plague healthcare organizations. Cybercriminals realize there is enormous potential for financial gain if they can successfully disrupt services and hold sensitive data hostage—and they keep succeeding. Under pressure to resume services quickly, many healthcare organizations do wind up paying the ransom.
Surveying the various types of ransomware can help you build a plan for preventing attacks and mitigating damage. By discovering the different approaches for gaining network access, spreading malware infections, and extorting money, you can make sure you address a full range of potential vulnerabilities.
Definition and Overview of Ransomware
Ransomware is malicious software that encrypts sensitive data. Attackers demand a ransom in exchange for providing the decryption key. They might also threaten to steal and sell the data, or attack partner organizations. Ransomware has been in existence for decades, but cybercriminals are continuously devising new variants and new techniques.
Common types of ransomware
Healthcare organizations and other businesses often encounter one of two general types of ransomware. Crypto ransomware encrypts data, preventing users from accessing the data without the decryption key. Locker ransomware completely locks users out of their systems, though it generally leaves files and folders untouched. Users see a lock screen that shows the ransom demand, sometimes accompanied by a countdown clock.
How ransomware works
Most ransomware attacks begin with a phishing scheme. Attackers might try to trick individuals into clicking on a link within an email. That link sends them to a spoofed website, where they are prompted to enter login credentials for an app or system. The attackers then use those credentials to access the enterprise network and implant ransomware.
In other cases, users inadvertently download an attachment or visit a website that runs a malicious script to trigger a download. The ransomware starts running on an individual computer and then spreads to network systems. Ultimately, the ransomware reaches a repository of sensitive data and encrypts it, preventing authorized users from accessing it.
The impact of ransomware attacks
Ransomware can impact healthcare organizations as well as their customers and patients. Healthcare organizations often face tremendous financial consequences. Beyond paying a ransom, they might need to bear the costs of forensic investigations, data recovery, regulatory fines, and lawsuits. Many healthcare providers can also lose revenue from service disruptions.
Individuals, meanwhile, can suffer health consequences. They might be unable to contact providers, fill prescriptions, have procedures, or receive emergency care.
Notable Ransomware Examples
Most ransomware attacks follow a similar model: Attackers infect an IT environment, prevent access to sensitive data, and demand a ransom. Over the past decade, however, attackers have created new techniques and numerous ransomware variants that operate in slightly different ways.
BitPaymer
First observed in 2017, BitPaymer is ransomware that initially targeted hospitals in the United Kingdom. Attackers often use remote desktop protocol (RDP) or email schemes to gain access to enterprise networks. The ransomware encrypts files and produces numerous ransom notes, which it leaves throughout the file system.
CryptoLocker
CryptoLocker is a type of ransomware that first gained prominence in 2013. Attackers use email attachments to reach victims. Individuals receive a compressed ZIP file that contains an executable file disguised as another document, such as a PDF. Once the executable runs, the ransomware contacts an external server and encrypts files on the local drive as well as on network drives.
DarkSide
DarkSide is a for-profit ransomware group known for developing Ransomware-as-a-Service offerings for “affiliate” cybercriminals—the people who actually carry out the attacks. The affiliates can use the ransomware to launch attacks without having to write their own code. One of the most prominent attacks linked to DarkSide was the 2021 attack of the billing systems of Colonial Pipeline—an oil pipeline that supplies fuel to the Southeastern United States. The company was forced to shut down operations temporarily to contain the attack.
Dharma
Dharma is a type of ransomware that attackers install manually after hacking into IT environments using RDP. The ransomware not only encrypts files; it also enables an attacker to manually explore those files, which might lead the attacker to steal them.
DoppelPaymer
DoppelPaymer, which appeared in 2019, is based on BitPaymer ransomware. Attackers use phishing emails with links to malicious sites or attachments that execute malicious code. The code downloads a Trojan horse type of malware, which can trigger downloads of other tools designed to disable security software, explore the network, encrypt data, and change user passwords. Attackers might threaten to steal and leak data as part of the extortion scheme.
GandCrab
Discovered in 2018, GandCrab was created by a Ransomware-as-a-Service group. It became successful in part because the developers frequently updated the malware to evade security software. Those developers ended its program after less than a year, claiming that their affiliates had earned more than $2 billion.
Locky
Locky is ransomware that began infecting healthcare organizations in the United States, New Zealand, and Germany in 2016. Attacks began with spam emails that included either Microsoft Office documents with malicious macros or compressed files with malicious scripts. The macros and scripts tricked users into taking steps that would ultimately trigger the download of ransomware. The ransomware targeted file types used by software developers and engineers.
Maze
Maze ransomware, released in 2019, was initially distributed through malicious email attachments. Attackers later used RDP or VPN credentials to access networks. The ransomware explores networks, steals credentials, installs backdoors, and then encrypts data. Attackers also use this ransomware to copy data. They threaten to leak that data unless they are paid the ransom.
MedusaLocker
Released in 2019, MedusaLocker ransomware targets Windows systems. It might have been created as part of a Ransomware-as-a-Service offering. Attackers using this ransomware often employ phishing to steal credentials for RDP connections. They encrypt data and leave ransom notes in every infected folder.
NetWalker
NetWalker ransomware (initially called Mailto) was discovered in 2019. It was developed by a gang called Circus Spider as a Ransomware-as-a-Service offering. Affiliate hackers have used it to extort numerous types of organizations, including healthcare organizations. Attacks generally begin with phishing emails that include links to malicious sites or attachments with executable files. NetWalker attackers often threaten to leak data after encrypting it.
Petya and NotPetya
Released first in 2016, Petya is a family of ransomware that targets Windows-based systems. Attacks begin with phishing emails that have malicious attachments. The ransomware infects the master boot record of a computer, encrypting files and preventing Windows from booting.
In 2017, a new variant, dubbed “NotPetya,” appeared as part of a global attack. NotPetya targeted organizations—including utilities and transportation agencies—primarily in Ukraine but also in Germany, Russia, and other European countries. The ransomware encrypted files but left organizations unable to decrypt them, even after ransom was paid. Attackers might have been more interested in causing disruptions than extracting money.
REvil
REvil was a highly successful Ransomware-as-a-Service gang that operated from 2019 until it was shut down in 2022. Its developers claimed they earned more than $100 million in one year. REvil ransomware encrypted files, threatened data leaks, and demanded ransom. If the ransom was not paid in a certain amount of time, the amount demanded doubled. Attackers often gained network access through RDP.
Ryuk
First appearing in 2018, Ryuk is a family of ransomware that has been responsible for attacks on large businesses, including healthcare organizations, often with very large, multi-million-dollar demands. Ryuk ransomware shuts down processes that could thwart its progress. It encrypts data and disables the Windows system restore functionality, preventing organizations from restoring systems to a previous, clean state.
SamSam
SamSam ransomware, which might have been released as early as 2015 or 2016, has mainly targeted healthcare organizations and local government agencies in the United States. Instead of using phishing, SamSam ransomware attacks infiltrate unpatched Windows servers. This ransomware might establish a foothold within systems for a period of time before encrypting files.
WannaCry
WannaCry is one of the most well-known ransomware strains. In 2017, a large-scale WannaCry attack infected more than 200,000 computers around the world. Businesses such as FedEx, Honda, and Nissan were affected as well as the UK National Health Service. Though a security researcher turned off the ransomware within a few hours of the attack, many victims were unable to unencrypt their systems until they paid the ransom.
Hive
Hive was a Ransomware-as-a-Service group between 2021 and 2023. Focusing mainly on public institutions and healthcare organizations, Hive ransomware attackers targeted more than 1,300 companies and extracted around $100 million. Attackers used RDP, VPN, and other remote network connection capabilities, as well as phishing schemes and network intrusions, to gain access to IT environments.
Identifying Ransomware
If your organization is attacked, identifying the type of ransomware can help you respond rapidly—and effectively.
Key distinctions between different types of ransomware
Some ransomware variants can be identified by the initial attack vector. While many attacks begin with phishing, some phishing attacks implant links to malicious websites in emails, others have executable attachments disguised as some other type of document. Users might be tricked into downloading an installer—like one for Adobe Flash—that is really a ransomware executable. Other attacks focus on RDP connections or unpatched servers.
Many ransomware variants can be also distinguished by their unique behavior once they have infected a computer or accessed the network. For example, Ryuk disables the Windows restore functionality. Petya infects the master boot record of a computer, preventing it from booting.
Ransomware can also be identified by the ransom note, the file extensions appended to encrypted files, and even the coding style or strings in the malware. If the signs aren’t obvious, your organization might use a ransomware detection tool to identify the variant.
Common indicators of ransomware infection
If ransomware starts running on individual computers, users might experience slow performance, unexpected software crashes, reduced storage space, or a frozen operating system. They might find that they are redirected to suspicious pages when they browse the internet.
IT and security teams might first see a rise in spam or phishing emails across the company. They could then observe numerous attempts to access network resources or to scan the network. As they start digging deeper, they might find known hacker tools, scrambled file names or contents, and attempts to disable access directories and domain controllers. Data backup activity might also increase if the backup system tries to back up newly modified files.
Combating Ransomware
You might not be able to stop cybercriminals from targeting your organization, but you can implement a variety of best practices and cybersecurity tools that can prevent full-blown attacks and mitigate damage.
Best practices for ransomware prevention
Since many ransomware attacks begin with phishing schemes, focusing on users and endpoints will be key. Make sure employees understand how to identify phishing emails and why they should avoid clicking on suspicious links. You might also establish role-based access policies, which can prevent attackers from accessing the entire network even if they steal credentials. And you should implement robust data backup and recovery strategies, which might help you quickly recover from attacks and even refuse ransom demands.
The role of cybersecurity solutions and services
Cybersecurity solutions and services will no doubt play a vital role in your ransomware defense, whether you have an on-premises, cloud, or hybrid cloud environment. For example, you might employ antivirus and anti-malware software on endpoints to stop ransomware before it spreads. You could implement multi-factor authentication (MFA) capabilities to make it more difficult for attackers to access the network with only stolen usernames and passwords. And you could implement firewalls and network intrusion detection systems to monitor network traffic and block out known threats.
Effective incident response and recovery strategies
Having an incident response plan in place is crucial. As soon as an attack is detected, you should isolate infected systems, begin to analyze the spread of infection, and notify law enforcement. You can then attempt to remove the ransomware and restore clean data to uninfected systems—while you decide whether or not to pay the ransom. If you don’t receive a decryption key, you might need to find and use a decryption tool, and then subsequently disinfect systems. You will also have to contact affected customers or patients while quickly addressing security gaps.
The Future of Ransomware
As ransomware variants and attack techniques evolve, healthcare organizations must be ready to adjust their strategies and supplement their security capabilities.
Continued evolution of ransomware
Cybercriminals continue to integrate emerging technologies into their ransomware efforts. For example, attackers are using generative AI to write better phishing emails. And for several years, attackers have employed Ransomware-as-a-Service offerings to launch new malware variants without having to write any code themselves.
Importance of staying vigilant and prepared
How can your organization stay prepared? Participating in cybersecurity forums and communities can help you stay informed of emerging threats and enable you to discover best practices from other organizations.
Working with outside security experts and managed service providers can also help. These external resources are focused on staying up to date on ransomware trends. They can draw from threat intelligence and their accumulated client experiences to help ensure you are well informed and well prepared.
Ready to start building a better plan to defend against ransomware? Cloudticity can help. Contact us today for a free consultation.
