The threat of ransomware attacks and how to stop them

By Leila Hawkins
Ransomware attacks in healthcare are rising, we take a look at how these can be prevented...

A recent study by software security firm VMware Carbon Black looked at cyberattacks among their healthcare customers and found an unprecedented figure – almost 240 million attempted attacks in 2020. This demonstrated the dramatic rise in the risk cyber criminals pose to healthcare. 

In October 2020 the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned of the increased threat to healthcare providers and hospitals. They cited a particular group, named UNC1878, who were behind financially motivated attacks where they used ransomware to encrypt their target and extort the owner.  

Ransomware attacks can be extremely damaging. Last year Rangely District Hospital in Colorado suffered an attack whereby the proprietary software used to access medical records was infected. The hospital didn’t pay the ransom, and five years of patient records became inaccessible. 

Perpetuators of these types of attacks often act fast, with organisations sometimes experiencing the full lifecycle of an attack in just two days.

In their report, VMware Carbon Black were able to identify the top five ransomware families currently plaguing the healthcare industry:

  • Cerber: 58% A type of malware that encrypts files and holds them hostage, demanding a ransom payment in exchange for returning them. 
  • Sodinokibi: 16% Ransomware that is highly evasive and takes many measures to prevent its detection by antivirus and other means. 
  • VBCrypt: 14% VBCrypt is a malicious program that may perform a number of actions of an attacker's choice on an affected computer. This virus targets Windows programs.  
  • Cryxos: 8% Cryxos Trojans display false alerts on compromised or malicious websites. The notifications claim that the user's computer is infected with a virus, is blocked, and some personal details have been stolen.
  • VBKrypt: 4% VBKrypt malware may drop files, write to the registry and perform other unauthorised actions on the affected computer system.

What are they stealing?

VMware’s research found “secondary infections,” across the digital healthcare supply chain, which are used to facilitate long-term cyberattack campaigns. This is leading to a surge in extortions and helping to fuel a cybercrime market mostly taking place on the dark web. 

Information that is typically being sold includes personal info and medical records, such as names, patient IDs, home addresses, and health insurance details. In the last year data containing details of patients who have taken a COVID-19 test has also been stolen and sold. 

An example VMware found was doctors’ private information, including home phone number and personnel number, being sold for $500 on the dark net. 

During the speculation last year that Hydroxychlorquine could help treat patients with COVID-19, cybercriminals began selling this on the dark web for about $1. 

How to stop ransomware attacks

Key to preventing these attacks is ensuring staff are informed and taking precautions such as scanning emails for threats, checking firewalls are working, and being mindful of phishing attacks. Staff training on security is essential for this. Additionally the following measures are important: 

  • Back up critical data so it can be restored if needed. Best practice is multiple versions of backups with different recovery points and at different locations. 
  • Use cloud-based “immutable” buckets. These let customers create buckets of data that cannot be altered in any way, for a certain period of time, including encryption by ransomware. 
  • Deploy next-generation Antivirus (AV) software that offers protection for each of the typical stages of a ransomware attack, and can prevent advanced attacks. 
  • Use an endpoint protection solution. As VMware Carbon Black’s report states: “Healthcare organisations need the ability to easily provision access to new users while maintaining data privacy, compliance, and security practices.” 

Lastly Darren Guccione, CEO of password manager app Keeper, recommends that organisations don’t pay ransoms, even if their systems have been compromised. "Cybercriminals frequently don't release access after a ransom is paid” he said. “Don't trust them. Instead, take the necessary precautions and internal control measures regarding file backup, recovery, and incident response."


Featured Articles

Johnson & Johnson: Turning supplier spend into local support

Johnson & Johnson’s Global Supplier Diversity & Inclusion team is growing spending with social enterprises around the globe to expand its impact

Seasonal Affective Disorder’s impact on health & solutions

Dr Ravi Gill & Dr. Naomi Newman-Beinart discuss Seasonal Affective Disorder and its treatments, from vitamin D spray to light therapy

CGI teams up with Totalmobile for digital healthcare service

CGI is driving efficiency in healthcare. Hear from Helena Jochberger, at Manufacturing Digital LIVE, a free virtual event on Wednesday 6th December 2023

Deloitte: generative AI can improve access to healthcare

Technology & AI

Wipro & NVIDIA’s revolutionary healthcare uses generative AI


Healthtech platform CoverSelf extends seed round to US$8.2m

Technology & AI