This inaugural alert provides takeaways from Kroll’s second quarter (Q2) 2022 Threat Landscape Report and mitigation solutions to neutralize those threats.

• The Healthcare Industry (Healthcare) saw a 90% increase in ransomware attacks in Q2.
• Although phishing e-mails remain the top initial access point, threat actors’ use of external remote services increased by 700%.
• Ransomware actors continue to use a dual-extortion approach, leaking sensitive data on the dark web if clients refuse to pay for the encryption keys.
• Multi-factor authentication and updated password requirements are simple, standard solutions to help fortify networks from these threat actors.
• Ransomware attacks continue to grow. Knowing where your risks lie and how to respond if clients come under attack is essential to recovering operations.

Ransomware hit Healthcare the hardest in the Q2 of 2022. During these months, threat actors re-discovered opportune ways to employ these devastating weapons. For our Healthcare partners to confront this concerning trend, the best defense is a good offense backed by a battle plan that knows how the enemy fights.

When the ransomware group Conti disbanded in May of 2022, the Healthcare sector took a brief sigh of relief. Prior to that, for over a year, this Russia-based criminal organization wreaked havoc on hospitals and first responders. Unfortunately, the reprieve did not last long, as the Healthcare industry saw a 90% increase in ransomware attacks in the aftermath of Conti disbanding, according to Kroll. Newcomers to the underworld, such as the Black Basta ransomware group, filled the void left by Conti.

Organizations’ workforces continue to be a point of weakness, as phishing emails remain a top initial access method for ransomware. Spoofed emails¹ containing infected links or attached files allowed attackers to infect entire systems in a matter of weeks. Once inside the systems, threat actors exfiltrate sensitive data then deploy ransomware―encrypting entire systems. Significant ransom demands attach to the restoration of these encrypted systems. If organizations do not engage in the ransom demand and do not pay for “keys” to de-crypt their systems―for example, because they may be able to restore from back up―threat actors will threaten or begin to slowly leak sensitive data onto the dark web until they are paid.²

Although phishing remained the top initial access method, Kroll also saw a 700% increase in the use of external remote services by threat actors. Platforms such as remote desktop protocols and virtual private networks, often used to support the hybrid or remote work models, served as the most used venue for ransomware. The last time Kroll saw this type of increase in leveraging remote services was at the height of the pandemic.

To combat these trends, Kroll recommends organizations proactively push defensive measures across their enterprise. This includes deploying updated password requirements and multi-factor authentication, which goes a long way in preventing the exploitation of remote services. Organizations should impress diligence on their employees in identifying fraudulent emails with suspicious links or attachments and follow up with internal test-phishing campaigns. Finally, Kroll recommends employing screening and blocking tools for particular links or attachments in emails.

Kroll’s report should serve as a reminder to Healthcare organizations of the growing threat of ransomware and the need for self-assessment. The constantly changing tactics, techniques, and procedures of threat actors re-emphasizes the Health Insurance Portability and Accountability Act (HIPAA) requirement and the Office for Civil Rights messaging on the importance of frequent risk assessments and updates to organization’s risk management program. When (not if) a threat actor finds its way into organization’s networks, understanding what is likely to come next and how to respond will save organizations time, money, and, for Healthcare organizations, potentially lives.

FOOTNOTES

¹ A spoofed email is an email that appears to be from a known or valid email address but actually comes from a fraudulent domain, which can only be seen in the details.

² There are many ways to avoid paying a threat actor―and indeed, recent Office of Foreign Assets Control guidelines may prohibit such payment, but this narrative provides an overview of the typical threat actor process for information purposes.