Incident Response, Malware, TDR

Ransomware targeting healthcare overshadows other sectors

Share

A new analysis of malicious threats tracked by managed security services provider Solutionary reported that ransomware attacks targeting healthcare companies comprised a whopping 88 percent of all ransomware attacks detected by the firm's Security Engineering Research Team (SERT).

The report analyzed threats discovered by the research solution during Q2 2016, from April 2016 to June 2016. Finance and education, the industries targeted by ransomware second and third most frequently received only four and six percent of attacks, respectively. All of the other industries measured in the report received less than two percent of ransomware attacks combined.

The data appears to contradict research from a ransomware special report published last week. “While attacks against the Healthcare sector have been widely reported in recent months, it does not appear among the most frequently infected sectors,” Symantec's Ransomware and Businesses 2016 report stated. “This is because most of the latest high-profile Healthcare infections were targeted attacks.”

Noting these divergant results, Solutionary threat intelligence communication manager Jon-Louis Heimerl wrote in an email to SCMagazine.com that the frame of the reports is "very important.” He noted that ransomware detections increased 198% from February 2016 to May 2016. Solutionary also observed an increase in ransomware detections within the healthcare industry beginning in February. “Based on our data, healthcare would have not been nearly as prominent in 2015,” Heimerl wrote.

He noted that the analysis measured security alerts and logs based on activity of actual ransomware. "Other industries could very well have had more ransomware attempts which were isolated and stopped by additional controls, but in the case of the healthcare industry, we saw more successful infections," wrote Heimerl.

CryptoWall attacks accounted for 93 percent of detected ransomware attacks, according to Solutionary. “Healthcare is probably the single most complex environment I've seen,” Heimerl told SCMagazine.com. Many healthcare institutions are vulnerable across multiple vectors and contain a variety of personal and financial information that would be valuable to attackers, including blackmail related information, patient data, social security numbers, and credit cards. “So you have a target on your back.”

Ransomware criminals also pay close attention to published reports about healthcare firms that have – or have not – paid ransom demands. “If you had a backup plan, were prepared ahead of time, and didn't pay the ransom, they will not target you,” he said.

Retail, healthcare, education, finance and technology companies were most frequently targeted in SQL injection and cross-site scripting (XSS) attacks. “ActiveX and Adobe products were targeted in nearly 48 percent of all attacks for the top five industries,” the report stated. “Of these, the majority of exploit attempts could have resulted in remote code execution.”

The report analyzed threats from intelligence tools such as honeypots, and examined security events detected through clients' firewalls, feeds, and incident logs. The study found that attacks from Germany accounted for 14 percent of all threats. Heimerl told SCMagazine.com that Germany has often ranked “in the top five” among other “usual suspects,” including China, Russia, Ukraine, U.K., Netherlands, and India, but said it was surprising that Germany ranked as the most frequent source of all non-U.S. based attacks this year.

Many Adobe Flash exploits were detected from Germany, according to Solutionary threat intelligence analyst Terrance DeJesus. ActiveX attacks involved previously disclosed vulnerabilities, including exploits from 2003 to 2015. DeJesus said exploits related to Internet Explorer were also frequent. “A lot of actors are crafting ‘drive-by' pages on legitimate websites like news sites.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.