At the end of October 2020, Check Point reported that hospitals and healthcare organisations had been targeted by a rising wave of ransomware attacks, with the majority of attacks using the infamous Ryuk ransomware. This followed a Joint Cybersecurity Advisory issued by the CISA, FBI and NHS, which warned of an increased and imminent cybercrime threat to US hospitals and healthcare providers.
And this wave of attacks has continued, involving a range of vectors, including ransomware, botnets, remote code execution and DDoS attacks.
However, Check Point states that ransomware shows the largest increase and is the biggest malware threat to healthcare organisations when compared to other industry sectors.
Ransomware attacks against hospitals and related organisations are particularly damaging, because any disruption to their systems could affect their ability to deliver care, and endanger life – which is aggravated by the pressures these systems face in coping with the global increase in Covid-19 cases.
Global overview of attacks
* Since 1 November 2020 there has been an increase of over 45% in the number of attacks seen against healthcare organisations globally, compared to an average 22% increase in attacks against other industry sectors.
* The average number of weekly attacks in the healthcare sector reached 626 per organisation in November, compared with 430 in October.
* Attacks involving ransomware, botnets, remote code execution and DDoS all increased in November, with ransomware attacks showing the biggest spike when compared to other industry sectors.
* The main ransomware variant used in attacks is Ryuk, followed by Sodinokibi.
Why are attacks spiking now?
The major motivation for the threat actors behind these attacks is financial. They are looking for large amounts of money, and fast. It seems that these attacks have paid off very well for the criminals behind them over the past year, and this success has made them hungry for more.
Because hospitals are under tremendous pressure due to the ongoing rise in coronavirus cases, many are willing to pay ransom so they can continue to provide care during this critical time.
In September, German authorities reported that what appears to have been a misdirected hacker attack caused the failure of IT systems at a major hospital in Dusseldorf, and a woman who needed urgent admission died after she had to be taken to another city for treatment. No hospital or healthcare organisation would want to experience a similar scenario, which increases the likelihood of the organisation meeting the attacker’s demands in the hope of minimising disruption.
Unlike common ransomware attacks, which are widely distributed via massive spam campaigns and exploit kits, the attacks against hospitals and healthcare organisations using the Ryuk variant are specifically tailored and targeted.
Ryuk was first discovered in mid-2018, and soon after, Check Point Research (CPR) published the first thorough analysis of this new ransomware, which was targeting the US. In 2020, CPR researchers monitored Ryuk activity globally and observed the increase in Ryuk’s use in attacks aimed at the healthcare sector.
The Covid-19 cyber landscape
From an upsurge in the registration of coronavirus-related malicious domains, to the use of related topics in phishing and ransomware attacks, and even fraudulent advertisements offering Covid vaccines for sale, an unprecedented increase in cyber-exploits seeking to compromise personal data, spread malware and steal money has been seen.
Medical services and research organisations became targets for attacks seeking to steal valuable commercial and professional information, or to disrupt vital research operations. Test and trace apps for tracking individuals, which previously would have caused strong privacy-related opposition, have been widely adopted around the world, and are expected to outlive the pandemic.
As the world’s attention continues to focus on dealing with the pandemic, cyber-criminals will also continue to use and try to exploit that focus for their own illegal purposes.