Cyber Threats in Healthcare

Cyber threats in healthcare are constantly evolving and becoming more complex. A recent report released by Mandiant Intelligence uncovered the very real threat FIN12 ransomware poses to the healthcare sector. According to the report, 20% of FIN12 ransomware attacks target the healthcare sector. Healthcare organizations in North America in particular have cause for concern, with 85% of FIN12 ransomware attacks targeting victims in North America.

While many ransomware groups are morally opposed to targeting healthcare organizations, FIN12 is not. Jeremy Kennelly, senior manager and principal analyst at Mandiant, explained, “The mere fact of systems being unavailable causes huge disruption to these organizations. And thus, there is probably a perception amongst these actors that despite the bad look of targeting a healthcare organization, a healthcare organization is going to have a stronger argument to potentially pay a ransom in order to get their system online.”

What Makes FIN12 Such a Threat?

Unlike many other ransomware groups, FIN12 actors focus specifically on ransomware deployment, relying on other threat actors for initial access to victims’ systems. Specializing in one phase of the attack lifecycle allows threat actors to become more sophisticated, successful, and efficient in their attacks. This is evident from the fact that FIN12 has been able to cut its time-to-ransom (TTR) in half. According to the report, the group can go through the lifecycle of a cyberattack in less than 3 days.

Kennelly noted, “In the vast majority of cases they are not stealing data, but merely encrypting. They are just breaking into organizations or obtaining access from other actors to learn a little bit about the network and immediately deploying ransomware.”

While there is no pattern to how FIN12 gains access to these organizations, one method it has used in the past is BazarLoader. According to the HHS, BazarLoader uses business-themed emails containing a link to a Google Docs file, and BazarBackdoor is capable of exfiltrating files from a victim, terminating running processes, and executing arbitrary payloads.

Protecting Your Business Against Threats

Cyber threats in healthcare can be mitigated in several ways. “It all comes down to credential management, privilege management, and being able to monitor how authentication is occurring across the environment,” Kennelly advised.

Credentials compromised in one attack can cause ongoing issues when login credentials are reused across multiple platforms. For instance, login credentials stolen in an attack on a social media platform could be used to access an employee’s account and the sensitive company information that account can reach. This is why it is imperative to use different usernames and passwords for different platforms, and to ensure that the passwords are strong.

One of the best ways a healthcare organization can avoid becoming a victim of a cyberattack is by becoming HIPAA compliant. HIPAA-compliant organizations are inherently more secure, as HIPAA imposes a multitude of security requirements. HIPAA security requirements include annual security risk assessments, remediation efforts, encryption, multifactor authentication, access management, data access monitoring, and employee cybersecurity awareness training. All of these requirements improve an organization’s security posture, reducing the risk of being victimized by a healthcare cyber threat.