The Skinny
- Ransomware-as-a-Service (RaaS) is fueling an unprecedented rise in healthcare-targeted attacks, enabling even low-skilled cybercriminals to launch sophisticated operations with powerful tools and infrastructure.
- Third-party providers represent a major vulnerability, with attacks on vendors and business associates often having widespread and severe impacts on patient care and hospital operations.
- Despite claims of ethical boundaries, ransomware groups regularly violate their own rules, underscoring the need for proactive detection strategies, such as monitoring for phishing attempts, failed logins, and unusual network activity, alongside strong incident response protocols.
Cyber attacks continue to pose an immense challenge to healthcare providers.
Already this year, there have been 386 reported healthcare cyber-attacks, with data theft and ransomware continuing at an alarming pace. This matches the severity of 2023, the worst year on record for healthcare breaches. However, the impact of these attacks in 2024 has been even more profound.
Healthcare organizations have become prime targets for ransomware attacks due to the critical nature of their operations and the high potential for financial gain. Disrupting access to patient data or vital medical systems can lead to life-threatening consequences, putting immense pressure on healthcare providers to restore functionality quickly. Furthermore, sensitive patient data is highly valuable on the dark web and is often used as leverage in corporate extortion schemes. Medical records are far more valuable than stolen credit cards because medical information is permanent, whereas a credit card can be quickly canceled.
Ransomware has already crippled numerous hospitals worldwide, forcing many to consider paying ransoms to resume operations swiftly. It is by far the most significant threat facing healthcare today.
Here’s what security executives need to know:
RaaS is driving the threat
Many ransomware groups now operate under a Ransomware-as-a-Service (RaaS) model, dramatically expanding their impact. This model enables core operators to recruit affiliates who carry out attacks in exchange for a share of the ransom payments. This system allows attackers with limited technical skills to launch highly sophisticated ransomware attacks.
An example is RansomHub, one of the most active groups targeting the healthcare sector. It attracts affiliates with an enticing offer: partners keep 90% of the ransom revenue, while only 10% goes to the group for access to its infrastructure.
In return, affiliates receive advanced attack tools and other benefits, making targeting hospitals and healthcare institutions easier. This model significantly raises the threat level, providing both the incentive and the tools to launch large-scale attacks on vulnerable healthcare systems.
Third-party providers pose major risks
Hospitals rely heavily on third-party providers, such as medical device suppliers and supply chain vendors, to deliver essential life-saving services and to support business operations tied to clinical care. As a result, when these third parties are hit, hospitals and their patients are affected, even if the hospital itself isn’t the direct target. The impact on patient care can be even more severe when essential third-party technology and services are affected.
For example, when UnitedHealth Group’s Change Healthcare was attacked by the Russian ransomware group ALPHV/BlackCat, many hospitals in the country were impacted in some way, marking the most significant and consequential cyberattack in U.S. healthcare history.
The American Hospital Association states that in 2023, 58% of the 77.3 million individuals who were affected by healthcare data breaches were impacted due to attacks on healthcare business associates — a staggering 287% increase compared to 2022.
Are there any rules in the Dark Web?
Ransomware groups often claim to follow specific ethical guidelines when targeting healthcare institutions. However, these rules are inconsistently followed, and exceptions seem increasingly common.
LockBit RaaS, for example, has established rules for its affiliates, stating that certain healthcare organizations, such as cardiology centers, neurosurgical departments, and maternity hospitals, are off-limits for attacks. However, they still allow data theft from medical facilities, as long as encryption isn't involved. In practice, these rules seem to be inconsistently applied.
In April 2023, LockBit issued a public apology after one of its affiliates carried out an unauthorized attack on Olympia Community Unit School District 16, which led to the affiliate being removed. Despite this, the group's actions have become more aggressive. In December 2023, they targeted St. Anthony's Hospital in Chicago, demanding an $800,000 ransom from the non-profit hospital.
LockBit is not the only group that has an inconsistent approach. Kill Security, another RaaS operation, claims that attacking critical infrastructure, including hospitals, is only allowed with special approval from the administrator. Yet, despite these supposed restrictions, the group continues to be highly active in targeting healthcare organizations.
However, there is one rule that most RaaS groups consistently follow: they avoid targeting Commonwealth of Independent States (CIS) countries.
Early signs of ransomware attacks
It’s crucial to take a proactive approach to safeguarding against ransomware. Recognizing the early signs of an attack can significantly reduce the impact. The most common warning signs of an impending ransomware attack include the following:
- Ransomware attacks often start with a surge in phishing attempts. If employees notice an increase in spam or suspicious emails, it could indicate that cybercriminals are attempting to deliver malware.
- A rise in failed login attempts, especially targeting privileged accounts, is another key indicator. Attackers may be probing the network, trying to crack user credentials to gain unauthorized access.
- A sudden decrease in network performance, particularly during normal operations, may indicate that ransomware is in the process of encrypting files. Similarly, a sudden spike in network traffic, especially outgoing traffic to unknown IP addresses or suspicious connections, may indicate ransomware communicating with command-and-control servers.
- Cybercriminals often target backups by corrupting or encrypting them and disabling security software, making recovery efforts more challenging.
- If a few devices or systems are encrypted, it might be a test by attackers to assess their strategy before launching a full-scale ransomware attack. This early stage requires immediate attention and response.
- If files suddenly have unfamiliar extensions or cannot be opened, it may be an early sign of encryption attempts by ransomware.
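The warning signs above are easiest to act on when they are turned into concrete checks over the logs a hospital already collects. The following script is an added example written for this page, not code from Binary Defense or from any product it describes. It covers three of the signs listed: a burst of failed logins against privileged accounts, outbound connections to destinations outside an allowlist (with large uploads called out separately), and files carrying an unfamiliar extension. The log formats, account names, IP ranges, thresholds and the `.lckd` suffix are all constructed for the example and would need to be adapted to real SIEM or EDR data.

```python
"""Toy detectors for early ransomware warning signs (added example).

All log lines, account names, IP ranges and the ".lckd" suffix below are
constructed sample data; thresholds are assumptions, not vendor guidance.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress
import os

# Constructed auth log: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
AUTH_LOG = """\
2024-09-10T08:00:01 FAIL user=admin src=10.0.5.23
2024-09-10T08:00:03 FAIL user=admin src=10.0.5.23
2024-09-10T08:00:04 FAIL user=admin src=10.0.5.23
2024-09-10T08:00:06 FAIL user=admin src=10.0.5.23
2024-09-10T08:00:09 FAIL user=admin src=10.0.5.23
2024-09-10T08:00:11 FAIL user=admin src=10.0.5.23
2024-09-10T08:01:00 OK user=jdoe src=10.0.7.8
2024-09-10T08:02:00 FAIL user=jdoe src=10.0.7.8
2024-09-10T08:45:00 FAIL user=svc_backup src=10.0.5.23
"""

# Accounts whose failed logins matter most (assumed list).
PRIVILEGED = {"admin", "svc_backup", "domain_admin"}


def failed_login_bursts(log, threshold=5, window=timedelta(minutes=5)):
    """Return {user: peak count} for privileged accounts with at least
    `threshold` failed logins inside any sliding window of length `window`."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, result, user_kv, _src = line.split()
        if result != "FAIL":
            continue
        user = user_kv.split("=", 1)[1]
        if user in PRIVILEGED:
            events[user].append(datetime.fromisoformat(ts))
    alerts = {}
    for user, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


# Constructed connection log: "<ts> <src_ip> -> <dst_ip>:<port> <bytes_out>"
CONN_LOG = """\
2024-09-10T09:00:00 10.0.7.8 -> 10.0.1.10:443 1200
2024-09-10T09:00:05 10.0.7.8 -> 203.0.113.45:443 58000000
2024-09-10T09:00:07 10.0.5.23 -> 198.51.100.9:8443 41000
2024-09-10T09:00:09 10.0.5.23 -> 10.0.1.11:445 9000
"""

# Assumed allowlist: the internal range plus a stand-in vendor/cloud range.
ALLOWED_DST = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]


def suspicious_egress(log, allowlist=ALLOWED_DST, min_bytes=10_000_000):
    """Flag outbound connections whose destination is outside the allowlist;
    additionally tag transfers of at least `min_bytes` as a large upload."""
    findings = []
    for line in log.splitlines():
        _ts, src, _arrow, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        if any(ipaddress.ip_address(dst) in net for net in allowlist):
            continue
        reasons = ["unknown-destination"]
        if int(nbytes) >= min_bytes:
            reasons.append("large-upload")
        findings.append({"src": src, "dst": dst, "port": int(port),
                         "bytes": int(nbytes), "reasons": reasons})
    return findings


# Assumed set of extensions normally present on a clinical file share.
EXPECTED_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".dcm", ".hl7"}

# Constructed directory listing; ".lckd" is a made-up appended suffix.
SAMPLE_FILES = ["notes.docx", "scan01.dcm", "scan02.dcm.lckd",
                "billing.xlsx.lckd", "readme.txt", "labs.pdf.lckd"]


def unfamiliar_extensions(filenames):
    """Count files whose final extension is outside EXPECTED_EXT; encryption
    that appends its own suffix shows up as one extension with a high count."""
    counts = Counter()
    for name in filenames:
        ext = os.path.splitext(name)[1].lower()
        if ext and ext not in EXPECTED_EXT:
            counts[ext] += 1
    return dict(counts)


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(AUTH_LOG))
    print("suspicious egress:", suspicious_egress(CONN_LOG))
    print("unfamiliar extensions:", unfamiliar_extensions(SAMPLE_FILES))
```

Each function returns structured findings rather than printing them so the same logic can feed a ticketing or SOAR step; in practice the allowlist would be populated from known vendor ranges and the failed-login threshold tuned against normal help-desk noise before alerting on it.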
How to act when a ransomware attack occurs
It's important to note that the U.S. government advises against paying ransoms for several reasons. First, making a ransom payment does not guarantee that data will be returned or that compromised systems will be secure afterwards.
In February 2024, BlackCat RaaS operators refused to share a $22 million ransom payment from UnitedHealth Group with their affiliate, RansomHub. A month later, RansomHub listed Change Healthcare on its leak site, claiming possession of 4TB of stolen data and threatening to release it unless a ransom was paid to its group as well. Additionally, paying a ransom to groups located in U.S.-sanctioned regions or named on sanctions lists can be illegal.
In the event of a ransomware attack, organizations are encouraged to use the Ransomware Response Checklist provided by CISA. Companies should also report the attack to law enforcement agencies like the FBI, CISA, or the U.S. Secret Service. These agencies can assist in preventing future attacks and may be able to recover or decrypt data without a financial cost.
To minimize the risks associated with ransomware incidents, companies should follow the best security practices outlined in the #StopRansomware Guide, developed by the Joint Ransomware Task Force (JRTF).

Nataliia Zdrok | Senior Threat Intelligence Analyst
Nataliia Zdrok is a Senior Threat Intelligence Analyst at Binary Defense and is responsible for researching, collecting and analyzing the latest cyber threats, attack methods and malware used by cyber threat actors worldwide, including criminal organizations, hacktivist groups and state-sponsored hackers.