Let’s Chat: Healthcare Threats and Who’s Attacking

December 20, 2018  |  Tawnya Lancaster

Healthcare is under fire and there’s no sign of the burn slowing.

Look, it’s no secret that hackers have been targeting hospitals and other healthcare providers for several years — and probably no surprise that healthcare is one of the top target industries for cybercrime in 2018. In the US alone, in fact, more than 270 data breaches affecting nearly 12 million individuals were submitted to the U.S. HHS Office for Civil Rights breach portal (as of November 30, 2018). This includes the likes of unauthorized access or disclosures of patient data, hacking, theft of data, data loss and more.

Bottom line, if you’re tasked with protecting any entity operating in the healthcare sector, you’re likely experiencing some very sleepless nights — and may just need a doctor yourself.

So . . . who’s wreaking all this havoc and how? According to AlienVault Labs, opportunistic ransomware is still a preferred method of attack. However, researchers are reporting a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from healthcare providers and other similar entities who must protect and keep assets, systems, and networks continuously operating.

One such criminal group, the operators of the SamSam ransomware, is thought to have earned more than $5 million by manually compromising critical healthcare networks (see below for more info). The group behind SamSam has invested heavily in its operations (it is likely an organized crime syndicate) and has won the distinction of being the subject of two FBI Alerts in 2018.

And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than to typical opportunistic ransomware. SamSam attacks also seem to come in waves. One of the most notable was a spring 2018 hit on a large New York hospital, which publicly declined to pay the attackers’ $44,000 ransom demand. It took a month for the hospital’s IT systems to be fully restored.

SamSam attackers are known to:

  • Gain remote access through traditional attacks, such as JBoss exploits
  • Deploy web shells
  • Connect to RDP over HTTP tunnels such as ReGeorg
  • Run batch scripts to deploy the ransomware across machines
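As an added illustration (not code from this post or from AlienVault), here is a log-side check for the RDP-over-HTTP tunnelling step above: tools such as ReGeorg relay each chunk of the tunnelled session through a server-side script, so the observable on the web tier is one client hitting one JSP/ASPX/PHP endpoint at machine speed. The Apache combined log format, the constructed sample lines, the script extensions and the burst threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Server-side script extensions that a web-shell or tunnel script would typically use (assumption).
SCRIPT_EXT = (".jsp", ".jspx", ".aspx", ".ashx", ".php")
# Apache "combined" access log: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, _size = m.groups()
    return {"ip": ip, "method": method, "status": int(status),
            "path": target.split("?", 1)[0],
            "when": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def find_tunnel_bursts(log_text, threshold=30, window_s=60):
    """Return {(ip, path): peak_count} for script endpoints that one client hit
    at least `threshold` times inside any `window_s`-second sliding window."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower().endswith(SCRIPT_EXT):
            buckets[(rec["ip"], rec["path"])].append(rec["when"])
    hits = {}
    for key, times in buckets.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # classic two-pointer sliding window
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits

# Constructed sample log: 40 rapid POSTs to one JSP from a single client (tunnel-like),
# plus 5 ordinary page views from another client that should not be flagged.
LINE = '{ip} - - [10/Mar/2018:02:14:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 {size} "-" "Mozilla/5.0"'
def build_sample_log():
    burst = [LINE.format(ip="10.0.0.5", sec=i, method="POST", path="/tunnel.jsp", size=12) for i in range(40)]
    normal = [LINE.format(ip="10.0.0.9", sec=i * 7, method="GET", path="/portal/index.jsp", size=5120) for i in range(5)]
    return "\n".join(burst + normal)

if __name__ == "__main__":
    for (ip, path), count in find_tunnel_bursts(build_sample_log()).items():
        print(f"possible HTTP tunnel: {ip} -> {path} ({count} requests in one window)")
```

Tune the threshold against your own baseline; a busy AJAX endpoint can legitimately exceed it, so the alert is a triage lead rather than a verdict.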

SamSam isn’t going away either; AlienVault Labs has seen recent variants. You can read more about the threat actors behind SamSam, their attack methods, and recommendations for heading them off in the AlienVault Open Threat Exchange (OTX), our community of 100,000 users who contribute threat intelligence that is also curated by AlienVault Labs.

You can also get more details from the AlienVault blog post “SamSam Ransomware Targeted Attacks Continue.” And you can find detailed recommendations for preparing for SamSam and other related attacks from HHS, the FBI and US-CERT.

Wait! There’s More.

Here’s an overview of the trending threats AlienVault Labs has identified for 2018. Each category lists what we’re seeing, followed by where to learn more.

Opportunistic ransomware threats for criminal gain . . .

What we’re seeing: The most commonly seen threat to healthcare in 2018 remains opportunistic. This is typically ransomware that targets anyone who happens to be vulnerable, and it continues to cause an outsized amount of damage to the industry. Some examples of the most damaging will likely trigger your memory: WannaCry, GandCrab ransomware, VSSDestroy ransomware.

How to learn more:

  • Defray ransomware
  • Off-the-shelf ransomware used to target the healthcare sector
  • GandCrab ransomware puts the pinch on victims
  • VSSDestroy ransomware
  • WannaCry indicators
  • Fallout exploit kit releases the Kraken ransomware on its victims

Targeted threats for criminal gain . . .

What we’re seeing: A number of organized criminals have moved to targeting healthcare providers with targeted ransomware because of the criticality of continued operation. One example is the SamSam ransomware.

How to learn more:

  • SamSam ransomware campaigns
  • SamSam — the evolution continues, netting over $325,000 in 4 weeks
  • SamSam ransomware
  • SamSam: the doctor will see you, after he pays the ransom

Targeted threats for espionage, led by organized crime . . .

What we’re seeing: Threat actors are committing corporate espionage for criminal gain — for example, by gaining insight into drug trials to inform investment decisions.

How to learn more:

  • Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia
  • Powerful threat actor Wild Neutron returns for economic espionage
  • FIN4 group is hacking the street
  • More information from the FIN4 group attacking public companies
  • Parasite HTTP RAT cooks up a stew of stealthy tricks

Targeted threats for espionage, led by nation states . . .

What we’re seeing: Whilst rare, there are some threat actors that commit espionage against the healthcare sector to assist state-owned companies or to retrieve the healthcare data of high-profile individuals.

How to learn more:

  • Network health: advanced cyber threats to the medical & life sciences industries
  • Tropic Trooper’s new strategy
  • Intrusions affecting multiple victims across multiple sectors
  • Wekby attacks use DNS for C2
  • Indian organizations targeted in Suckfly attacks
  • Black Vine: formidable cyberespionage group

Want more information?

There are a number of organizations, such as Healthcare-ISAC, that can provide additional information on threats seen within the healthcare sector.

For any queries regarding this report, please contact labs@alienvault.com.
