KillNet, Royal, LockBit: The cybercriminal groups on hospital CISOs' minds

As if healthcare chief information security officers didn't already have enough on their minds, they are now dealing with increasingly sophisticated international cybercriminal and ransomware organizations targeting U.S. hospitals and health systems. 

Here is a rundown of recent attacks, the biggest offenders, their motivations, tactics and more. 

Russian hackers targeting NATO

KillNet, a Russian hacktivist group, made headlines this week for a DDoS, or distributed denial of service, attack that disrupted the websites of 17 hospitals and health systems. 

DDoS attacks flood target servers or websites with thousands of connection requests and packets per minute, eventually leading to a slowdown or stoppage.

While the group's ties to the Russian Federal Security Service are unconfirmed, KillNet's targets typically include critical infrastructure in NATO countries supporting Ukraine.

In December, the HHS Cybersecurity Coordination Center warned U.S. healthcare organizations about the threat posed by KillNet.

Financial payout

Beyond groups motivated by geopolitical factors, ransomware groups hoping to receive a hefty payout are still targeting U.S. healthcare systems.

"The one I would keep an eye out for is Royal ransomware," Steven Ramirez, CISO of Reno, Nev.-based Renown Health, told Becker's. "Reports show this is a highly sophisticated group, with many members being former Conti ransomware members — with them having familiarity with healthcare, having experienced team members and adding in the element that they have an effective attack methodology."

The group delivers ransomware to its victims through so-called callback phishing, where attackers impersonate a business, typically claiming the victim needs to pay a bill or renew a subscription.

"They will then use social engineering tactics to lure victims into installing remote access software," Mr. Ramirez said. "It is important that healthcare organizations continue their phishing defense practices, ensure they have multifactor authentication and monitor for anomalies associated with this gang's practices."

New tactics 

While multifactor authentication is certainly an effective tool against cyberattacks, some CISOs are concerned that it isn't a guarantee of safety.

"I am more concerned lately about organized malicious teams that are focusing on multifactor authentication fatigue behaviors," Ann Arbor-based Michigan Medicine CISO Jack Kufahl told Becker's.

"These tactics flood the workplace with illegitimate requests for users to allow the actor to digitally coattail into the protected systems after their usernames and passwords have been obtained," Mr. Kufahl said. "Gangs that leverage those techniques appear to be having a larger degree of success lately but also have an indirect impact on healthcare through our third-party services we depend upon."

A false sense of security

One of the largest ransomware gangs, LockBit, made news in January when it attacked Toronto-based SickKids, one of the largest pediatric hospitals in Canada, and then appeared to apologize for it.

The group operates on a ransomware-as-a-service model in which it works with affiliated hackers. In the attack on SickKids, the gang said the affiliate who disabled the pediatric hospital's website, phone lines and corporate function lines violated the group's rules of engagement.

LockBit then offered an encryption key to SickKids and said it removed the affiliate who conducted the attack from its gang.

However, just because a group appears to abide by a code doesn't mean it is any less dangerous to healthcare organizations.

"I think that gives folks a false sense of altruism and obfuscates the fact that they're [LockBit] (reportedly) the largest ransomware gang, encourages targeting health systems and critical infrastructure so long as they're not encrypted, and promotes data theft and ransoming against its disclosure," Aaron Weismann, CISO of Radnor Township, Pa.-based Main Line Health, told Becker's. "The reputational and regulatory impacts from that shouldn't be minimized and can cost organizations millions."

Financial and legal damages

Whether for geopolitical or monetary reasons, cybercriminal groups are having an increasingly detrimental effect on health systems' bottom lines. A cyberattack on a Peru, Ill.-based St. Margaret's Health hospital was partially to blame for its closure, its leaders said. 

The massive ransomware attack on Chicago-based CommonSpirit that led to a data breach affecting at least 623,774 patients has serious legal repercussions for the health system.

Beyond the legal and financial impacts, cyberattacks on hospitals can also threaten the safety and wellbeing of patients. In a survey of healthcare IT professionals from cybersecurity firm Censinet, 45 percent of respondents said that ransomware attacks lead to an increased risk of complications from medical procedures.

In 2022, cybercriminal organizations saw a 40 percent drop in revenue as more victims refused to pay their ransoms. While this may seem like good news, it is also a reason to remain vigilant as these groups evolve and try to find new sources of income in 2023.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.