Over the last few months, hospitals around the world have had to deal with some of their most difficult moments. The current Covid-19 pandemic has pushed this critical infrastructure to its limits. It is so important that they function properly right now that some cybercriminal groups have even pledged not to attack hospitals during the pandemic. Others, however, have not been so supportive.
Ransomware in the time of Covid-19
In mid-March, a cyberattack brought a university hospital, which was carrying out research to stop the spread of coronavirus, to a standstill. A few weeks later, Spanish police began to detect attempts to block the IT systems of hospitals throughout the country. According to Microsoft, these incidents are not the only ones.
The tech giant’s security intelligence team has detected multiple “manually operated” targeted attacks against hospitals that were activated in early April. Microsoft had been monitoring these attacks since the beginning of the year, and it therefore believes that activating them during the peak of the Covid-19 pandemic was a deliberate tactic to extract larger payments.
Some of the tactics used are similar to those used by APTs: credential theft, lateral movement with Mimikatz and Cobalt Strike, reconnaissance, and data exfiltration.
Data exfiltration: An added danger
An increasingly common tactic among cybercriminals is to combine ransomware attacks with data breaches. Microsoft explains that organizations must assume that data will be stolen during the ransomware attack if the payload includes RobbinHood, Maze, PonyFinal, Vatet Loader, REvil, or Netwalker. Although only a few of these groups have a reputation for selling private information, almost all of them accessed and exfiltrated data during their attacks, even if they have not yet advertised and sold the data.
Weaknesses and vulnerabilities
To carry out these attacks, the cyberattackers exploited several weaknesses in their victims’ systems: RDP connections without multi-factor authentication, end-of-life (EoL) platforms such as Windows 2003, misconfigured web servers, Citrix Application Delivery Controller systems affected by CVE-2019-19871 and Pulse Secure VPN systems with CVE-2019-11510.
Microsoft has also warned that the same ransomware groups may exploit the following vulnerabilities: CVE-2019-0604, CVE-2020-0688, CVE-2020-10189.
Fresenius: The latest victim of ransomware
In early May, Europe’s largest private hospital operator was hit by a Snake ransomware attack. A spokesperson for the group explained that “Fresenius’ IT security detected a computer virus on company computers” and that the group’s “IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”
How to shield hospitals against these attacks
It seems that these kinds of ransomware attacks against such vulnerable targets are not going to stop anytime soon. It is therefore vital that hospitals are protected against these threats so that they can carry on providing their vital service.
One of the most important steps that can be taken to avoid targeted ransomware attacks is to properly protect RDP connections: According to the FBI, between 70% and 80% of ransomware attacks begin with this protocol. If you have to use this tool—an extremely common situation these days—it is vital to use multi-factor authentication to log in.
Another vital measure is to prevent vulnerabilities from becoming the point of entry for ransomware. Many of the attacks mentioned here exploit vulnerabilities in their victims’ systems to make their way onto computers. To prevent this, it is vital to be able to apply the necessary patches as soon as possible.
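The two measures above, exposed RDP and missing patches, can be checked on each Windows host before deciding where MFA and patching effort is needed first. The following audit script is an added example, not code from the original post or from Panda's product; it assumes Windows 10 / Server 2016 or later, and it cannot see whether MFA is enforced in front of RDP (that lives in a gateway or identity provider), so it reports the host-side settings a defender verifies alongside that.

```powershell
# Added example (not from the original post): report the RDP exposure and patch
# currency of the local Windows host. Assumes Windows 10 / Server 2016 or later.
function Get-RdpExposureReport {
    [CmdletBinding()]
    param(
        # Days without any installed update after which the host is flagged as stale
        [int]$MaxPatchAgeDays = 30
    )

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    $ts     = Get-ItemProperty -Path $tsKey  -ErrorAction SilentlyContinue
    $rdp    = Get-ItemProperty -Path $rdpKey -ErrorAction SilentlyContinue

    $rdpEnabled  = ($ts.fDenyTSConnections -eq 0)    # 0 = Remote Desktop enabled
    $nlaRequired = ($rdp.UserAuthentication -eq 1)   # 1 = Network Level Authentication required
    $tlsOnly     = ($rdp.SecurityLayer -eq 2)        # 2 = TLS only; 0/1 allow legacy RDP security

    # Firewall scope: an enabled inbound "Remote Desktop" rule whose remote address
    # is "Any" means the listener is reachable from wherever the host's network is.
    $openToAny = $false
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') { $openToAny = $true }
        }

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $lastPatch = Get-HotFix | Where-Object InstalledOn |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1
    $patchAge  = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { $null }

    $findings = @()
    if ($rdpEnabled -and -not $nlaRequired) { $findings += 'RDP accepts connections before authentication (NLA off)' }
    if ($rdpEnabled -and -not $tlsOnly)     { $findings += 'RDP allows a legacy security layer instead of TLS' }
    if ($rdpEnabled -and $openToAny)        { $findings += 'Inbound RDP firewall rule is scoped to Any remote address' }
    if ($null -eq $patchAge -or $patchAge -gt $MaxPatchAgeDays) { $findings += "No update installed in the last $MaxPatchAgeDays days" }
    # Windows Server 2003 (named in the post) and 2003/2008-era builds are out of support.
    if ($os.Caption -match '2003|2008') { $findings += "End-of-life platform: $($os.Caption)" }

    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        OS           = $os.Caption
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        TlsOnly      = $tlsOnly
        OpenToAny    = $openToAny
        PatchAgeDays = $patchAge
        Findings     = $findings
    }
}

Get-RdpExposureReport | Format-List
```

Run it from an elevated prompt; a host with RDP enabled, NLA off and an "Any"-scoped rule is the exact combination the post describes as the entry point, and should be prioritised for MFA and patching.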
With Panda Patch Management you can be sure of always having the relevant patches. This module, which doesn’t require any additional deployments, not only provides patches and updates for operating systems, it also patches and updates hundreds of third-party applications. It also allows you to:
- Discover, plan, install, and monitor: It provides real-time visibility of endpoint health regarding vulnerabilities, pending updates or patches, and EoL software.
- Audit, monitor, and prioritize updates for operating systems and applications. It allows real-time visibility into the status of pending patches and updates for the operating system and third-party applications.
- Prevent incidents, systematically reducing the attack surface created by vulnerabilities. Managing patches and updates allows you to get ahead of vulnerability exploitation.
- Contain and mitigate attacks, immediately patching one or more endpoints: The console correlates detections with vulnerabilities, minimizing response, containment, and remediation time.
Now more than ever, we must ensure that hospitals do not have to deal with any additional challenges. For this reason, it is vital to protect their IT systems.