Bad cyber actors went after the healthcare market last year in a substantial way, according to experts who spoke at a webinar hosted last week by the Cyber Thre Alliance. The discussion covered some top cybersecurity threats, trends in the attack life cycle, security vulnerabilities, and major incidents that occurred in 2021.
During the session, Neil Jenkins, chief analytic officer with the Cyber Threat Alliance, and Dave Liebenberg, head of strategic analysis with Cisco Talos, discussed the Talos Incident Response Year-in-Review for 2021 and offered some perspective on what threats may yet lie ahead.
Liebenberg said healthcare was the top targeted sector for three of the four quarters last year. “The exception being Q3, in the fall, which was local governments,” he said. “Even then, healthcare was a close second.” In the last half of 2020, healthcare was also the top target of cyber threats, Liebenberg said, coinciding with and overlapping the pandemic.
Jenkins asked if the threats to healthcare mainly targeted hospitals or included biopharmaceutical companies dealing with espionage attempts related to COVID-19 research.
“It did include some research organizations,” Liebenberg said. “Most of the [data] exfiltration we saw was actually directed more towards hospitals and involved exfiltrating personally identifiable information.”
Top Threat 2021: Ransomware
Ransomware ranked “by a mile” as the top type of threat in 2021, Liebenberg said, continuing a longstanding trend. “With the exception of Q1, every quarter besides that ransomware took up nearly 50% of all the threats that we saw,” he said. That spoke to the concerns businesses must have about ransomware attempts, Liebenberg said.
Other types of threats may exist, such as the early 2021 data breach of the Microsoft Exchange Server, but he said ransomware remains at the forefront as a recurring, frequent, and dominant issue.
In 2020 and through early 2021, many incidents were attributed to the Ryuk ransomware family, Liebenberg said. By the second quarter of 2021, Ryuk and REvil, both of which have alleged roots in Russian criminal groups, tied as the topmost observed sources of ransomware incidents with new emerging threats. “That same quarter, we see shift happening,” he said. “That same quarter, we also identify 13 other ransomware families.”
A number of criminal rings behind the ransomware attacks broke up and reformed into new groups, driving new democratized evolutions of such threats, Liebenberg said. “Ryuk becomes Conti; DoppelPaymer to Grief; DarkSide to BlackMatter.”
Recent threats include a shift from commodity Trojan horses to new tools such as Cobalt Strike attacks, he said, as well as the GMER rootkit remover being used to disable security software.
‘Crypto Miners … Truly Do Not Care’
With more bad actors gaining the means to launch ransomware attacks, some tip their hands faster than others. “The quickest you’ll ever see are crypto miners,” Liebenberg said. “They truly do not care. They just have the worst tradecraft possible. As soon as the [proof of capacity] is released, they are dumping it out, modding it out. They’re the first ones you see.”
After crypto miners, more advanced groups may surface, such as advanced persistent threat (APT) or ransomware groups, he said. Business email cases, along with related phishing messages, also ranked among serious threats to enterprises, Liebenberg said, but the rise of crypto has made its mark on the digital underworld.
“Cryptocurrency miners… they are just evergreen,” he said. “Who knows if they’ll ever go away.” Any time a new vulnerability is released, floods of cryptocurrency botnets try to target that vulnerability, Liebenberg said.
The types of targets that cybercriminals go after in the future might shift from larger, high-value targets to smaller targets as law enforcement cracks down, but threats can remain for organizations of all sizes. “We are in a very in flux, geopolitical situation right now,” Liebenberg said, hinting at Russia’s recent invasion of Ukraine. “I do predict a lot of current, larger [cybercriminal] groups will look to avoid scrutiny. You can’t discount a new, brash actor stepping in to do something stupid.”