"HC3: Ransomware Groups Leveraged Remote Access, Encryption Tools in Q1"

The US Department of Health and Human Services' (HHS) Health Sector Cybersecurity Coordination Center (HC3) observed an increase in the use of legitimate tools such as Cobalt Strike and Mimikatz by ransomware groups during the first quarter of 2022. HC3 observed groups increasingly turning to file transfer, remote access, and encryption tools in attacks against organizations. Experts also pointed out that Initial Access Brokers (IABs) consistently sold healthcare entity network access on various cybercriminal forums throughout the first quarter. According to HC3, IABs allow Ransomware-as-a-Service (RaaS) groups to devote more time to developing malicious payloads and coordinating operations with affiliates. Over half of the discovered underground forum advertisements were for general Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) access to healthcare organizations.

HC3 emphasized that the COVID-19 pandemic led healthcare organizations to adopt more cloud and remote access applications without implementing complementary security features, making them more attractive targets. The growing number and availability of exploitable tools have also led ransomware groups to perform more Living off the Land (LOTL) attacks, in which threat actors leverage tools already available in the target environment instead of creating and deploying their own custom malware.

HC3 observed the LockBit, Conti, SunCrypt, ALPHV/BlackCat, and Hive ransomware groups targeting the healthcare sector. ALPHV/BlackCat is believed to be linked to DarkSide and BlackMatter. HC3's brief also noted that financially motivated groups such as FIN7 and FIN12 have been shifting to ransomware operations. Almost 20 percent of the FIN12 attacks observed by the threat intelligence firm Mandiant were aimed at healthcare entities, and more than 70 percent of attacks targeted US-based entities.

Organizations are urged to implement network Intrusion Detection and Prevention Systems (IDPS) that use network signatures, as well as Multi-factor Authentication (MFA), in order to mitigate the different cyber threats faced by the healthcare sector. This article continues to discuss key findings and recommendations regarding ransomware attacks in the healthcare sector.

HealthITSecurity reports "HC3: Ransomware Groups Leveraged Remote Access, Encryption Tools in Q1"
