Healthcare data breaches, many of which are caused by cyber criminal groups, continue to be a major threat to the efficiency of hospital operations and the safety of patient data. Nearly 1 million health records were breached in the U.S. in March. Below are three gangs that hospitals should be wary of.
Hive
On April 19, HHS issued an alert about Hive, warning healthcare providers to defend against the "exceptionally aggressive" ransomware group.
Within 100 days of operation, Hive has claimed attacks on about 355 companies.
The group uses many common ransomware tactics, including exploiting exposed Remote Desktop Protocol (RDP) or VPN access and phishing, in addition to more aggressive methods, such as directly calling victims to apply pressure and negotiate ransom payments. Other tactics include searching victims' systems for processes and connections tied to backups and terminating or disrupting them, and deleting shadow copies, backup files and even system snapshots.
Lapsus$
On April 7, HHS issued a threat brief detailing the tactics used by the criminal group Lapsus$, which recently attacked Microsoft, Samsung and identity management service provider Okta.
Lapsus$ usually targets large companies. It does not use ransomware. Instead, it relies on bribery and extortion.
The group uses tactics ranging "from simple to moderately complex," according to HHS. Common approaches are credential theft; multifactor authentication bypass; social engineering; managed service provider compromise; SIM swapping; accessing employees' email accounts; bribing employees, suppliers or business partners of target organizations for credentials and multifactor authentication approval; and self-injection into companies' ongoing crisis communication calls.
Conti
Throughout 2021, federal agencies warned healthcare organizations about the increased use of Conti ransomware, responding to hundreds of cyberattacks claimed by the group.
During most Conti ransomware attacks, hackers steal files, encrypt servers and demand a ransom payment. Conti actors usually gain access to the network through spear phishing campaigns, stolen desktop credentials, phone calls and fake software promoted on search engines. The group's ransomware can spread itself by infecting other remote machines through shared drives on the network.
After stealing and encrypting data, Conti actors use a double extortion tactic: they demand a ransom to restore the encrypted data and also threaten to release the stolen data to the public if the ransom isn't paid.
In February, Conti announced its support of Russia and threatened to attack the Russian government's enemies if they responded to the country's invasion of Ukraine.
Leaked documents emerged in February showing that Conti has offices in Russia and operates like a legitimate company, with salaried workers, bonuses, performance reviews and "employees of the month."
In March, the FBI, U.S. Secret Service and the Cybersecurity and Infrastructure Security Agency updated their information on Conti, providing a list of more than 100 domain names and naming characteristics that Conti uses to distribute ransomware.