Editorial

The war on ransomware and what this means for the healthcare sector

Ransomware poses a significant and escalating threat to the public sector and healthcare, driven by profit-seeking criminal activities. Richard Staynings, chief security strategist at Cylera, examines the growing threat of ransomware-as-a-service on the public sector and critical national infrastructure.

Posted 22 May 2024 by Christine Horton


The healthcare sector has always been a top target for hackers due to the large volumes of highly sensitive data these organisations hold on the public, and the total chaos that unfolds when these heavily relied upon institutions come to a standstill.

Digital healthcare requires a lot of IT and IoT systems, but many of these were never designed with security in mind. Medical devices are very beneficial to the healthcare industry, but they also have built-in security vulnerabilities that are difficult to protect against and patch. Moreover, the NHS operates a vast estate of legacy infrastructure, encompassing unsupported IoT systems that have reached the end of their operational life. This places the NHS in a particularly challenging position regarding its ability to defend against cyberattacks.

Recent ransomware groups, stats and trends

In 2023 healthcare was the third most targeted sector by attackers, and the fifth most impacted by ransomware overall, experiencing a global average of 1500 attacks per week according to Check Point’s 2024 cybersecurity report.

Additionally, in a recent report, A hostage to fortune: ransomware and UK national security, published by the UK Government, 2021 was described as a “watershed moment” for ransomware, with attackers achieving their ‘best year ever’. In the report, one cyber security firm claimed that the number of attacks against UK victims had increased by 233% between 2020 and 2021 and the volume of ransom payments also quadrupled. In November 2023, London’s King Edward Hospital was attacked with threats to leak members of the Royal Family’s medical records, and in December of last year there were reports that Sellafield, the UK’s most hazardous nuclear site, had been hacked by cyber groups closely linked to Russia and China. One of the most recent ransomware attacks on our UK health service was in March 2024, in which a hacker group – Inc Ransom – gained possession of three terabytes of patient data from NHS Dumfries and Galloway.

Some of the most significant RaaS groups include:

  • LockBit: Known for its fast encryption speed and targeting of enterprise networks.
  • BlackCat, also known as ALPHV or Noberus: Known for triple-extortion tactics, BlackCat demands ransoms in exchange for avoiding further DoS attacks, decrypting compromised files, and not releasing stolen data.
  • Cl0p: Emerged in 2019 and uses a collaborative ransomware-as-a-service (RaaS) model with sophisticated social engineering tactics.

The rapid growth of these RaaS groups is partly due to an efficient division of labour. Initial access brokers attempt a primary hack and sell the access on to affiliates. Ransomware operators then sell malware source code to affiliates, and affiliates pay a service fee to ransomware operators for every collected ransom.

Such efficient division of labour between actors has increased the frequency of ransomware operations. It has also lowered the cost barrier to entry into ransomware, because less sophisticated criminal groups (affiliates) can purchase the required technology to conduct more advanced attacks. Furthermore, it means that ransomware actors are connected in rather loose ways, making attribution of responsibility for attacks even more difficult.

RaaS group: LockBit – its rise, fall and resurgence

Take in particular one of the most notorious RaaS gangs, LockBit, a criminal entity that has solidified its standing as one of the most prolific and destructive ransomware entities, posing significant challenges to organisations on a global scale. Since its inception in 2019, this criminal syndicate has gained infamy for its relentless ransomware campaigns, impacting over 2,000 victims worldwide and coercing ransom payments exceeding $120 million.

In fact, despite LockBit claiming that “we do not attack healthcare, education, charity organisations, social service”, healthcare providers and services were noted as one of the top sectors targeted by the RaaS gang in a report by the Department of Health and Human Services, USA.

NHS 111 services and out-of-hours GP surgeries in the UK were significantly disrupted by the gang in 2022, knocking the critical healthcare service’s digital systems offline. More recently, LockBit claimed a cyberattack on the Capital Health hospital system, demanding a large ransom in exchange for keeping confidential the seven terabytes of sensitive medical data they stole. Even six months after the attack, the healthcare institute claimed that 74 percent of its patient care was still affected.

Although earlier this year the UK’s National Crime Agency and the US FBI led an international law enforcement action that dismantled LockBit’s infrastructure, the criminal gang was able to swiftly revive itself. This highlights the resilience and adaptability of cybercriminals, while simultaneously throwing up an even bigger threat to organisations worldwide. With RaaS groups such as LockBit able to resume their services so effortlessly, it is imperative for businesses and organisations to invest in a comprehensive and collaborative approach to combating ransomware, one that involves proactive and reactive defence measures.

The way towards victory

Instead of relying solely on reactive measures, such as paying a ransom or deploying decryption tools after an attack, public and healthcare organisations must adopt a mature cybersecurity strategy to provide a more assured and comprehensive security posture that mitigates risk against rising ransomware attacks. This should include robust cybersecurity measures such as:

1) Establishing visibility by understanding IT infrastructure and conducting vulnerability assessments

2) Implementing continuous monitoring for prompt threat detection and response

3) Developing a swift and coordinated threat response plan

4) Proactively mitigating risks through measures like patch management and staff training

5) Maintaining continuous adaptation and improvement to ensure resilient cybersecurity over time

In addition to the above measures, what’s clear is that the war on ransomware is an ongoing battle that requires collective efforts from all stakeholders, including government agencies, industry partners, and the public.

The consequences of ransomware attacks extend beyond financial losses, often leading to compromised patient care, data breaches, and erosion of public trust. As such, safeguarding our global healthcare against these aggressive and dangerous threats is critical on a number of levels, while fortifying security across all organisations contributes to the overall protection of global national security.
