Locky ransomware spread in global campaign against health sector

News by Max Metzger

FireEye researchers have spotted a Locky ransomware campaign targeting the healthcare sector around the world

A security researcher claims to have spotted a global ransomware campaign aimed at hospitals on the horizon.

Ronghwa Chong, a Singapore-based FireEye researcher, posted yesterday on FireEye's Threat Research Blog that his recent research showed a series of email campaigns aiming Locky ransomware at the healthcare sector throughout August.

The campaign was noticed when, at the beginning of August, Locky ransomware started being distributed on a large scale with DOCM email attachments. Further analysis showed similarities in macro code between several spikes of Locky.

For example, each separate campaign has its own unique code used to download the ransomware from a malicious server. Furthermore, the malicious URL embedded in the macro code is encoded using the same encoding function, but with a different key for each campaign.

The campaign hit targets all over the world, but primarily affected the United States, Japan and South Korea.

Chong noted, “These detection spikes and change in tactics suggest that the cybercriminals are investing more to infect systems and maximise their profits. Additionally, we have observed that the delivery of Dridex via this distribution channel seems to have stopped, or nearly so, which could explain why we are seeing the Locky uptick.”

Technical aspects aside, the more troubling part of this research is where this campaign is aimed: the healthcare sector.

Earlier this year, a salvo of ransomware attacks on hospitals locked staff out of their computer systems and significantly hindered day-to-day operations.

Perhaps the most notable of those attacks was the February attack on Hollywood Presbyterian Medical Center, which hamstrung the busy hospital for nearly two weeks and resulted in the hospital paying $17,000 (£13,000) to the ransomers.

Ben Johnson, co-founder of Carbon Black, told SCMagazineUK.com earlier this year that the healthcare sector is one of the most lucrative targets for cyber-criminals these days: “Cyber crime has found its sweet spot. Healthcare records are valuable and system uptime is so critical that hospitals are more likely to pay a ransom quickly in order to get their files back.”

Healthcare records can now go for ten times the price of credit card details. Furthermore, they contain a great bounty of personally identifiable information.

Johnson added, “healthcare organisations are also still lagging in the security game; they are an easier target than a bank. Unfortunately for healthcare, the hacker eye has shifted in their direction and they are mercilessly taking advantage of this period of unpreparedness.”

Expanding, Jens Monrad, global threat liaison at FireEye, told SC that “the healthcare sector and in particular hospitals have typically a very complex network infrastructure and if you look at the criticality of the systems, one could argue that victims are more likely to consider paying a ransom.”

Monrad said: “Due to the more disconnected and less centrally controlled environment, it might also take longer to detect an actual compromise, compared to a centralised infrastructure, that we see in many enterprises.”

Independent Security Evaluators (ISE), a Baltimore-based security firm, evaluated the condition of the US health sector earlier in the year, giving a poor diagnosis.

Ted Harrington, executive partner at ISE, told SC that ransomware's continued assault against healthcare “is likely due to the fact that ransomware has proven to yield profit, as evidenced by Presbyterian, MedStar, and other hospitals that were hit and paid the ransom during the wave in February/March.”

“While ransomware is obviously a technique utilised by those who seek to obtain profit, there is a very important collateral damage to consider: impact to patient health. When healthcare organisations are victimised by ransomware, they are unable to deliver care as effectively.”