Ransomware: Warnings of actors targeting healthcare

December 14th, 2022

This month has seen multiple warnings and briefs regarding ransomware actors that may be targeting healthcare institutions and companies. With this being the holiday surge, there are multiple facets that may become available to threat actors to gain a foothold within the healthcare vertical.

HSS Warnings

The HSS has sent out multiple briefings highlighting automated attack suites and tool-sets that may be used to attack healthcare companies within the holiday season and beyond. Specific ransomware groups have been highlighted by this group are (https://www.hhs.gov/about/agencies/asa/ocio/hc3/products/index.html):

  • Lockbit 3
  • Blackcat
  • Royal
  • Cuba
  • Lorenz
  • Venus

These groups have seen a large uptick in activity and success through 2022 and (some) have a strong reputation with initial access brokers to obtain a foothold in companies. Reference briefs for all groups are linked at the end of the article.

Darkfeed Ransomware Tracker showing some mentioned groups obtaining new victims.

An attacker’s perspective

Whenever I have tracked ransomware a few things have always stood out to me.

  1. Low hanging fruit vulnerabilities
    • Any known vulnerabilities that are widely exploited by automated bots can/will be used as initial access to then pivot into ransomware
    • i.e. Log4Shell
  2. Social Engineering: Phishing
    • Email phishing has and probably will always be an effective method of exploitation for actors for the low bar of success. (All you need is 1)
  3. Active Directory Defaults
    • The current landscape of active directory controls being implemented and configured correctly are few and far between. These failures are the backbone of most ransomware actors.

This list is only a snippet from what has been gathered for tactics, techniques, and procedures (TTPs) used by ransomware actors. (One mainly that I have personally analyze: Conti)

There is the additional avenues used by initial access brokers. This list is basically infinite due to the vast unknown amounts of breach data sets that are circulated within closed channels and small time botnet activity. Ransomware as a Service (RAAS) actors such as Blackcat, have set programs in place for these small time actors to exponentially increase the possible amount of profit that may be achievable.

Then we have some environmental factors that I would see as being an advantage for ransomware actors in the next coming months.

The first regarding healthcare shows a large uptick in the last 30 days (roughly) to the present day. Important Note: This chart does NOT take into accounts hospitalizations related to covid, rather it is assumed to be non-covid patients. (https://www.aha.org/statistics/fast-facts-us-hospitals)

This small spike and the added stress of a surge in illness from the Flu Season could put considerable stress on the staff at healthcare providers and their vendors. This may be the reason that ransomware actors could be targeting (or may be thinking of) healthcare institutions.

I bring this up as its what I would do if I was a malicious actor. Beat them while their down, stressed, overworked because that’s when people will make mistakes. I wouldn’t want to attack a healthcare provider with social engineering attacks when there is a lull in the number of patients that are needing to be treated. I want to attack them when everything is ‘on fire’ so to speak. One, because people are more prone to mistakes. Secondly, and most importantly, I wouldn’t have to make a sophisticated attack to potentially achieve a desired outcome.


If there is a large successful campaign from any of these actors we could see something to the scale that we saw with ‘WannaCry’ back in 2017. With the lessons learned from that healthcare institutions are far better equipped (in general) than in 2017. However, continued diligence and understanding of threats and risks targeting these organizations is key to continuing to improve.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s