Fraud Management & Cybercrime , Ransomware , Social Engineering
Sophos: Attacks Drop in Nearly All Sectors But Healthcare
Survey Finds 37% of Providers Take Over a Month to Recover From RansomwareRansomware attacks are declining across many sectors - but not in healthcare, where an ongoing surge is reaching a four-year high in incidents, according to a new research report from security firm Sophos.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
Of 402 healthcare organizations surveyed by Sophos, two-thirds reported suffering a ransomware attack in the past year, up from 60% in 2023. In comparison, the number of respondents hit by ransomware attacks across all sectors fell to 59% in 2024, down from 66% in 2023, the report released on Thursday says.
Sophos, which surveyed 5,000 IT leaders across 15 sectors and 14 countries between January and February, said the amount of time it takes healthcare organizations to recover from ransomware attacks is growing increasingly longer. Thirty-seven percent took over a month to recover, up from 28% in 2023. Only 22% of healthcare ransomware victims said they fully recovered in a week or less, a big drop from 47% reported in 2023 and 54% in 2022.
The increased severity and complexity of attacks are factors in the longer recoveries - and also contribute to the inclination by many healthcare sector entities to pay a ransom, said John Shier, field CTO at Sophos.
"Healthcare is an industry where such attacks on organizations can have an enormous impact," he told Information Security Media Group. The potential to affect patient care is a major concern with these attacks. In the past, anecdotally, some ransomware groups had a red line against attacking healthcare sector entities, but that tenet has been eliminated by many gangs and their affiliates, especially Russian-based cybercriminals in the wake of the Ukraine war, he said.
About 74% of ransomware attacks on healthcare organizations resulted in data encryption - nearly the same encryption rate reported in 2023, but higher than the global cross sector average of 70%, the report says.
In healthcare, 25% of respondents said their attacks were stopped before data was encrypted, about the same as last year. Healthcare respondents also reported that in 22% of incidents where data was encrypted, data was also stolen. That's an improvement over last year, when 37% of healthcare respondents reported their attacks also involved data theft.
About 66% of healthcare respondents said their backups were compromised during their attacks - and when that happens, those organizations are twice as likely to pay a ransom, Shier said. In those cases, the ransom demands often increase, he said.
In fact, ransom demands were, on average, more than three times higher when backups were encrypted, versus attacks where backups were not compromised. In such cases, the median ransom demand was $4.4 million when backups were compromised vs. $1.3 million.
The Sophos study found that in the healthcare sector, when a victim paid a ransom, insurance providers transferred the funds for 39% of ransom transactions, either directly - 19% - or through their appointed incident response specialist - 21%.
The victim organization made almost half - 47%- of payments, while 7% were executed by the victim's legal firm. About 27% of ransom transfers were facilitated by incident response specialists, whether appointed by the insurance provider - 21% - or another party, typically the victim.
The rash of ransomware incidents in the healthcare sector this year includes the record-breaking attack and data theft in February on UnitedHealth Group's Change Healthcare, which affected about one-third of the U.S. population. UHG is also a healthcare sector entity that paid a ransom - $22 million to ransomware gang BlackCat.
Exploited vulnerabilities, compromised credentials, malicious email and phishing were the root causes of ransomware attacks in the healthcare sector - similar to other industries.
While patching vulnerabilities "as soon as possible" and using multifactor authentication on VPNs and other critical devices are important deterrents for falling victim, many healthcare entities are resistant to hindering clinicians quick access to certain patient care devices, such as monitoring equipment and medication dispensing systems, Shier said.
"We need to think about architecturally what to do with the infrastructure to make sure if a threat actor does gain access to someone's finance or HR computer, there are layers of protection and detection in place that would impede the actors from gaining access to those very vital patient systems that can't have as high a level of protection."