Ryuk/Conti Ransomware Attacks Cost Hospitals Over $500 Million During Covid

Posted May 3, 2022

During the COVID-19 pandemic, the world witnessed a dramatic increase in cyber attacks as businesses transitioned employees to a work-from-anywhere environment and criminals took advantage of unsuspecting users. Through the attacks, healthcare quickly became one of the most targeted industries. During the height of the pandemic, the FBI and DHS repeatedly issued warnings of credible cyber threats targeting healthcare providers.

One of the more ruthless threat actors during this time was a ransomware group known as Ryuk (aka Conti). Conti gained notoriety when they publicly declared they would refrain from targeting healthcare providers in an apparent gesture of goodwill. The declaration added a new twist to the war on cybercrime as the criminal tried to portray themselves as considerate, sympathetic, or even slightly ethical. But in a new lawsuit filed by Microsoft, it appears the pledge was a lie as Conti targeted hundreds of healthcare facilities.

Several parties have joined Microsoft’s efforts in the lawsuit including Errol Weiss, a former penetration tester for the U.S. National Security Agency (NSA). Weiss now serves as the chief security officer of the Health Information Sharing & Analysis Center (H-ISAC), an industry group that shares information about cyberattacks against healthcare providers.

According to Weiss, “Hospitals reported revenue losses due to Ryuk infections of nearly $100 million from data I obtained through interviews with hospital staff, public statements, and media articles. The Ryuk attacks also caused an estimated $500 million in costs to respond to the attacks – costs that include ransomware payments, digital forensic services, security improvements and upgrading impacted systems plus other expenses.”

In the early stages of the pandemic, the Conti gang had already accessed more than 400 healthcare facilities in the U.S. alone. And their attacks on healthcare continue today.

In May 2021, an FBI Flash report detailed the breadth and tactics of the continuing attacks:

The FBI identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks, including law enforcement agencies, emergency medical services, 911 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary wide ly and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million

Since the beginning of 2022, Conti has claimed responsibility for hacking a cancer testing lab, a medical prescription service online, a biomedical testing facility, a pharmaceutical company, and a spinal surgery center.

The May FBI Flash report goes on to state that Conti typically gains access to victim’s networks through stolen Remote Desktop Protocol (RPD) credentials, along with weaponized office documents and email attachments. Recommended mitigation steps include:

Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
Implement network segmentation.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
Install updates/patch operating systems, software, and firmware as soon as they are released.
Use multi-factor authentication where possible.
Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
Disable unused remote access/RDP ports and monitor remote access/RDP logs.
Require administrator credentials to install software.
Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
Install and regularly update anti-virus and anti-malware software on all hosts.
Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
Consider adding an email banner to messages coming from outside your organizations.
Disable hyperlinks in received emails.
Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

Scott Anderson

Scott Anderson is Partner / CTO of Verus Corp. He works with mid- and large-sized companies to ensure that all of their managed IT service needs are met to their highest standards. Scott knows that giving customers exactly what they need requires flexibility and patience. He works with each department to carry out documentation and the processes of providing managed IT services. Every position that Scott has held has been largely focused on customer service. This expertise and experience means that you’ll be getting a holistic and customer-centered experience from Verus Corp, from installation to troubleshooting. Scott has provided services that have helped Verus Corp be named a Cisco Select Partner and WatchGuard Partner of the Year. Most recently, Verus Corp was named the second best place to work by the Minneapolis/St. Paul Business Journal. Scott has a Bachelor’s in Speech from St. Cloud State University.