Healthcare Sector Attacked Most Commonly With Downloaders and Ransomware

Blackberry has lately released its Global Threat Intelligence Report, which gives useful and contextualized intelligence that may be employed to enhance cyber strength. The report used information gathered by Blackberry and threat intelligence furnished by third parties, collected over 90 days from September to November 2022.

All through the reporting time, downloaders were one of the most frequently noticed threats. Downloaders are malicious software programs that usually disguise as legit digital files and executables and are employed to download a variety of other malicious software programs. When installed, these downloaders typically stay not noticed for extended periods and form big botnets of corrupted devices. The agents of these botnets work with other threat actors to send third-party payloads. Emotet is one of the most often utilized downloaders. It first appeared in 2014 in the form of a banking Trojan. In April 2021, a global law enforcement operation was able to shut down the Emotet botnet, however, it was later rebuilt and was used once again in late 2021. Following a 4-month hiatus in 2022, it continued its activity, with the botnet expanding through phishing emails that have malicious Office attachments. Emotet frequently downloads the IcedID banking Trojan, which subsequently frequently sends ransomware payloads.

Qakbot is yet another well-known downloader that is likewise sent out in phishing emails. The emails usually include an LNK hyperlink that brings the recipient to a malicious website that prompts a ZIP file download. The ZIP files have an executable file that contains the QakBot. QakBot could hijack current message threads for distribution, targeting persons in the contact list of victims, making it seem that the email messages were delivered as a reply to an earlier chat. The QakBot operators give preliminary access to systems for a number of ransomware operations. The researchers of Blackberry likewise discovered a rise in GuLoader, which is frequently employed to deliver data stealers like Racoon and Redline, with the malicious payloads and malicious Telegram bots usually located on cloud services like One Drive and Google Cloud. All through 2022, LockBit was the most often used ransomware type and continued to be so all through the 90-day research period. Racoon and RedLine were the most frequently seen data stealers, while FlawedAmmyy and njRAT were the most frequently discovered remote-access Trojans.

For its newest report, Blackberry examined ransomware attacks on the healthcare industry. Researchers state that the industry is notably prone to attacks because of the extensive usage of medical technologies with a long service life, the complicated and frequently interconnected character of healthcare programs, and the substantial amounts of sensitive information that are regularly gathered and kept. Ransomware still presents the greatest threat to the healthcare industry, and all the threat actors that depend on ransomware are actively attacking the healthcare sector. Though certain ransomware-as-a-service operations assert have operating guidelines forbidding attacks on the medical field, those promises are not certain and there are many instances where healthcare companies were attacked in spite of these set rules.

Qakbot was the most often seen Trojan in attacks on the healthcare industry, most often to give access to healthcare systems for ransomware affiliates and preliminary access brokers. Emotet wasn’t very active within the evaluation period, though attacks are estimated to escalate. Meterpreter, a payload sent through Metasploit, and BloodHound were active throughout the evaluation phase and were utilized in attacks on the healthcare industry. One attack utilized Meterpreter together with SharpHound, a collector for BloodHound usually employed for lateral movement. The researchers repeated CISA’s advice and recommended the network. System administrators deliberately implement BloodHound to know potential attack routes.

A number of attacks on the industry included TinyNuke. TinyNuke was employed to send the Netwire RAT, and certain attacks concerned the PlugX RAT, which is frequently employed by nation-state actors like Mustang Panda, which indicates nation-state actors and cyber threat actors are actively attacking the industry. Data stealers like Racoon and RedLine were substantially employed in attacks in 2022; nevertheless, these malware variants don’t seem to have been employed particularly to attack the industry.

The financially driven threat group, TA505, stays very active and has attacked the healthcare industry. The group is identified to utilize the FlawedAmmyy RAT, Clop ransomware, and banking Trojans. ALPHV is a fairly new cybercriminal gang that is carrying out attacks on the medical care industry. The group usually uses BlackCat ransomware and is noted for utilizing revolutionary extortion strategies and non-traditional attack strategies. ALPHV professed accountability for the latest attack on NextGen Healthcare. APT32, the threat actor based in Vietnam, Mustang Panda, the Chinese APT group, APT29, the Russian threat actor, and TA542, the cybercriminal group, have likewise been very active and have a record of attacking healthcare companies.

The researchers think the healthcare sector will remain targeted all through 2023 and ransomware will continue to be one of the greatest threats. They additionally foresee more cloud infrastructure targeted attacks while threat actors strive to get extra visibility into the companies that they want to challenge or get revenue.


About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at