IBM X-Force Report Reveals Healthcare Cyberattacks Doubled in 2020

IBM X-Force has published a new report showing that healthcare cyberattacks increased by 100% in 2020 and that 28% of those attacks were ransomware attacks. The substantial increase moved healthcare to 7th place among targeted sectors. Finance and insurance is still the most heavily targeted sector, followed by manufacturing, energy, retail, professional services, and government. Healthcare cyberattacks made up 6.6% of attacks across all industry sectors in 2020.

The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and drew on more than 150 billion security events every day. The data was collected from several sources, including IBM Security X-Force Threat Intelligence and Incident Response, IBM Managed Security Services, X-Force Red, and external sources such as Intezer and Quad9.

The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks, up from 30% in 2019. This was closely followed by phishing, which was the initial entry point in 33% of cyberattacks, up from 31% in 2019.

2020 was the first year when IBM X-Force began publishing its annual threat index reports. The report reveals that the exploitation of vulnerabilities was more prevalent than phishing as the initial attack vector, which was mostly a result of the global switch to a distributed workforce in response to the pandemic.

Around 1/5 of cyberattacks in 2020 involved the exploitation of flaws in Citrix servers, which were used to support remote employees. Out of all attacks that involved exploiting Citrix vulnerabilities, healthcare placed third, making up 17% of all cyberattacks. Credential theft ranked third in the list of initial attack vectors and accounted for 18% of all attacks, down from 29% in 2019.

Ransomware attacks increased sharply, particularly in healthcare. Overall, 23% of security incidents in 2020 involved ransomware, up from 20% in 2019, and 28% of all cyberattacks on the healthcare sector used ransomware. These attacks frequently involved data theft prior to file encryption, which pressures victims into paying the ransom to avoid the exposure or sale of the stolen data. 59% of ransomware attacks in 2020 used this double-extortion strategy.

In 22% of ransomware attacks, attackers used Sodinokibi. The researchers say that the Sodinokibi gang’s ransom payments amounted to $123 million in 2020. Other very active ransomware operations included Netwalker, RagnarLocker, Ryuk, and Maze, each of which accounted for 7% of the attacks.

Ransomware was the leading attack type, followed by data theft and server access. Data theft grew by 160% year-over-year, with a large proportion of the attacks attributed to the Emotet Trojan. Server access grew by 233% in the last 12 months, for the most part involving the exploitation of vulnerabilities and the use of stolen credentials. Business email compromise (BEC) attacks declined from 14% in 2019 to 9% in 2020. Insider breaches dropped from 6% to 5% of attacks, while misconfigurations stayed the same at 5% of attacks. Remote Access Trojan (RAT) attacks grew notably, from 2% of cyberattacks in 2019 to 6% in 2020.

Server access and BEC attacks were the second and third most common types of healthcare cyberattacks. Each type accounted for 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations each accounted for 9% of attacks.

The increase in cyberattacks on the healthcare industry was mainly caused by ransomware gangs heavily targeting the industry and by threat actors focusing on COVID-19-related research institutions. It could have been much worse for the healthcare industry. Security researchers were aware that the Ryuk ransomware group was preparing a targeted campaign in October to attack 400 hospitals. Thankfully, hard work by cybersecurity firms and law enforcement restricted the attacks to only 9 out of the 400 hospitals.