GRIT Ransomware Report Spotlight: Healthcare

Recently, the GuidePoint Research and Intelligence Team (GRIT) published a report looking at ransomware trends so far in 2022, with a specific focus on how the Russian invasion of Ukraine might impact ransomware operations. We hypothesized in that report that the conflict would result in a slowdown of ransomware operations, based on the premise that many of the major ransomware groups operate from within eastern Europe and Russia. We also hypothesized that recent, large-scale leaks of operational and source code data would negatively impact the rate at which attacks occurred. If you want to see the final conclusions of that report, you can check it out here. But those final conclusions are not what we’re here to talk about today. 

So why are we here right now? As part of our analysis, we took a look at publicly available ransomware data collected from ransomware leak sites. That data gave us a view into what countries and industries tend to be targeted the most, and by which ransomware groups.

In 2021, we saw a spike in high-profile attacks targeting critical industries. What many in the cybersecurity field already knew suddenly became a hot topic: it’s imperative that we start taking the cybersecurity of our infrastructure seriously. With that in mind, we decided to dig a little deeper into a few of the top ten industries we saw in our report. Specifically, what we want to talk about today is what we found regarding ransomware attacks in the healthcare industry.

Ransomware Trends in Healthcare

While the healthcare industry has always been a lucrative target–it’s hard to delay recovering vital files while lives hang in the balance–the last two years have also made it strategically important. It makes sense, then, that healthcare came in the top ten industries with publicly posted victims. Dissecting that data further, the United States came in with almost four times the number of posted victims when compared to the next highest country, Spain. In fact, US healthcare industry victims outnumbered the combined total of all the other victim countries we observed.

As for who is responsible for those attacks, LockBit and Conti claim responsibility for a large number of attacks. While LockBit was the most impactful threat actor within the healthcare space, they weren’t as impactful as we’ve observed within other industries. Despite the lower number of victims, Conti still presents a significant concern as the second-most-frequent perpetrator.

Finally, as would be expected for an industry as important as healthcare, leak site postings were consistent across 2021 and 2022, showing a steady stream of attacks, with a significant spike in November of 2021.

So what does this mean for the healthcare industry? In the full report, we talked quite a bit about Threat Intelligence and its importance to your cybersecurity programs. If you’re in the healthcare industry, and specifically if you’re within the US or a western European country, it’s important to recognize that your organization is currently an extremely valuable target, and you should use this data as a way to bolster your defenses. If you aren’t already using one, you may want to consider investing in a Threat Intelligence Platform (TIP) and threat intelligence feeds relevant to LockBit and Conti’s known Tactics, Techniques, and Procedures. Operationalized threat intelligence may be the difference between stopping LockBit or another group, or becoming a statistic in GRIT’s next report.