‘Classic’ Cerber ransomware targets health sector in high volumes

Healthcare organisations using VMware’s Carbon Black services thwarted almost 240 million attempted cyber attacks during 2020, an average of 816 attempted attacks per endpoint. Cerber ransomware accounted for 58% of attacks, followed by Sodinokibi, VBCrypt, Cryxos and VBKrypt.

Cerber, which has been around for some time, operates a ransomware-as-a-service (RaaS) model where it is purchased and spread by affiliate groups, who pay a commission on their ill-gotten gains. It has been known to spread as free online software, via malicious email attachments, or installed via unpatched software vulnerabilities. It can prevent antivirus tools from executing and uses RSA encryption, so there are currently no means to decrypt it for free.

Greg Foss, senior cyber security strategist at VMware Carbon Black, said: “As RaaS explodes in popularity on the crimeware forums, cyber criminals are finding new and unique ways to deploy ransomware across organisations.

“Similar to how spies are recruited for espionage against government agencies, regular everyday people with access to high-value targets can be recruited to deploy malware. Often, they are lured through offers of significant sums of money or even a percentage of the ransomware payout, with some offering hundreds of thousands of dollars per victimised organisation.

“Affiliate programmes and partnerships between ransomware groups have also become a common occurrence alongside the general recruiting of insiders. These affiliate programmes look to partner with initial access brokers – criminals that specialise in breaking into organisations and subsequently sell direct access and other ransomware gangs in order to improve their tradecraft, furthering their reach and overall profitability.”

While it is no secret that cyber attacks against the health sector have surged over the past 11 months, Carbon Black’s researchers say they saw notable spikes in September and October 2020 – coinciding with specific warnings about the activities of the Ryuk crime gang – and malicious activity seems to be ramping up.

The team said it is now observing a dramatic increase in secondary infections being leveraged in support of longer-term cyber attack campaigns. These are happening across the digital healthcare supply chain and have already led to a surge in extortions.

It is also now finding significant volumes of protected health information data being bought and sold on dark web markets, and healthcare organisations are beginning to see more denial of service (DoS) attacks impacting core services.

There are also worrying signs of cyber criminal groups beginning to collaborate on “an unprecedented scale” to share stolen resources and combine forces against healthcare organisations.

Moving through 2021, and with government mismanagement of the pandemic resulting in significant community transmission of Covid-19, the emergence of evasive new variants of the virus and diplomatic spats over vaccine availability, it is clear that healthcare organisations will continue to be extorted by cyber criminals.

Carbon Black said it is now critical for security teams to pay close attention not just to how such criminals achieve their goals, but also how they respond to such threats. The team called for global collaboration between the security community and the healthcare sector, using organisations such as non-profit H-ISAC to bring the industry together and share intelligence.