Executive Summary
Multiple ransomware families have been used to target the healthcare vertical in the past year. In this report, we cover recently reported attacks on the healthcare vertical leveraging Maui and Quantum ransomware families.
Key Takeaways
- Disruptions to healthcare entities due to ransomware can result in injury or death of patients.
- US legislators are working on ways to bolster cybersecurity in the healthcare vertical.
- North Korean state-sponsored threat actors used Maui ransomware to target multiple entities in the healthcare vertical.
- Threat actors using Quantum ransomware targeted a third-party payment service provider, accessing healthcare data for over 1.9 million individuals.
According to The Guardian, ransomware attacks on US healthcare organizations have increased 94% since last year. Reporters at The Guardian stressed the dangers of these attacks, as disruption in healthcare operations can result in death or injury due to delayed treatments, ambulances being diverted to other facilities, and equipment failure. They cited a 2019 incident in which a newborn baby born to Teiranni Kidd died from fatal brain damage after a ransomware attack caused heart rate monitors to fail. Agencies and legislators are looking for ways to improve cybersecurity for the healthcare vertical to prevent such incidents. In March 2022, the US Senate proposed a bipartisan bill, called the Healthcare Cybersecurity Act, which would direct CISA and HHS to collaborate on measures to bolster the healthcare vertical’s cybersecurity.
Attack on Boston Children’s Hospital Thwarted
Earlier this year, FBI Director Christopher Wray said the FBI thwarted an attack on a healthcare organization in 2021. The attack targeting Boston Children’s Hospital was carried out by an unnamed Iranian state-sponsored threat actor group. While the malware used was not disclosed, the attack could have resulted in a system-wide shutdown and ransom demands, negatively affecting patient care.
What is Maui Ransomware?
Earlier this month, the FBI, CISA, and the Department of the Treasury released an advisory on North Korean state-sponsored threat actor activity targeting the healthcare and public health (HPH) sector. The advisory stated the FBI has been monitoring multiple Maui ransomware incidents since May 2021. The threat actors used Maui to encrypt servers used for healthcare services, including electronic health records, diagnostic services, imaging services, and intranet services. Some of these incidents led to prolonged disruption of services.
The advisory states the ransomware is an encryption binary designed to be manually executed by a threat actor. The threat actors then use the command line interface to interact with the malware and identify which files to encrypt. Maui’s encryption scheme uses a combination of AES, RSA, and XOR encryption. The agencies were unable to determine the initial access vectors used by the threat actors. Additional information on threat actor attribution was not provided in the advisory.
In June 2022, Silas Cutler at Stairwell released a report on their analysis of Maui ransomware. They noted Maui differs from most commodity ransomware in that it requires manual interaction from the threat actors and does not contain an embedded ransom note or an automated means of transmitting encryption keys to attackers.
What is Quantum Ransomware?
According to Bleeping Computer, Professional Finance Company Inc. (PFC) recently reported information on a February 2022 ransomware attack that affected their systems. PFC is an accounts receivable company used by multiple healthcare organizations for payments. PFC began notifying affected customers of the breach in May, alerting them of data stolen prior to encryption. Sensitive patient information stolen in the attacks included patient names, addresses, payment information, SSN, birthdates, and medical treatment information. PFC publicly released a list of the 657 affected organizations.
While PFC did not release details on the ransomware used in the attack, AdvIntel CEO Vitali Kremez told Bleeping Computer that Quantum ransomware was used in the attacks. According to Kremez, the threat actors moved laterally in the environment using Cobalt Strike and exfiltrated stolen data using command line tools. According to the US Department of Health and Human Services, the data of over 1.9 million individuals were affected by the attack.
Quantum ransomware attacks on other verticals were reported in 2022. In one instance, the threat actors used an IcedID payload contained in an ISO image to compromise the victim machine. PolySwarm reported on IcedID in April. The threat actors used a PowerShell Cobalt Strike beacon for lateral movement and copied the ransomware .exe to each host through the C$ share folder. They used WMI and PsExec to detonate the binary. The total time between the initial compromise to ransom was less than four hours.
Cybereason classified Quantum ransomware as a high severity threat. They have observed the threat actors behind Quantum carrying out full-on RansomOps attacks. They noted the group carries out double extortion attacks, using the Quantum Blog TOR site for leaks. The group claimed at least seven new victims since April 2022. So far, reported ransom amounts range from $150,000 USD to multi-millions.
Quantum ransomware is a rebrand of MountLocker, which was first seen in the wild in September 2020. The group has rebranded multiple times and is also known for AstroLocker and XingLocker ransomware. Quantum ransomware was first observed in July 2021, with the .quantum extension appended to encrypted files. Some of the former members of the Conti group are reportedly involved with Quantum activity. This follows the trend of former Conti operators joining other ransomware and extortion groups, including Hive, AvosLocker, BlackCat, Karakurt, BlackByte, and Bazarcall.
IOCs
PolySwarm has multiple samples of ransomware families known to target the healthcare vertical.
Maui
5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e
45d8ac1ac692d6bb0fe776620371fca02b60cac8db23c4cc7ab5df262da42b78
830207029d83fd46a4a89cd623103ba2321b866428aa04360376e6a390063570
You can use the following CLI command to search for all Maui samples in our portal:
$ polyswarm link list -f Maui
Quantum
d9ccbf38c1234f851767aff6c5a3d69c66024088830612ccbd98fdee263865ad
6d3e0b022af4179054b44e3a751675dfb86c3d2489e348cc14d1e05aab9bfa60
b3063cfab140602d4e327a56face10128c320aebd11549d08e43b9a408b40a08
883132eb3a97f79f2f25cc911f4034785897c52f8d937083f182a78ea8b3f241
2c84b5162ef66c154c66fed1d14f348e5e0054dff486a63f0473165fdbee9b2e
c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3
6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7
b63e94928da25e18caa1506305b9ca3dedc267e747dfa4710860e757d2cc8192
1d64879bf7b1c7aea1d3c2c0171b31a329d026dc4e2f1c876d7ec7cae17bbc58
239d1c7cfd5b244b10c56abbf966f226e6a0cb91800e9c683ba427641e642f10
3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
4a76a28498b7f391cdc2be73124b4225497232540247ca3662abd9ab2210be36
5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b
511c1021fad76670d6d407139e5fef62b34ca9656fb735bd7d406728568fa280
84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238
5a9028518866ce9fc3847f4704060f71e1c572132ec3f1845f29023a659f9daf
0f3bb820adf6d3bba54988ef40d8188ae48b34b757277e86728bdb8441d01ea2
e7864c93e18b9b93ca4e2b9733d1eb7a3924ba14c14bfb6372b3c04a5fbc20ea
470dfdb7b24b8eb2ff991e6a86759e1acbbeac65e19bd1c8768880f9f9b72ccb
0789a9c0a0d4f3422cb4e9b8e64f1ba92f7b88e2edfd14b7b9a7f5eee5135a4f
5ee53b9e31b4b97d2027883ef3fa08cde92344558852aa5286dfb3042b314c93
e2023e1b27adb44333b4f016a9e105625734e3040207aef0fd13f70aa12c4199
faf49653a0f057ed09a75c4dfc01e4d8e6fef203d0102a5947a73db80be0db1d
076737e5e088fe2883053ab51e675838921161f78ba8ae35421b61afbd5b2193
1b611c3c06550ff5c726c9a5d750823a39f89d3d133864323ddc7e11e38b0c0e
c74873d7b8cc622379ed49bd0b0e477167ae176aa329b01338666ec4c1a4426b
You can use the following CLI command to search for all Quantum samples in our portal:
$ polyswarm link list -f Quantum
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports