Multiple ransomware families have been used to target the healthcare vertical in the past year. In this report, we cover recently reported attacks on the healthcare vertical leveraging Maui and Quantum ransomware families.
- Disruptions to healthcare entities due to ransomware can result in injury or death of patients.
- US legislators are working on ways to bolster cybersecurity in the healthcare vertical.
- North Korean state-sponsored threat actors used Maui ransomware to target multiple entities in the healthcare vertical.
- Threat actors using Quantum ransomware targeted a third-party payment service provider, accessing healthcare data for over 1.9 million individuals.
According to The Guardian, ransomware attacks on US healthcare organizations have increased 94% since last year. Reporters at The Guardian stressed the dangers of these attacks, as disruption in healthcare operations can result in death or injury due to delayed treatments, ambulances being diverted to other facilities, and equipment failure. They cited a 2019 incident in which a newborn baby born to Teiranni Kidd died from fatal brain damage after a ransomware attack caused heart rate monitors to fail. Agencies and legislators are looking for ways to improve cybersecurity for the healthcare vertical to prevent such incidents. In March 2022, the US Senate proposed a bipartisan bill, called the Healthcare Cybersecurity Act, which would direct CISA and HHS to collaborate on measures to bolster the healthcare vertical’s cybersecurity.
Attack on Boston Children’s Hospital Thwarted
Earlier this year, FBI Director Christopher Wray said the FBI thwarted an attack on a healthcare organization in 2021. The attack targeting Boston Children’s Hospital was carried out by an unnamed Iranian state-sponsored threat actor group. While the malware used was not disclosed, the attack could have resulted in a system-wide shutdown and ransom demands, negatively affecting patient care.
What is Maui Ransomware?
Earlier this month, the FBI, CISA, and the Department of the Treasury released an advisory on North Korean state-sponsored threat actor activity targeting the healthcare and public health (HPH) sector. The advisory stated the FBI has been monitoring multiple Maui ransomware incidents since May 2021. The threat actors used Maui to encrypt servers used for healthcare services, including electronic health records, diagnostic services, imaging services, and intranet services. Some of these incidents led to prolonged disruption of services.
The advisory states the ransomware is an encryption binary designed to be manually executed by a threat actor. The threat actors then use the command line interface to interact with the malware and identify which files to encrypt. Maui’s encryption scheme uses a combination of AES, RSA, and XOR encryption. The agencies were unable to determine the initial access vectors used by the threat actors. Additional information on threat actor attribution was not provided in the advisory.
In June 2022, Silas Cutler at Stairwell released a report on their analysis of Maui ransomware. They noted Maui differs from most commodity ransomware in that it requires manual interaction from the threat actors and does not contain an embedded ransom note or an automated means of transmitting encryption keys to attackers.
What is Quantum Ransomware?
According to Bleeping Computer, Professional Finance Company Inc. (PFC) recently reported information on a February 2022 ransomware attack that affected their systems. PFC is an accounts receivable company used by multiple healthcare organizations for payments. PFC began notifying affected customers of the breach in May, alerting them of data stolen prior to encryption. Sensitive patient information stolen in the attacks included patient names, addresses, payment information, SSN, birthdates, and medical treatment information. PFC publicly released a list of the 657 affected organizations.
While PFC did not release details on the ransomware used in the attack, AdvIntel CEO Vitali Kremez told Bleeping Computer that Quantum ransomware was used in the attacks. According to Kremez, the threat actors moved laterally in the environment using Cobalt Strike and exfiltrated stolen data using command line tools. According to the US Department of Health and Human Services, the data of over 1.9 million individuals were affected by the attack.
Quantum ransomware attacks on other verticals were reported in 2022. In one instance, the threat actors used an IcedID payload contained in an ISO image to compromise the victim machine. PolySwarm reported on IcedID in April. The threat actors used a PowerShell Cobalt Strike beacon for lateral movement and copied the ransomware .exe to each host through the C$ share folder. They used WMI and PsExec to detonate the binary. The total time between the initial compromise to ransom was less than four hours.
Cybereason classified Quantum ransomware as a high severity threat. They have observed the threat actors behind Quantum carrying out full-on RansomOps attacks. They noted the group carries out double extortion attacks, using the Quantum Blog TOR site for leaks. The group claimed at least seven new victims since April 2022. So far, reported ransom amounts range from $150,000 USD to multi-millions.
Quantum ransomware is a rebrand of MountLocker, which was first seen in the wild in September 2020. The group has rebranded multiple times and is also known for AstroLocker and XingLocker ransomware. Quantum ransomware was first observed in July 2021, with the .quantum extension appended to encrypted files. Some of the former members of the Conti group are reportedly involved with Quantum activity. This follows the trend of former Conti operators joining other ransomware and extortion groups, including Hive, AvosLocker, BlackCat, Karakurt, BlackByte, and Bazarcall.
PolySwarm has multiple samples of ransomware families known to target the healthcare vertical.
You can use the following CLI command to search for all Maui samples in our portal:
$ polyswarm link list -f Maui
You can use the following CLI command to search for all Quantum samples in our portal:
$ polyswarm link list -f Quantum
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at firstname.lastname@example.org | Check out our blog | Subscribe to our reports