Ransomware variants proliferating. Why? Attacks pay off for cybercriminals
Ransomware has been around for several years, now – since 2012, at least. But so far, 2016 has seen this type of malware set its sights on healthcare like never before.
Even more vexing, variants of the virus are evolving at alarming speeds. By the time you read this, there could be half a dozen more newly-identified.
Why? Because it's working.
"Financial success has likely led to a proliferation of ransomware variants," according to a joint alert issued by the The United States Department of Homeland Security and the Canadian Cyber Incident Response Center on March 31.
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
In 2013, ransomware species such as Xorist, CryptorBit and CryptoLocker were set loose in the wild, the alert points out. By the beginning of this year, a new threatening variant – known as Locky – was "observed infecting computers belonging to healthcare facilities and hospitals," propagating itself through spam emails with corrupted Microsoft Office documents with malicious macros.
Next up was Samas, also known as SamSa or samsam, which begain to proliferate in early spring – most notably striking MedStar Health, which was so paralyzed for a time that it was forced to turn away patients. Unlike Locky, Samas takes advantage of vulnerable Web servers to infect the organization’s networks.
Maktub Locker was another ransomware type that made a name for itself in April, insinuating itself through phishing emails with .ZIP-like attachments. Once opened, MakTub encrypts all data and systems connected to the network.
HIMSS Privacy and Security Director Lee Kim said that a ransomware infection can happen quickly, as Maktub is an "all-in-one" attack; other viruses require a downloaded key and send a message "home" to gain access to encrypting tools, she said.
[Special report: Ransomware to get worse, hackers targeting whales, IoT triggers new vulnerabilities]
Another corrupting variant, PowerWare, like Locky, is delivered through an email attachment that resembles a Microsoft Work invoice. But PowerWare does its damage via PowerShell, Microsoft's task automation tool.
For those keeping track: that's seven separate variants of ransomware – many cropping up in the first few months of 2016. As long as cyber crooks can keep finding success attacking hospitals and healthcare organizations, it seems a safe bet there will be more.
"Ransomware has really found its sweet spot in the critical infrastructure of healthcare," said Ben Johnson, chief security strategist, at Carbon Black.
Since hospitals can't afford to have their critical data compromised, he said, executives may even be likely to pay up.
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com