How Patient Data is Fueling Dark Web Markets, Extortion

February 9, 2021

VMware Carbon Black Head of Global Communications Samantha Mayowa discusses how “secondary infections” are being used to facilitate long-term cyberattack campaigns across the digital healthcare supply chain during the COVID-19 pandemic. This has allegedly led to a surge in extortion and helped fuel demand for patient data on dark web markets.

By Samantha Mayowa

On the frontline of the pandemic, perhaps no industry was impacted and forced to innovate and transform as quickly as healthcare in 2020. Whether it was the rapid development of COVID-19 testing technology or the explosion of telehealth, healthcare organizations accelerated digital transformation in record time. But with these innovations came new and unprecedented security vulnerabilities that cybercriminals quickly looked to exploit and profit from.

To help understand the state of healthcare cybersecurity, we looked back at 2020 and found that there were 239.4 million attempted cyberattacks targeting VMware Carbon Black healthcare customers. We also found an average of 816 attempted attacks per endpoint in 2020, a staggering 9,851% increase from 2019. The surge in attacks began as early as February just as the pandemic started to spread worldwide. From January to February, the number of attempted attacks shot up by 51% as cybercriminals set their sights on vulnerable healthcare organizations that were navigating tremendous changes in the way they operate and treat patients.

In the latter half of the year, we saw the attempted attacks per endpoint peak with an 87% increase from September to October.

According to VMware Principal Cybersecurity Strategist Rick McElroy, the timing of this significant spike corresponds with the October alert from the Cybersecurity and Infrastructure Security Agency (CISA), which warned of increased cyberattacks by a Ryuk ransomware gang specifically targeting healthcare organizations.

“Amid the pandemic, cybercriminals now have limitless attack methods. Whether it’s using tried and true malware like EMOTET or using BitLocker to ransom systems, malicious actors continue to gain ground. The FBI, Department of Homeland Security, and other federal agencies have all issued warnings about the surge in cyberattacks against healthcare organizations,” says McElroy.

We are now also seeing “secondary infections,” leveraged to facilitate long-term cyberattack campaigns, happening across the digital healthcare supply chain. These have led to a surge in extortion and helped fuel the cybercrime market. Our research found protected health information (PHI) being bought and sold on dark web markets as cybercriminals look for the easiest way to cash in on stolen data.

In 2020, we saw ransomware go mainstream. Its wide-reaching impact has been assisted largely by ransomware-as-a-service (RaaS): many ransomware groups now license their payloads, making the deployment of ransomware easily accessible to millions of cybercriminals who previously lacked the tools to carry out these attacks. Compounding these risks is the advent of affiliate programs run by ransomware groups, which give malware operators new and unique ways to have others deploy their payloads in exchange for a cut of the eventual profits.

Throughout 2020, we have seen the use of ransomware expand, with some threat actors repurposing ransomware as pure wipers, where no decryption key exists that can recover the lost data, and more recently in Denial-of-Service (DoS) attacks impacting core services that citizens rely on every day. There is no sign of these groups slowing down. In fact, we are witnessing the exact opposite: groups are beginning to collaborate at an unprecedented scale, share stolen resources, and even combine forces.

According to VMware Senior Cybersecurity Strategist Greg Foss, COVID-19 test results are a hot commodity on the dark web right now, mostly in the form of large data dumps.

“An interesting component around today’s ransomware attacks is that underqualified, lesser-known cybercriminal groups are behind them thanks to the rise in RaaS. All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it’s unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware. As RaaS explodes in popularity on the crimeware forums, cybercriminals are finding new and unique ways to deploy ransomware across organizations. Similar to how spies are recruited for espionage against government agencies, regular everyday people with access to high-value targets can be recruited to deploy malware. Often, they are lured through offers of significant sums of money or even a percentage of the ransomware payout, with some offering hundreds of thousands of dollars per victimized organization,” says Foss.

Affiliate programs and partnerships between ransomware groups have also become a common occurrence alongside the general recruiting of insiders. These affiliate programs look to partner with initial access brokers, criminals who specialize in breaking into organizations and then sell that direct access, and with other ransomware gangs, in order to improve their tradecraft and further their reach and overall profitability.

Ed. Featured image courtesy of Photo by EVG Culture.
