Clearwater Cyber Briefing: Key Trends and Takeaways for December 2024

In today’s ever-evolving threat landscape, staying ahead of cybersecurity risks is more critical than ever for healthcare organizations. That’s why, each month, Clearwater Security delivers a Cyber Briefing, providing a comprehensive digest of the latest news, emerging threats, and key updates from across the healthcare cybersecurity ecosystem. These briefings are designed to equip healthcare leaders with the knowledge and insights they need to safeguard their organizations and stay informed on the most pressing issues.

This session was led by Steve Cagle, Clearwater CEO, and each session highlights the latest cybersecurity threats targeting healthcare, shares expert recommendations on how to mitigate these risks, and reviews real-world incidents with actionable takeaways. Additionally, the briefing covers important regulatory updates, explaining how new standards and frameworks, such as NIST 2.0 and HIPAA, impact the healthcare sector. Following this overview, we feature in-depth discussions with subject matter experts, who dive into the complex challenges healthcare organizations face and offer solutions to strengthen cybersecurity defenses.

Read below for a detailed review of December’s key trends and takeaways.

State of the Sector

New Ransomware Group Targeting Healthcare With New TTPs and Double Extortion 

This year has been a record-breaking year for all the wrong reasons. 

With 2024 inching to a close, OCR has investigated more than 640 breaches affecting more than 172 million healthcare records.  

Even before OCR tallies final numbers for the year, it’s already beating the previous record of 167.7 million record exposures in 2023, which was three times higher than the 56.5 million record exposures in 2022. 

Previously, some industry focus has been on these breaches happening across the supply chain, originating with business associates or health plans and negatively impacting providers, hospitals, and other healthcare services. Increasingly, though, physician groups and specialty service providers are coming under direct attack by threat actors.  

One provider group recently fell victim to a triple ransomware attack that exposed more than 360,000 records. Rocky Mountain Gastroenterology Associates PLLC, the largest gastroenterology group in the Colorado Rocky Mountain region, was left dealing with the repercussions of a triple cyberattack led by RansomHub, Meow, and Trinity, two of which were mentioned in November’s Clearwater Cyber Briefing.

New Ransomware Threats 

While well-known ransomware groups have made headlines over the past year, new ransomware threats targeting healthcare continue to emerge.  

One relatively new threat actor is Embargo Ransomware, which uses a new class of endpoint detection and response (EDR) killer software, MS4Killer, and a loader, MDeployer. 

Among Embargo’s earliest healthcare victims are Memorial Hospital and Manor, an 80-bed hospital and 107-bed long-term care facility in Georgia. Threat actors were able to steal a terabyte of data, resulting in delayed patient care.  

Embargo also hit American Associated Pharmacies. To break free of the ransomware hold, American Associated reportedly paid the attackers $1.3 million to decrypt affected data. Even so, the threat isn’t over. Now, they’re facing another $1.3 million ransom demand to stop the group from exposing exfiltrated data.

These numbers reflect a trend in ransomware payouts, which, on average, have increased to five to six times previous payout amounts.

Embargo’s Tactics, Techniques, and Procedures (TTPs) 

Embargo’s toolkit includes the loader, MDeployer, and the EDR killer, MS4Killer.

MDeployer allows threat actors to deploy MS4Killer. Once inside, they can abuse safe mode and attack vulnerable drivers to disable EDR security controls on an infected machine. These TTPs are customized for each targeted victim’s environment and security solutions. 

And, as we’ve seen with American Associated, they also use double extortion, requiring one payment for decryption and another to prevent them from publicly releasing stolen data.  

Black Basta Ramps Up Attacks

While Embargo is relatively new, another known threat group, Black Basta, has begun to escalate attacks targeting healthcare. 

On Nov. 8, CISA updated its cybersecurity advisory, “#StopRansomware: Black Basta,” releasing new TTPs and indicators of compromise (IoCs).

Most recently, the group has combined email bombing (spamming) with social engineering attacks launched through MS Teams software.  

After spamming a victim’s email, the threat actor then initiates contact with the victim via Microsoft Teams, using the display name “Help Desk.” Less detectable to the average user, the name generally is surrounded by white space characters that force the screen name to center within the chat.

Posing as a help desk technician, the threat actors will then send a QR code or activate MS Quick Assist. From there, they can deploy the loader to launch the malware payload. 

More Phishing Campaigns 

True to threat actor form, other groups and individuals continue to use common phishing tactics to target healthcare. 

On Nov. 19, HC3 sent out a sector alert warning that cybercriminals are using DocuSign’s APIs to send fake invoices to users. They do so by first activating a paid DocuSign account. Once set up, they can alter templates and use APIs to send out fake invoices that appear real, such as a subscription renewal notice from a legitimate antivirus company. 

Once a user e-signs the document, the attackers can then request payment from accounts payable or finance departments. In some cases, they can even authorize payments directly from bank accounts.  

Other Noteworthy Healthcare Attacks 

The FBI says healthcare remains the most targeted industry for cyber-attacks. Some of these increased attacks now use newer techniques to avoid defenses and to increase the opportunity to exploit individuals with social engineering. 

In the past 30 days, some other notable healthcare attacks worth mentioning: 

  • Everest, previously targeting specialty providers and physician practice management groups, is now heavily focused on dental clinics.
  • RansomHub attacked Medical Health Services and Northwest Porter Hospital and has also been active against healthcare targets outside of the U.S.
  • BlackSuit attacked Kapur and Associates, a healthcare consulting service, and has been targeting other consulting firms as well.
  • BianLian attacked Healthcare Management Services and Immuno Laboratories.
  • In September, Great Plains Regional Medical Center, a 62-bed not-for-profit hospital in Oklahoma, fell victim to a ransomware attack that encrypted files and exfiltrated sensitive data, some of which was not recoverable. The threat actor is unknown.

9 Ways to Protect Your Healthcare Organization from Recent Attack Vectors 

As healthcare organizations grapple with the escalating complexity and potential impact of ransomware and other cyberattacks, HIPAA’s call for reasonable and appropriate data security and privacy controls may have never been more imperative.

But blindly choosing and implementing security controls isn’t the answer. While determining which security practices will work best for your healthcare organization depends on a range of factors associated with your unique environment, business goals, and the current threat landscape, there are some best practices every healthcare organization can adopt to protect itself from the potentially devastating consequences of a ransomware attack.

In light of recent TTPs and IoCs, consider: 

  1. Restrict Teams communication to trusted external users. This can prevent unwanted chat messages from reaching end users.
  2. Enable Teams logging.
  3. Search Teams display names that contain “Help Desk.”
  4. Implement aggressive anti-spam policies within email security tools.
  5. Disable use of MS Quick Assist and AnyDesk.
  6. Update security awareness training to incorporate the latest social engineering TTPs.
  7. Ensure your monitoring, detection and response capabilities are sufficient (relative to the adversary).
  8. Remind users to double-check the sender’s email address and any associated accounts for legitimacy. Minor variances are easy to overlook.
  9. Implement strict internal procedures to approve purchases and financial transactions. When possible, involve multiple team members in these processes.
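One way to turn items 2 and 3 above, together with the padded “Help Desk” display name described under Black Basta, into a repeatable check. This is an added example, not Clearwater’s or Microsoft’s code: it runs over constructed sample Teams chat records (the JSON field names are an assumption, not the real Teams audit schema), strips whitespace padding and invisible characters before comparing names, and flags external senders that resolve to “Help Desk” while leaving a genuine internal help desk account alone.

```python
import json
import re
import unicodedata

# Constructed sample chat records (not real Teams audit data). The JSON
# field names are an assumption for illustration, not Microsoft's schema.
SAMPLE_LOG = r"""
{"external":true,"upn":"support-team@outlook.example","display_name":"\u2003\u2003\u2003\u2003Help Desk\u2003\u2003\u2003\u2003"}
{"external":false,"upn":"jane.doe@hospital.example","display_name":"Jane Doe"}
{"external":false,"upn":"helpdesk@hospital.example","display_name":"Help Desk"}
{"external":true,"upn":"it-desk@gmail.example","display_name":"Help\u200bDesk"}
"""

HELP_DESK = re.compile(r"help\s*desk")

def normalize_name(name: str) -> str:
    """Map em spaces, zero-width and other Unicode separators to a plain space,
    collapse runs and casefold, so padding cannot hide the words."""
    chars = []
    for ch in unicodedata.normalize("NFKC", name):
        cat = unicodedata.category(ch)
        chars.append(" " if cat.startswith("Z") or cat == "Cf" or ch.isspace() else ch)
    return re.sub(r"\s+", " ", "".join(chars)).strip().casefold()

def padding_reasons(name: str) -> list[str]:
    """Describe the cosmetic tricks present in a raw display name."""
    reasons = []
    if name != name.strip():
        reasons.append("leading/trailing whitespace padding")
    if any(unicodedata.category(c) == "Cf" for c in name):
        reasons.append("invisible format characters")
    if any(c.isspace() and c != " " for c in name):
        reasons.append("non-standard whitespace")
    return reasons

def analyze(log_text: str) -> list[dict]:
    """One finding per record whose sender looks like an impersonated help
    desk; an internal account genuinely named Help Desk is not flagged."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        raw = rec["display_name"]
        reasons = padding_reasons(raw)
        if rec["external"] and HELP_DESK.search(normalize_name(raw)):
            reasons.append("help-desk name from external sender")
        if reasons:
            findings.append({"upn": rec["upn"], "name": normalize_name(raw), "reasons": reasons})
    return findings
```

Run `analyze()` over an export of your own chat metadata once Teams logging is enabled; the same normalization can feed a scheduled search in your SIEM.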

Have questions or concerns about your organization’s cybersecurity resilience? We’re here to help. Reach out to us at info@clearwatersecurity.com for guidance.

Don’t forget to join our next Cyber Briefing on Thursday, Jan. 9th where we will again review the latest cybersecurity and regulatory developments impacting the healthcare industry. If you’re not already registered for our Monthly Cyber Briefing series, you can learn more and register here: Clearwater Monthly Cyber Briefing.

Take charge of your security – Stay ahead of threats, stay compliant, and stay protected with Clearwater.
