Ransomware is back, healthcare sector most targeted
In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted in comparison with Q1 2022, dropping the final nail in the coffin for the “truce” some criminal groups instituted earlier in the COVID-19 pandemic. Ransomware helped to fuel this uptick against healthcare as attacks increased this quarter to once again became the top threat, followed closely by email compromise.
While phishing continued to be the vector used for initial access, there was a vast increase in external remote services (such as VPNs and RDP environments) being compromised, up 700%. This indicates a growing vulnerability in the remote environments many of us now rely on.
Key findings
- 90% increase in number of healthcare organizations targeted compared to Q1, 2022
- Ransomware incident most likely to begin by an external remote service being compromised in Q2
- External remote services as an initial access method for attackers was up 800%, and CVEs were exploited 70% more for initial access in Q2
- Conti was associated with only 18% of attacks in Q2 compared with 20% in Q1 and 35% in Q4, while Black Basta rose from 0 to 13% of all incidents in this quarter alone.
Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll said: “It is concerning to see healthcare rise so dramatically up the most targeted industry list, at a time when services are undoubtedly still under pressure as they recover from the strained environment caused by COVID-19. Ransomware is always disruptive, but its ability to grind company operations to a halt, becomes more significant in an environment where business continuity means saving lives.
“The legacy of the pandemic can perhaps also be seen in the vulnerability of external remote services. In Q2, we saw many ransomware groups take advantage of remote environments by using security gaps in those tools to compromise networks. All organizations – and especially those in healthcare – would do well to test the resilience of their external remote services and preparedness for ransomware in light of this latest report.”