ClearDATA’s Healthcare Threat Advisory – Evil Corp
American healthcare organizations are frequent targets of cyberattacks – and as we have discussed in a previous article on Russian State-Sponsored Cyber Aggression – increasingly sophisticated attackers are committing these cybercrimes. Although hacktivists and lone wolf hackers still pose risks, a growing number of threats have been observed originating from highly organized multinational groups with significant resources at their disposal. Our intention in this article is to apprise the healthcare industry of such potentially imminent cyberattacks – and how you can defend against them.
In a recent brief, the HHS Health Sector Cybersecurity Coordination Council (HC3) advised the American healthcare industry to prepare for heightened aggression by notable Russian cybercriminal syndicate “Evil Corp”.
Evil Corp Background
Evil Corp is the current iteration of the group first known as Indrik Spider, which has been active since as early as 2014. Evil Corp is reportedly led by Russian national and noted cybercriminal Maksim Yakubets. The FBI has associated Yakubets with a variety of ransomware gangs and identified him as the primary creator of the “Dridex” banking trojan, which stole over $100 million USD from financial institutions.
According to HC3, Evil Corp continues to represent a significant threat to the American healthcare industry because of its historical targeting of the industry and its extensive use of ransomware. Because the American healthcare industry is especially prone to ransomware threats – largely because patient PHI can be sold for up to $1000 per record to malicious actors – healthcare companies need to monitor potential emergent threats from Evil Corp with a vigilant eye. In addition, HC3 has advised, “It is entirely plausible that Evil Corp could be tasked with acquiring intellectual property from the U.S. health sector using such means at the behest of the Russian government.”
Evil Corp Threat Patterns
One of the defining characteristics of Evil Corp is that its operations are highly scalable and adapt to the different environments they are deployed against. Some of the primary identifying tactics, techniques, and procedures (TTPs) for Evil Corp appear at the initial access stage: access token impersonation/theft, web protocols, phishing, and exploitation of vulnerabilities in web applications.
Evil Corp has utilized a variety of malware, including the banking trojans Dridex and Zeus and the ransomware families Bitpaymer, WastedLocker, Hades, and PhoenixLocker.
- Dridex: Dridex was initially developed as one of the most ubiquitous financial trojans. It has evolved into a powerful general-purpose information stealer with dynamic command and control capabilities, backdoor tactics, and other post-exploitation functionality, including dropping additional malware. Dridex was previously known as Bugat.
- Zeus: Zeus is one of the oldest banking trojans, active as early as 2007 (some report as early as 2005). Because its source code leaked in 2011, several variants have since been developed, and their sophistication has improved. Original versions of Zeus can be detected by any number of signature-based detection technologies; however, the code remains publicly available and new variants continue to be developed.
- Bitpaymer: Bitpaymer, also known as Doppelpaymer and FriedEx, is ransomware developed by Evil Corp. It has been in operation since 2017, is frequently dropped by Dridex, and shares code similarities with it.
ClearDATA’s own Cyber Threat Intelligence Unit, composed of cybersecurity professionals with significant red-team expertise, assesses the likelihood of a potential threat with medium to high confidence.
Although we cannot state with certainty that these attacks are being committed under the direction of the Russian government, it stands to reason that the financial rewards of a successful ransomware attack would encourage groups such as Evil Corp to target American healthcare companies. In addition to theft of lucrative healthcare intellectual property, the extraction of immutable and highly sensitive patient PHI that can be leveraged against the American population is a likely threat vector for an adversarial nation-state like Russia. Not only can they collect data on American healthcare patients to inform potential threats against American interests, but this data can also be sold for significant financial gain.
Defending Against Cyber Threats
Evil Corp attacks vulnerable entities through myriad threat patterns, often modifying its tactics, techniques, and procedures (TTPs) to adapt to environment-specific opportunities and avoid attribution. As a result, it is difficult to distill an exhaustive list of defenses against these potential cyber threats into a single article. However, here are the immediate, actionable defenses your healthcare organization (HCO) can implement to protect against impending cyber threats.
Short Term Actions:
- Examine your networks and update firewall configurations with the latest guidance from CISA, the FBI, and your firewall vendor.
- Consult your data maps and fortify systems that transmit, store, or process sensitive data.
- Regularly scan your assets and patch vulnerable systems.
- If you’re running unnecessary assets, shut them down.
- Rotate passwords for all users and, where possible, service accounts and keys.
- Make sure you implement multi-factor authentication – ASAP.
- Make sure your data and your applications are backed up to a safe location separate from your production systems.
- Share with your workforce how to identify threats, including avoiding phishing attacks and malware.
- Eliminate the use of end-of-life systems that no longer have manufacturer support.
- Use hardened compute images devoid of unnecessary open ports, services, and software.
- Hire more cybersecurity talent or find a great partner to help in this area.
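The asset-scanning and hardened-image items above are easiest to keep honest with an automated check that runs on every host and fails when a listener appears that the image role does not expect. The following is an added example, not ClearDATA's own tooling or anything from the HC3 brief: it parses `ss -Hlntu` output (assumption: a Linux host with iproute2) and compares each listening socket against a per-role allowlist. The sample output and the allowlist for a hypothetical "web" role are constructed for illustration.

```python
"""Audit listening sockets on a host against a per-role allowlist.

Added example for the "hardened compute images" and "regularly scan
your assets" guidance; it is not ClearDATA's tooling. It reads the
output of `ss -Hlntu` (Linux, iproute2; -H drops the header, -l lists
listeners, -n skips name resolution, -t/-u select TCP and UDP) and
reports any listener whose (protocol, port) is not on the allowlist.
"""
from __future__ import annotations

import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp" as printed in the Netid column
    addr: str    # local bind address, e.g. "0.0.0.0" or "[::]"
    port: int


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -Hlntu` lines: Netid State Recv-Q Send-Q Local:Port Peer:Port."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        # rpartition keeps IPv6 literals such as "[::]:22" intact.
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # e.g. a wildcard "*" port, which is not a bound listener
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def unexpected_listeners(
    listeners: Iterable[Listener], allowlist: Set[Tuple[str, int]]
) -> List[Listener]:
    """Return listeners whose (proto, port) the image role does not allow."""
    return [l for l in listeners if (l.proto, l.port) not in allowlist]


def audit_host(ss_output: str, allowlist: Set[Tuple[str, int]]) -> List[Listener]:
    """Parse and audit captured `ss` output; returns the offending listeners."""
    return unexpected_listeners(parse_ss(ss_output), allowlist)


def audit_live_host(allowlist: Set[Tuple[str, int]]) -> List[Listener]:
    """Run `ss -Hlntu` on this machine and audit the result."""
    result = subprocess.run(
        ["ss", "-Hlntu"], capture_output=True, text=True, check=True
    )
    return audit_host(result.stdout, allowlist)


# Constructed allowlist for a hypothetical "web" image role: HTTPS plus SSH.
WEB_ROLE_ALLOWLIST: Set[Tuple[str, int]] = {("tcp", 443), ("tcp", 22)}

# Constructed sample of `ss -Hlntu` output; RDP and SNMP should not be
# listening on a hardened web image.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp   LISTEN 0 511 0.0.0.0:443  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:161  0.0.0.0:*
tcp   LISTEN 0 128 [::]:22      [::]:*
"""

if __name__ == "__main__":
    for bad in audit_host(SAMPLE_SS_OUTPUT, WEB_ROLE_ALLOWLIST):
        print(f"UNEXPECTED {bad.proto}/{bad.port} bound on {bad.addr}")
```

Run against the constructed sample, the audit flags tcp/3389 and udp/161; on a real host, call `audit_live_host` with the allowlist for that host's role and treat a non-empty result as a failed build or a ticket to investigate. Maintaining one allowlist per image role (rather than per host) is what keeps the check aligned with the "hardened image" goal rather than drifting toward whatever each machine happens to be running.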
Proactive Defense – Now and Into the Future
ClearDATA is the leading public healthcare cloud security partner. With hundreds of healthcare clients in the United States, we have the expertise and visibility to help your HCO remain safe from potential cyber threats. Reach out to our team today for a second opinion on how you’re currently securing your IT infrastructure, or for help protecting against the next wave of threats.