CYFIRMA Industry Report : HEALTHCARE

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the healthcare industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the healthcare industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the healthcare industry.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
 
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.

OBSERVED ATTACK CAMPAIGNS

• Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
• Each attack campaign may target multiple organizations across various countries.
• Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
• Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

• Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
• Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.

RANSOMWARE

• Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
• In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
• During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
• Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
• Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

Advanced Persistent Threat Attack Campaigns
Healthcare organizations featured in 1 out of the 9 observed campaigns, which is a presence in 11% of campaigns.

Observed Campaigns per Month

The monthly chart shows a single observed campaign in August and underscores a significant drop in active campaigns since the spike observed in July.

Suspected Threat Actors

Stone Panda is a suspected threat actor behind the August attack campaign. Mission2025 is a nexus of Chinese APT activity, which overlaps with Stone Panda attributions.

GEOGRAPHICAL DISTRIBUTION
Europe is again taking the lead as the most attacked region. Our hypothesis is related to Russian linked threat actors, aiming at energy utilities in relation to war with Ukraine.

Victims of the same attack campaign were recorded in 11 different countries.

TOP ATTACKED TECHNOLOGY

The attack campaign focused on attacking application security software and web applications.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

 
Recent monthly activity has shown a notable decline, following a surge in the summer, attributed to threat actors from North Korea and China. Over the past 90 days, only nine new campaigns have been uncovered. Analysis of long-term data indicates a cyclical trend: the emergence of new Tactics, Techniques, and Procedures (TTPs) lead to an uptick in identified campaigns, followed by quieter periods. However, it’s presumed that threat actors remain active, potentially undergoing a temporary hiatus or utilizing yet undetected TTPs.
 
Regarding suspected threat actors targeting healthcare organizations, the single observed campaign has been attributed to Stone Panda – a Chinese nation-state APT. However, it’s reasonable to assume the ongoing activity of North Koreans and notorious ransomware-linked groups like FIN7, FIN11, and TA505.
 
Geographical impact insights are limited due to the observation of only one campaign. Yet, the long-term data from the previous 90-day report suggests a correlation with countries known for their healthcare industries, including the growing Indian healthcare industry, or lesser-known, yet significant Czech pharmaceutical manufacturing.
 
The primary technologies targeted among healthcare victims were application security software and web applications.

PHISHING ATTACKS IN THE HEALTHCARE INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry recorded 77 phishing campaigns out of a total of 218,711 that involved the healthcare industry, which amounts to 0.03% of observed campaigns.

Since there are consistently little wider phishing attack campaigns impersonating the healthcare sector, it is not tracked as a category.

Global Distribution of Phishing Themes per Sector

Observed Campaigns Breakdown
Out of 77 observed campaigns, 60 were impersonations of French Health Insurance, which is also the only healthcare organization observed to be impersonated.

Experimental tagging of intended recipients showed the following phishing themes used against healthcare organizations.

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator : Low

The healthcare industry doesn’t seem to be an ideal phishing lure or a lucrative target. Its fragmented structure, including drug manufacturing or research and development, makes it unsuitable for widespread internet or nationwide phishing campaigns. Despite holding substantial personal information that could interest cybercriminals, this data is scattered across various patient records rather than centralized in a single database, unlike the financial industry.
 
As we saw in the data, the only impersonated organization that matched healthcare was French Health Insurance, which fits more into the financial industry than healthcare.
 
Additionally, targeting healthcare organizations attracts significant attention from law enforcement, a risk that many cybercriminals prefer to avoid. Lastly, some cybercriminals have ethical boundaries and refrain from attacks that directly harm people.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 161 verified ransomware victims within the healthcare industry sectors. This accounts for 9.7% of the overall total of 1,766 ransomware incidents during the same period.

The Monthly Activity Chart

Monthly trends show consistent numbers across months with a significant spike in September.

Breakdown of Monthly Activity by Gangs

A breakdown of the monthly activity provides insights in per-group activity. For example, Cl0p gang recorded victims only in August, whereas LockBit3 has been consistently active, and ALPHV dominated in September and November.

Ransomware Victims in the Healthcare Industry per Group

In total 35 out 55 groups recorded healthcare organization victims in the past 90 days. The top 5 are responsible for half of them.

Comparison to All Ransomware Victims by Group (Top 25)

Compared to all recorded victims in the same time period we can clearly see ALPHV focusing on healthcare, with 26 out of 134 (19.4%) victims being healthcare organizations.

Geographic Distribution Of Victims

The heatmap of geographic distribution illustrates the global reach of ransomware across continents.

Total Victims per Country

In total 25 countries recorded healthcare industry ransomware victims with the US alone accounting for ~64% of all victims with identified geography.

Sectors Distribution

Listing all sectors matched under the healthcare industry umbrella shows victims across sectors, including many niches.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator : High

The healthcare industry stands out as one of the most targeted sectors, accounting for approximately 10% of all ransomware victims. Consistent monthly cyber activity reveals a substantial volume of attacks, notably peaking in September. A closer look at responsible groups highlights the Cl0p gang’s rampage in August, while ALPHV made a significant contribution to the spike in September. Concurrently, LockBit3, NoEscape, and 8Base have displayed sustained interest and a high number of victims over the past 90 days.
 
Analysis of victim counts per group indicates that large gangs are responsible for most of the healthcare industry victims with the top five accounting for half of them. Notably, ALPHV appears particularly focused on this sector, with approximately 20% of their victims over the last 90 days being healthcare organizations. Moreover, data shows high participation of mid to small-size gangs, with 35 out of 55 active groups recording victims in this industry.
 
Among the 129 victims with identified geographical locations spanning 25 different countries, the United States emerges as the most affected, recording 83 incidents, followed by Italy, Germany, and Brazil.
 
For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

Within the healthcare industry’s cybersecurity landscape, ransomware remains a very high threat, with every one out of ten of all victims being healthcare organizations. Data shows 20% of ALPHV victims in the last 90 days being in this industry, suggesting high focus.
 
On the other hand, phishing campaigns present a low risk in this sector. The healthcare industry’s fragmented structure and the potential for law enforcement involvement serve as deterrents for cybercriminals, leading them to target sectors perceived as less risky and more profitable.
 
While recent months suggest a decline in APT campaign activity, signaling a potential pause in known tactics, interest from Chinese APTs persists. Financially motivated threat actors, especially those linked with major ransomware groups like FIN7, FIN11, and TA505, remain significant concerns in this industry.