Arete: Revolutionizing Cyber Risk Management and Incident Response

Arete, working on the front lines of thousands of ransomware attacks and some of the largest nation-state attacks, their team combines hundreds of investigative, technical, and cyber risk management practitioners with best-in-class data and software engineers. They bring a relentless passion for innovation and a commitment to stopping cybercrime, bringing that same passion to positively impact the collective defense of businesses, governments, and infrastructure from cyber criminals and give back to the communities they serve.

Mr Raj Sivaraju is a partner and leads Arete's business in the APAC region with responsibility for setting up and driving long- and short-term goals, defining and managing budgets, and overseeing workforce planning, technology management, operations, and business development activities. Mr Raj brings over 29 years of experience establishing and leading global delivery with large teams, and today, he mentors startup CEOs across multiple industries. Raj holds an MBA from Delhi University.

What factors make healthcare organizations more susceptible to being targeted by ransomware groups?

Several factors contribute to healthcare organizations becoming more susceptible targets for ransomware groups. Firstly, these organizations store sensitive and valuable data, including personally identifiable information (PII), protected health information (PHI), and patient records. Data such as this can be sold on the black market or used for identity theft, making healthcare organizations attractive targets for ransomware attacks.

Secondly, many healthcare organizations need more cybersecurity measures. This deficiency leaves them with weak defenses, making them more vulnerable to data breaches by ransomware groups. Inadequate network security, outdated software, weak passwords, and limited employee training in cybersecurity best practices contribute to the heightened risk.

Moreover, healthcare organizations often face IT resource limitations. Their budgets and allocated resources for IT infrastructure and cybersecurity are typically smaller than those of other sectors. This can lead to outdated systems, delays in applying security patches, and inadequate staffing to address cybersecurity threats effectively.

Additionally, healthcare organizations must adhere to various regulatory standards, like the Health Insurance Portability and Accountability Act (HIPAA) in the United States. The emphasis on compliance can divert attention and resources from implementing comprehensive cybersecurity measures, making these organizations more susceptible to attacks.

Lastly, healthcare operations' urgency and critical nature make ransomware attacks particularly damaging. In healthcare settings, such attacks can have immediate and critical consequences, disrupting patient care and potentially causing harm or loss of life. Threat actors exploit this urgency to pressure organizations to pay the ransom.

Are there any specific vulnerabilities or weaknesses in the healthcare sector that make it an attractive target for ransomware attacks?

The healthcare sector possesses specific vulnerabilities and weaknesses. For instance, its reliance on legacy systems and outdated medical devices often runs on unsupported software with unpatched vulnerabilities. These factors heighten susceptibility to ransomware attacks. Moreover, the sector's diverse range of employees with varying technical expertise can lead to human errors. Falling victim to phishing emails or clicking on malicious links can introduce ransomware into the organization's network.

Additionally, the healthcare sector operates within a complex ecosystem involving interconnected systems like electronic health records (EHRs), medical devices, and third-party vendors. This intricate network expands the attack surface, providing ransomware groups with multiple entry points to exploit.

The critical nature of healthcare operations further increases the allure of ransomware attacks. Healthcare organizations require uninterrupted access to patient data and systems for essential care delivery. Threat actors capitalize on this dependence and may threaten to disrupt operations or compromise patient safety, raising the likelihood of payment.

What are the current trending ransomware strains affecting the healthcare sector in India?

Some prominent ransomware strains affecting healthcare organizations globally include Ryuk, Maze, REvil, and Conti. These threat actors demand substantial ransoms for decryption keys, placing healthcare institutions in a dilemma between paying the ransom and risking the loss of critical patient data and operational disruptions. Moreover, certain ransomware strains, like Maze, employ the "double extortion" tactic, threatening to leak sensitive information to increase pressure on the affected organizations.

What is the effectiveness of having an EDR (Endpoint Detection and Response) platform in decreasing the likelihood of payment in the healthcare sector?

Organizations with an EDR platform generally pay a lower percentage of the demanded ransom and are less likely to pay than those without EDR. Specifically, these organizations pay around 30.5% of the demanded ransom and have a 52.2% likelihood of paying. By detecting and responding to threats at the endpoint level, an EDR platform can help identify and mitigate ransomware attacks before extensive damage occurs, minimizing the necessity for payment.

Can you provide details on the specific characteristics and techniques of these trending ransomware strains in the Indian healthcare sector?

Ransomware strains employ a range of techniques to infiltrate systems and encrypt data. Common characteristics and methods observed in ransomware attacks include social engineering, phishing emails, malicious attachments or links, exploiting remote desktop protocol (RDP) vulnerabilities, and exploiting compromised or weak credentials.

The initial access technique holds significant importance for Arete's incident response team, as the success of subsequent actions depends on the threat actors' ability to introduce malware into the victim's environment effectively. Phishing is the most prevalent method for introducing ransomware into healthcare organizations, accounting for 50.5% of cases. Other primary methods for initial access, such as valid accounts, drive-by compromise, external remote services, and media replication, are less frequently utilized, ranging from 14.1% to 33.3% of cases.

How have healthcare organizations in India responded to the recent surge in ransomware attacks?

Many healthcare institutions are investing in enhancing their cybersecurity infrastructure in response to the growing threat. They are adopting advanced threat detection systems, firewalls, and encryption technologies to safeguard sensitive patient data and critical systems from ransomware attacks. Additionally, healthcare organizations are developing comprehensive incident response plans to handle ransomware incidents effectively. These plans outline steps during an attack, including isolating infected systems, data restoration processes, and communication protocols.

Furthermore, regular and secure backups of critical data are now a priority, ensuring quick data recovery without succumbing to ransom demands. This proactive approach aims to minimize disruption and protect patient care while reducing the potential financial impact of ransomware attacks.