An IBM X-Force report has revealed that the number of healthcare cyberattacks doubled in 2020, with 28% of attacks including an element of ransomware. The huge rise in healthcare sector cyberattacks resulted in the sector jumping from last place to 7th spot, with the finance and insurance sector the most heavily targeted, ahead of manufacturing, energy, retail, professional services, and government, in that order. Healthcare made up 6.6% of cyberattacks across all industry sectors in 2020.
The 2021 X-Force Threat Intelligence Index report was put together using monitoring data from more than 130 countries and incorporated data from more than 150 billion security events a day, with the data gathered from multiple sources such as the IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources including Intezer and Quad9.
The most common way networks were illegally accessed was via the exploitation of weaknesses in operating systems, software, and hardware, which made up 35% of all attacks, up from 30% in 2019. This was just ahead of phishing attacks, which were the starting point in 33% of attacks, up from 31% in 2019.
2020 was the first year since IBM X-Force began releasing its annual threat index reports that the exploitation of flaws was more common than phishing as the initial attack vector, which was largely a result of the worldwide move to a distributed workforce in response to the pandemic.
Around 1 in 5 cyberattacks in 2020 included the exploitation of flaws in Citrix servers, which were deployed to support remote workforces. Out of all attacks involving the exploitation of Citrix flaws, healthcare placed third with 17% of all attacks. Credential theft-linked attacks secured third place in the initial attack vector list and were responsible for 18% of attacks, down from 29% in 2019.
In healthcare particularly, ransomware attacks increased massively. In total, 23% of security events in 2020 included ransomware, up from 20% in 2019. 28% of all cyberattacks on the healthcare sector included ransomware. These attacks often included data theft before file encryption to pressure victims into paying the ransom to prevent the exposure or sale of stolen data. 59% of ransomware attacks in 2020 included the use of this double-extortion tactic.
Sodinokibi was used in 22% of all ransomware attacks. The experts calculated that the Sodinokibi gang's attacks resulted in $123m in ransom payments in 2020. Other highly active ransomware operations were RagnarLocker, Netwalker, Maze, and Ryuk, which each had a share of 7% of the attacks.
Ransomware was the main attack vector, followed by data theft, and server access. Data theft increased 160% year-over-year, with a large proportion of the attacks due to the Emotet Trojan. Server access increased 233% in the past 12 months, mostly involving the exploitation of vulnerabilities and the use of stolen credentials. Remote Access Trojan (RAT) attacks had a notable increase from 2% of attacks in 2019 to 6% in 2020. Business email compromise attacks decreased in 2020, falling from 14% of attacks in 2019 to 9% in 2020. Insider breaches fell from 6% to 5% of attacks, with misconfigurations unchanged, accounting for 5% of attacks.
The second and third most common types of healthcare cyberattacks were server access and BEC attacks, each making up 18% of attacks in 2020. Data theft, insider incidents, and misconfigurations made up 9% of attacks each.
The growth in healthcare sector cyberattacks was mainly due to the industry being heavily targeted by ransomware gangs and by threat actors targeting COVID-19-related research groups. It could have been far more troublesome for the healthcare sector. Security experts identified that the Ryuk ransomware gang was planning a targeted campaign in October that would have seen 400 hospitals have their databases infiltrated. Luckily, efforts by cybersecurity firms and law enforcement agencies kept the levels of attack down to nine out of the 400 hospitals.