Over the last five years there has been a massive increase in malware threats. According to AV Test (1), in 2016 to date we have already seen over 550 million cases. Ransomware attacks, specifically encryption-based ransomware variants, are up five-fold in the first three months of 2016 compared to the previous year, with over 2.3 million victims according to Kaspersky Labs. (2) With the increase in ransomware attacks comes an increase in the price of the ransom: the average has tripled since the end of 2015 to $649. (3) All of this indicates that a very successful method for committing cybercrime has been established. Ransomware clearly appears to be a problem that is likely to become much worse before it gets better.

Although ransomware affects and is targeted at organisations of all types and sizes, cybercriminals have been setting their sights on the healthcare sector in particular. An Osterman Research report on ransomware, published this August, found that 39% of organisations had experienced a ransomware attack, with healthcare being the most commonly attacked sector. (4)

This year, crypto-ransomware attacks against the healthcare industry have become a significant issue, with several high-profile attacks. Ransoms have run to multiple thousands of dollars and have caused widespread disruption to normal hospital operations, affecting hundreds of thousands, if not millions, of patients.

How Ransomware is Impacting Healthcare

Healthcare is a prime target for crypto-ransomware. In the UK, a Freedom of Information Act request by the NCC Group revealed that 47% of NHS Trusts have been victims of a ransomware attack, including the East and North Herts NHS Trust, which suffered two successful attacks of the ransomware variant ‘Cryptolocker’, most often installed via an infected website. (5) In the US, the situation is much the same as in the UK, with at least 50%, and possibly up to 75%, of hospitals having been victims of ransomware attacks. (6) Most of these attacks have been based on crypto-ransomware. In the US, the crypto-variant ‘Locky’, known for the ‘.locky’ extension it adds to each encrypted file, was responsible for a spike in ransomware infections across the healthcare sector in 2016.

Anatomy of a Locky Infection

Ransomware infections rely on a number of social engineering techniques to establish effective attack vectors. According to PhishMe’s Q1 phishing review, 93% of phishing emails are now focused on installing ransomware. (7) Emails carrying ransomware come in the form of either a malicious attachment or a link to an infected website. There is, however, an alternative to email for the delivery of ransomware, known as ‘malvertising’. This method uses infected, but otherwise legitimate, website ads and videos to initiate an infection, often by redirecting the browser to an exploit kit. In most cases, the malware infection is abetted by existing software flaws or zero-day vulnerabilities.

In the case of the recent spike in Locky infections in the healthcare sector, the vector of choice was email attachments, or more specifically Microsoft Word macro files with the .docm extension. Often the macro is a Visual Basic script, which is the malicious component used to install the malware. It is worth noting, however, that a JavaScript file variant is also common. If the email recipient opens the document, the following cycle of events leading up to the infection unfolds:

  1. The document opens, stating something like “Warning: Macros Have been Disabled, Enable to Continue Editing”.
  2. The user then ‘enables macros’ using the ‘Options’ button – it is this Options button that starts the execution process.
  3. The macro then updates certain registry keys on the machine.
  4. System information is sent to the attacker’s command and control (C&C) server – this allows the C&C server and the affected machine to share the encryption key.
  5. The key is used to encrypt the files on the compromised machine and on any accessible linked drives, using the AES-128 algorithm.
  6. At the same time, Windows OS backup copies are deleted to prevent recovery.
  7. Once encryption is complete, an on-screen pop-up message, or a wallpaper update, appears with instructions relating to the ransom payment (usually in bitcoin).
  8. The ransomware then deletes itself (you hope).
  9. If you pay, you will hopefully receive the encryption key and a decryption tool allowing you to decrypt the files.
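Two points in the chain above give defenders something concrete to check: the macro-bearing .docm attachment at step 1, and the burst of files renamed to ‘.locky’ at step 5. The Python below is an added example, not code from the original article; the OOXML container check relies on the standard `word/vbaProject.bin` part name, while the audit-log format, file paths and usernames are constructed for the demonstration.

```python
import io
import re
import zipfile

# A .docm is an OOXML zip; an embedded VBA project lives at this part name.
VBA_PART = "word/vbaProject.bin"

def has_vba_macro(doc_bytes: bytes) -> bool:
    """True if an OOXML Word document carries a VBA project (macro present)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return VBA_PART in zf.namelist()
    except zipfile.BadZipFile:
        return False  # not an OOXML container (legacy .doc or junk): check separately

def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()

# Constructed file-server audit lines: "<epoch> <user> RENAME <old> -> <new>"
SAMPLE_LOG = r"""
1472000000 jsmith RENAME \\fs01\share\notes.docx -> \\fs01\share\A1B2C3D4E5F60718.locky
1472000005 jsmith RENAME \\fs01\share\labs.xlsx -> \\fs01\share\A1B2C3D4E5F60719.locky
1472000012 jsmith RENAME \\fs01\share\scan.pdf -> \\fs01\share\A1B2C3D4E5F6071A.locky
1472000020 jsmith RENAME \\fs01\share\referral.doc -> \\fs01\share\A1B2C3D4E5F6071B.locky
1472000030 mjones RENAME \\fs01\share\draft.docx -> \\fs01\share\final.docx
"""
RENAME_RE = re.compile(r"^(\d+) (\S+) RENAME (\S+) -> (\S+)$")

def locky_rename_bursts(log_text: str, threshold: int = 3, window: int = 60) -> dict:
    """Map user -> largest number of renames to .locky seen within `window` seconds."""
    by_user: dict = {}
    for line in log_text.splitlines():
        m = RENAME_RE.match(line)
        if m and m.group(4).lower().endswith(".locky"):
            by_user.setdefault(m.group(2), []).append(int(m.group(1)))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            burst = sum(1 for t in times[i:] if t - start <= window)
            if burst >= threshold:
                flagged[user] = max(flagged.get(user, 0), burst)
    return flagged
```

The macro check is what a mail gateway would apply before delivery; the rename-burst check is what a file-server monitor would raise as an alert while encryption is still in progress.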

Note that other ransomware variants, such as the Zepto virus, are also being distributed via malicious Word document macros and are increasingly being seen in the healthcare industry.

Why is Healthcare a Target?

Cybercriminals target the healthcare sector because it is a strongly data-dependent industry that is also seen as a ‘soft target’. Healthcare requires timely access to sensitive data to ensure the best possible care for patients. Moreover, it is a highly regulated industry, which must comply with information security legislation such as the Data Protection Act (DPA) in the UK or the Health Insurance Portability and Accountability Act (HIPAA) in the US. Hospitals are thus put in an impossible position when ransomware puts patients’ health at risk by compromising access to their data. Paying the ransom is often the only option available to achieve immediate remediation of a serious situation.

Preventing Ransomware Infection

In healthcare, as in other sectors, three simple actions can help prevent ransomware infections:

  1. Ensure that all staff are security conscious – this includes being able to identify phishing emails.
  2. Back up essential data on a very regular basis and have a robust recovery strategy in place.
  3. Make sure your software is always up to date – ransomware takes advantage of software flaws, exploiting them to breach your system.


The healthcare industry is highly vulnerable to ransomware attacks, as evidenced by hackers’ focus on this sector. It is unlikely that this lucrative crime will go away any time soon, especially now that new business models such as ‘Ransomware as a Service’ (RaaS) have emerged, making infection kits widely available and easier to use. Paying the ransom provides no guarantee that data will be decrypted, and no guarantee that other malware isn’t installed, waiting to exfiltrate data via the C&C. So the only viable solution to address this problem in the healthcare industry is prevention.


(1) AV Test, Malware Statistics: https://www.av-test.org/en/statistics/malware/
(2) Symantec, Ransomware and Businesses 2016: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
(3) Kaspersky Labs, Virus News: http://www.kaspersky.co.uk/about/news/virus/2016/Crypto-ransomware-attacks-rise-five-fold-to-hit-718-thousand-users-in-one-year
(4) Osterman Research, “Understanding the Depth of the Global Ransomware Problem”, August 2016: https://www.malwarebytes.com/surveys/ransomware/?aliId=13242065
(5) NCC Group, Freedom of Information Request: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/press-releases/2016/august/47-of-nhs-trusts-in-england-admit-to-falling-victim-to-ransomware/
(6) FireEye, Locky Ransomware Distribution, August 2016: https://www.fireeye.com/blog/threat-research/2016/08/locky_ransomwaredis.html
(7) PhishMe, Q1 2016 Malware Review: http://phishme.com/project/phishme-q1-2016-malware-review/