On May 5, 2022, the U.S. Department of Health and Human Services (HHS) issued a report entitled “Ransomware Trends in the HPH Sector” (HHS Report) that reviewed key cybersecurity threats and trends affecting the U.S. healthcare sector.
Key takeaways from the HHS Report include:
- The five most active ransomware groups that are focusing on selling their Ransomware as a Service platform are Lockbit, Conti, SunCrypt, ALPHV/Blackcat and Hive.
- Certain ransomware groups are taking a political stance in the Russia- Ukraine conflict, including the ransomware gang Conti, which has openly sided with the Russian government.
- There has been a noticeable decrease in the time it takes for the malware launched by these gangs to infect a victim’s systems – specifically, ransomware attacks that previously took five days to fully infect a system now can take less than two days.
The HHS Report also discusses the troubling return to prominence of the use by malicious actors of the “Living off the Land” cyberattack (LOTL). LOTL attacks first were utilized with frequency in approximately 2013, and they involve threat actors who use system tools supplied by the host operating system – which are normally used for legitimate purposes – to help launch ransomware and other malicious cyberattacks. LOTL are considered “fileless” attacks and, because of the fact that they utilize tools from the host operating system, they are much more likely than a traditional malware attack to go undetected before doing substantial damage.
LOTL attacks focus on threat techniques that are not typically written to a hard drive. They focus on tools that stay in “volatile memory.” When data is written to a hard drive, it remains resident even after the computer or device is turned off. The specific data remains on the hard drive once the device is turned back on. Volatile memory, however, can only store data during the time when a device is powered and turned “on.” Once the device is powered off, the data stored in the volatile memory is generally lost and unrecoverable to the average user.
According to the HHS Report, malicious actors involved in perpetrating LOTL attacks are increasingly leveraging legitimate operating system tools during ransomware intrusions. The tools that are utilized include:
- Remote Access Tools
- Encryption Tools
- File Transfer Tools
- Microsoft Sysinternals Utilities
- Open-Source Tools
Many of the tools noted below that are used in LOTL attacks are organic to a Windows-based environment. These include:
- Task Scheduler
- Team Viewer
LOTL attacks subvert these internal tools and use them nefariously as they circumvent the victim network. The attacks are difficult to detect because the tools themselves are not malignant per se. They are developed by the software designer to help a user in the Windows environment. LOTL attacks are dangerous because the malicious actors who use them are finding ways to take these internal, seemingly benign, processes and use them as part of their attack matrix as they move around the victim system or network.
Threat actors benefit from LOTL attacks because the attacks are less likely to flag and alert endpoint detection tools. In addition, LOTL attacks provide better camouflage to threat actors, allowing them to blend in with normal administrative tasks while performing reconnaissance on the targeted systems.
The return to prominence of LOTL attacks is a potentially dangerous threat which businesses should consider and plan for when working on their overall cyber hygiene and cybersecurity defenses.