Feds Warn of Evil Corp Threats Facing Healthcare SectorHHS HC3: Russian Cybercrime Gang Has History, Powerful Malware, Ties to Other Gangs
Federal authorities are sounding the alarm for the healthcare industry over Russian cybercrime gang Evil Corp, warning that the group has a wide set of highly capable tools at its disposal for taking healthcare data hostage.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a threat advisory warns the healthcare sector that the gang, best known for developing Dridex malware, "has been exceptionally aggressive and capable in their more than decade of global hacking operations."
The Department of the Treasury sanctioned the group, also known as UNC2165, along with Gold Drake and Indrik Spider in 2019. The Department of State offers a $5 million bounty for information leading to the arrest and conviction of the gang's leader, Maksim Yakubets. Speculation exists that the group is a front organization for Russian intelligence, but it indisputably has stolen large sums of money since starting operations in 2009 - at least $100 million, according to government estimates.
A Pennsylvania federal grand jury indicted Yakubets in 2019 (see: Two Russians Indicted Over $100M Dridex Malware Thefts).
Many Evil Corp-related groups and malware variants have targeted the health sector aggressively. "Ransomware is one of their primary modus operandis as they have developed and maintained many strains," HHS HC3 writes. Many ransomware operators have found the health sector to be an enticing target since medical practitioners often prefer paying a ransom over disrupting patient care.
Healthcare sector organizations are also particularly susceptible to patient data theft for sale by cybercriminals on the dark web, HHS HC3 says.
Also, "foreign governments often find it to be more cost-effective to steal research and intellectual property via data exfiltration cyberattacks rather than invest time and money into conducting research themselves. This includes intellectual property related to the health sector."
"It is entirely plausible that Evil Corp could be tasked with acquiring intellectual property from the U.S. health sector using such means at the behest of the Russian government," the advisory says.
Cybercriminal groups like Evil Corp have become only more potentially dangerous in the months since Russia's invasion of Ukraine, says Adam Flatley, director of threat intelligence at security firm Redacted.
"They are more serious because Russia may choose to use these groups as a way to attack the West without direct attribution to the Russian government as a punishment for Western sanctions tied to the war," he says. They are also harder to combat because Russia is willfully sheltering these cybercriminals and without a willing law enforcement partner, the most common effective options for dealing with these groups are off the table, he says.
In addition to its in-house-coded Dridex multipurpose malware, Evil Corp also has access to prolific malware variants such as Trickbot and Emotet, as well as major ransomware operations such as Ryuk.
One of Evil Corp.'s most notable healthcare sector attacks was a ransomware assault on NHS Lanarkshire - part of Britain's National Health Service - which affected several Scottish hospitals in 2017, HHS HC3 says (see: Scottish Hospitals Hit by Bitpaymer Ransomware).
Varied TTPs, Mitigations
Because Evil Corp has operated a number of prominent malware and ransomware variants, the tactics, techniques and procedures it leverages are extensive, HHS HC3 says.
"They have a wide variety of technical capabilities due to both their in-house capabilities as well as the relationships they have with other cybercriminal groups," HHS HC3 says. Evil Corp operators often leverage phishing as well as the use of legitimate security tools and "living off the land" techniques, the advisory says.
Also, because the group's tactics and techniques vary widely, so does the full list of recommended defense and mitigation steps, the alert says.
Nonetheless, HHS HC3 refers to an alert from the Cybersecurity and Infrastructure Security Agency containing mitigations against Dridex that recommends entities take steps such as:
- Ensuring systems are set by default to prevent execution of macros;
- Updating intrusion detection and prevention systems frequently to ensure the latest variants of malware and downloaders are included;
- Conducting regular backup of data;
- Maintaining up-to-date antivirus signatures and engines and keeping operating system patches up to date;
- Disabling file- and printer-sharing services when possible, as well as unnecessary services on agency workstations and servers.