HHS Warns Healthcare Sector of Pysa Ransomware Threats

Alert Comes as Health Entities Globally Continue Battling Cyberattacks, Fallout
U.S. government authorities are warning healthcare sector entities of rising threats involving Pysa ransomware and the cybercriminal gang Mespinoza - also known as Gold Burlap and Cyborg Spider - which operates the malware variant.

In an alert, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, warns that since 2018 the cybercrime group Mespinoza has had a history of targeting many industries, including healthcare, and continues to develop its capabilities and increase its targeting frequency.

"Pysa is used to target industries like education, utilities, transportation, construction, business services and, most notably, the healthcare and public health sector," HC3 writes.

"Although the Pysa variant has only been known to be operating since December 2019, it quickly became one of the more prolific threats against healthcare," HC3 says.

"In 2020, it was one of the top ten ransomware variants used to target healthcare … beating out many other well-known variants such as Clop, LockBit, Nemty, RagnarLocker, Avaddon, MountLocker and SunCrypt."

Aggressive Group

HC3 notes that the Geneva, Switzerland-based Cyber Peace Institute, an independent nongovernmental organization, found that Pysa was one of the most aggressive among all ransomware groups in targeting healthcare over the last two years.

"Furthermore, they noted that unlike some cybercriminal groups who made public promises to refrain from targeting healthcare during the pandemic or others who simply didn’t make any statement, Pysa threatened healthcare specifically and then followed through with those promises," HC3 says.

Mespinoza operates a leak site called Pysa’s Partners, which it uses to leverage "name and shame" tactics to apply additional pressure to compel victims to pay ransoms, HC3 says.

Also, unlike many other cybercrime groups of late, Mespinoza is not known to operate as ransomware as a service, HC3 says. The top five countries targeted by Pysa ransomware attackers are the U.S., the U.K., Canada, Spain and Brazil.

"Mespinoza is likely a closed RaaS and targets indiscriminately," says Brett Callow, a threat analyst at security vendor Emsisoft.

"Some of the postings on their leak site are quite juvenile, perhaps indicating that the people behind the operation are on the younger side," he says.

Among healthcare organizations appearing on the Pysa leak website following ransomware attacks over the last year or two were the Las Vegas Cancer Center and Assured Imaging, according to Callow. "[Mespinoza's] other victims include local governments, schools, charities and hospices," he says.

Other Incidents

The HC3 alert about Pysa ransomware threats comes as healthcare sector entities in the U.S. continue to deal with an assortment of ransomware and other cyberattacks, including the fallout of incidents that occurred near the end of 2021.

For instance, as of Monday the Maryland Department of Health still had not fully recovered from a cyberattack detected on Dec. 4. The department has not publicly said whether the incident involved ransomware (see: Maryland Health Department Systems Still Affected by Incident).

On its website Monday, the state's health department said approximately 95% of state-level surveillance data has been restored since the incident. "MDH continues to work to reinstate the full COVID-19 dataset."

The Washington Post on Friday reported that Maryland state health workers still often cannot use their computers, access shared drives and obtain important health data following the December attack.

Maryland Department of Health Statement

The Maryland Department of Health in a statement provided to Information Security Media Group on Monday said the organization is continuing in its recovery efforts.

"Restoring network systems remains a priority for MDH and over the past week, work has continued in this area. Our teams and partners have been working nearly around the clock to ensure that systems supporting health and human safety functions are prioritized for assessment and restoration," the statement says.

"It is important to note that our methodical approach to restoration means that each MDH system that was taken offline must first be assessed before it can be restored or brought back online. This assessment process is critical for protecting the integrity of MDH’s systems and the data they maintain. The criminal investigation into this incident is ongoing. Again, our investigation has found no evidence that confirms data was accessed or acquired as a result of this incident."

In recent days, the Maryland Board of Nursing resumed online licensure and license lookups via its website, the statement says.

"MDH continues to thoroughly assess critical systems involved in the security incident and is identifying processes needed to support restoration. This is a time-consuming process as the incident affected multiple network infrastructure systems. MDH continues to work with law enforcement as well as other federal and state agencies to facilitate the inter-agency response efforts."

The Maryland Department of Health did not immediately respond to ISMG's request for additional details about the incident, including whether it involved ransomware.

"Recovering from a ransomware attack can be complex and very time-consuming - more so than organizations sometimes realize," Callow says. "It’s absolutely critical that recovery and continuity be periodically tested, with the aim of minimizing downtime and disruption."

Global Threats

Meanwhile, it is not just U.S.-based healthcare sector entities that are battling ransomware and other major cyberattacks. The Bangkok Post on Monday reported that about 39 million purported patient records from Siriraj Hospital have been offered for sale on an internet database-sharing forum in what appears to be the latest cyberattack on the country's public health sector.

Also, the Indonesian Health Ministry reportedly said last week that it is investigating an alleged data breach involving one of its centralized servers and reports of potentially 6 million stolen patient records for sale on the dark web.

Taking Action

There are critical steps that healthcare sector entities, including supply chain partners, can take to defend against becoming the next ransomware victim, says Curt Miller, executive director for the Healthcare Supply Chain Association's Committee on Healthcare eStandards.

He says employee training and credential management are critical, and that the IT team needs to make sure it uses network segmentation and whitelisting with zero trust to the greatest extent possible, to reduce the potential risk of access by threat actors.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.