Everest, a Russian-speaking ransomware group, has targeted entities like NASA and the Brazilian government. Now, they're focusing on the healthcare sector, leaving medical institutions struggling with the aftermath of their attacks.
What happened
The Everest ransomware group has been steadily increasing its focus on the healthcare industry since 2021, according to a recent bulletin by the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS). The group is known for its sophisticated tactics, which include using legitimate cybersecurity tools like Cobalt Strike to facilitate their malicious activities.
Going deeper
According to the HC3 report, Everest has been responsible for at least 20 health sector incidents from April 2021 to July 2024, with medical imaging providers being among their primary targets. The group's ransomware attacks have resulted in disruptions to patient care, financial damages, and reputational harm that can take years to overcome.
One of Everest's most recent high-profile targets was a New York-based surgery center with an annual revenue of $17 million. The attackers claimed to have exfiltrated more than 450 GB of data, including details about the center's physicians and patients, including personal and medical records. The Everest group gave the victim 24 hours to initiate negotiations, threatening to publicly disclose the stolen data if their demands were not met.
What was said
The American Hospital Association's national advisor for cybersecurity and risk, John Riggi, has warned healthcare organizations to be vigilant against the Everest group's tactics. He has advised them to set network monitoring tools to alert for Cobalt Strike activations and implement the recommended mitigations included in the HC3 threat actor profile.
The FBI has also provided specific recommendations for healthcare organizations to counter the threat of ransomware attacks, such as thoroughly reviewing their cybersecurity infrastructure, employee training procedures, and incident response plans. These measures include maintaining appropriate credentials and passwords, using two-factor authentication, staying up-to-date on data backups, and disabling unused remote access/RDP ports.
Why it matters
The Everest ransomware group's targeted attacks on healthcare aren't just another cybersecurity issue—they're a direct threat to the lifeline of medical institutions. These attacks can halt surgeries, compromise patient records, and expose sensitive data to public scrutiny, with consequences that extend far beyond financial loss. Healthcare providers must act swiftly to strengthen their defenses, recognizing that the stakes involve both the safety of patients and the operational viability of their facilities. The lessons from Everest's tactics are clear: without advanced and vigilant cybersecurity, the very core of patient care is at risk.
FAQs
What is ransomware?
Ransomware is malware that holds a victim's data hostage by encrypting it or restricting access to the system. The attackers then demand a ransom in exchange for the decryption key or the restoration of system access.
What can organizations do to protect themselves from ransomware attacks?
Experts recommend a multi-layered approach to ransomware defense, including people-focused initiatives, advanced processes, and the deployment of the latest security technologies. Proactive measures to prevent initial access and minimize attack surfaces are necessary in the fight against these threats.
How can the cybersecurity community respond to the growing ransomware crisis?
Collaboration, information sharing, and the development of new defensive strategies will be fundamental in the ongoing battle against ransomware. Governments, security vendors, and organizations must work together to stay ahead of the constantly changing tactics employed by cybercriminal groups.
Farah Amod
