Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry

Stoel Rives - Global Privacy & Security Blog®

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.

Used primarily as "banking Trojans" to steal credentials and financial information, these intrusive Trojans replicate and spread quickly. Emotet is polymorphic (its code changes from sample to sample), which makes it difficult for traditional signature-based antivirus to detect. It worms its way through a network, generally sending phishing emails from systems it has already compromised so that it spreads as quickly as possible. Once it has infected enough computers, it "drops" (installs) other malicious programs, especially TrickBot, which carries a modular set of built-in tools to discover system information, compromise that system further and steal data.

The presence of either of these Trojans on a network is a serious threat, and the two are closely related: where you see one, you often see the other. To help visualize how they work together, think of them as a team of professional robbers:

  • Emotet is the 'strike team' hired to get TrickBot through as many doors as possible, whether by exploiting vulnerabilities or by stealing keys (credentials)
  • TrickBot is the professional 'safe-cracking team' that the Emotet strike team lets in the door
  • TrickBot may install ransomware to collect a ransom, or simply to cover its tracks when it is done. When it installs ransomware, that ransomware is often Ryuk

Healthcare continues to be a prime target for these attackers, because:

  • The industry has known weaknesses, primarily due to the proliferation of connected but vulnerable devices. For example, it is not practical to throw away a multimillion-dollar MRI machine that still works just because it runs an outdated operating system
  • Healthcare organizations hold a significant amount of valuable Personally Identifiable Information (PII) such as Social Security numbers, dates of birth and driver's license numbers. They also possess Protected Health Information (PHI) such as blood test results, genetic history and diagnoses: data that is difficult to come by elsewhere and can be used to file fraudulent medical claims and obtain controlled substances
  • If malicious actors can cripple a healthcare organization with ransomware, the victim may not be able to provide care. Creating a crisis that threatens lives is a strong motivator to pay a ransom

Criminals are likely re-purposing Emotet and TrickBot in response to improved cybersecurity controls and awareness programs that now block and repel their older attacks more successfully. To keep pace with their attackers, healthcare organizations should:

  • Ensure budgeting for a strong cybersecurity program is a priority, not an afterthought
  • Conduct regular training to help avoid phishing and social engineering attacks
  • In a Windows environment, have all personnel log in to their workstations with standard user accounts rather than local administrator accounts, keep User Account Control (UAC) enabled so that any elevation requires an explicit prompt, and run applications in the "user context" as often as possible. Malware that lands in a non-admin session cannot silently install the services, drivers or persistence mechanisms that require administrator rights
  • Consider adding application white-listing (for example Windows AppLocker or Windows Defender Application Control), which blocks executables that have not been explicitly approved, to their arsenal of cybersecurity defenses
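The two Windows controls in the last two recommendations can be checked from a workstation without any third-party tooling. The following script is an added example written for this page, not code from the Stoel Rives post or from Microsoft; it is a read-only audit of local administrator membership, the UAC policy values and the effective AppLocker policy. It assumes Windows 10/11 with PowerShell 5.1 or later, and the function name `Test-WorkstationLeastPrivilege` and the "more than two local administrators" threshold are this example's own choices. Run it from the staff member's normal, non-elevated session so that `CurrentUserIsAdmin` reflects the day-to-day login.

```powershell
# Added example (not from the original post): read-only audit of the two
# Windows workstation controls recommended above: standard (non-admin) user
# accounts with UAC enforced, and an application allow-list (AppLocker).
# Assumes Windows 10/11, PowerShell 5.1+, run from the user's normal session.

function Test-WorkstationLeastPrivilege {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Who holds local administrator rights? Every member beyond the built-in
    #    Administrator account and one IT management account should be justified.
    #    (The threshold of two is this example's assumption, not a standard.)
    $admins = @(Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name)
    if ($admins.Count -gt 2) {
        $findings.Add("Local Administrators has $($admins.Count) members: $($admins -join ', ')")
    }

    # 2. Is the interactive user running this audit an administrator? For the
    #    day-to-day login on a staff workstation this should be False.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($isAdmin) { $findings.Add("Current user '$($identity.Name)' is a local administrator") }

    # 3. UAC policy. EnableLUA=1 means UAC is on. ConsentPromptBehaviorAdmin=0
    #    lets admin sessions elevate silently, which is exactly what a dropper
    #    wants. PromptOnSecureDesktop=1 keeps the prompt on the secure desktop,
    #    where other processes cannot spoof or click it.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1)                  { $findings.Add('UAC is disabled (EnableLUA != 1)') }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add('Admins elevate without a prompt (ConsentPromptBehaviorAdmin = 0)') }
    if ($uac.PromptOnSecureDesktop -ne 1)      { $findings.Add('Elevation prompts are not shown on the secure desktop') }

    # 4. Application allow-listing. Get-AppLockerPolicy -Effective -Xml returns
    #    the merged policy; an "Exe" RuleCollection with EnforcementMode=Enabled
    #    means unapproved executables are blocked (AuditOnly only logs them).
    #    The Application Identity service must be running for enforcement.
    $exeMode   = 'No Exe rule collection'
    $policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    if ($policyXml) {
        $policy = [xml]$policyXml
        foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
            if ($rc.Type -eq 'Exe') { $exeMode = $rc.EnforcementMode }
        }
    }
    if ($exeMode -ne 'Enabled') { $findings.Add("AppLocker Exe rules are not enforced ($exeMode)") }
    $appIdSvc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    if (-not $appIdSvc -or $appIdSvc.Status -ne 'Running') {
        $findings.Add('Application Identity service (AppIDSvc) is not running')
    }

    [pscustomobject]@{
        LocalAdministrators = $admins
        CurrentUserIsAdmin  = $isAdmin
        AppLockerExeMode    = $exeMode
        Findings            = $findings
    }
}

Test-WorkstationLeastPrivilege | Format-List
```

An empty `Findings` list means the workstation matches the two recommendations as written: staff log in without administrator rights, UAC will interrupt any attempt to elevate, and executables outside the approved list are blocked rather than merely logged. AppLocker enforcement is only available on Windows editions that support it; on other editions `AppLockerExeMode` will stay at its default string and the script still reports the account and UAC posture.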

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Stoel Rives - Global Privacy & Security Blog® | Attorney Advertising
