These Were the Top Threats Targeting Healthcare Firms in Q4 2016

Healthcare is a consistent target for cybercriminals, with IBM’s 2016 Cyber Security Intelligence Index claiming it had become the single most attacked industry. Today FortiGuard Labs has released details on the top 5 methods used to attack healthcare in Q4, 2016.

The research draws on telemetry gathered from 454 healthcare companies in 50 different countries. It outlines the top five threats detected in malware, ransomware, mobile malware, IPS events, botnets, and exploit kits.

The top malware threat comes from VBS/Agent.LKY!tr with more than 85,000 detections. This is best known as the initial attack vector for a ransomware attack. The second most prevalent malware is Riskware/Asparnet, with close to 78,000 detections. This is usually installed unintentionally, and is designed to collect sensitive information. 

Unsurprisingly, given the size of the ransomware threat to the healthcare industry, four of the top five malware threats have a ransomware connection. The remaining three are VBS/Agent.97E!tr (31,000 detections), JS/Nemucod.BQM!tr (30,000 detections), and JS/Nemucod.76CD!tr.dldr (28,000 detections).

By far the most prolific ransomware detected during this period was CryptoWall, accounting for 91% of all ransomware infections detected. Cerber accounted for 6% of detections, and TorrentLocker for 3%. TeslaCrypt and Locky were also detected, but each at less than 1% of infections.

Mobile malware is a particular concern for the healthcare industry given the mobility of much of the workforce — doctors and nurses spend much of their time moving between patients and visiting patients at home. Android malware occupies all five top slots for mobile malware detected during Q4 2016. This is unsurprising given the prevalence of Android devices and the open nature of the operating system compared to that of iOS. “This could be due to the fact that Android devices allow users to easily install apps from 3rd party sources, which could sometimes be loaded with Android-based malware,” notes the report.

By far the most prevalent mobile malware is Android/Qysly.B!tr. With around 4,700 detections during the period, this is twice the number of Android/Generic.Z.2E7279!tr detections (around 2,300).

IPS event detections show that the internet of things is becoming a major attack vector, especially for healthcare. Top spot goes to VxWorks.WDB.Agent.Debug.Service.Code.Execution with nearly 1.9 million hits. “VxWorks is an operating system for embedded devices,” notes the report, “which includes medical devices such as CT/PET/X-ray instrumentation, infusion pumps, personal activity monitors, and many others.” The vulnerability was discovered in 2010, but criminals clearly believe that not all devices will have been patched.

The second most prevalent IPS event (Web.Server.etc.passwd.Access) has just over 500,000 detections, probing for misconfigured Unix-based web servers that may expose operating system usernames from /etc/passwd. Third is SQLi attempts on web servers; fourth are attempts to exploit Netcore/Netis routers; and fifth is ShellShock.
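The /etc/passwd and ShellShock signatures in that list are easy to check for on a web server's own access logs, which is useful for sites that have no inline IPS. The following detector is an added example and is not FortiGuard's rule logic or code from the report; the log lines it scans are constructed, the signature names and the combined-log layout are assumptions, and the ShellShock check only covers the two header fields (referrer and user agent) that a typical access log records.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real telemetry).
# Lines 2 and 3 probe for /etc/passwd (the third one percent-encoded); line 4
# carries the ShellShock function-definition marker in its User-Agent header.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2016:10:01:05 +0000] "GET /cgi-bin/view?file=../../../../etc/passwd HTTP/1.1" 404 0 "-" "curl/7.50"
203.0.113.9 - - [10/Dec/2016:10:01:09 +0000] "GET /download?f=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "python-requests/2.12"
203.0.113.11 - - [10/Dec/2016:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :; }; echo probe"
203.0.113.13 - - [10/Dec/2016:10:01:15 +0000] "GET /about HTTP/1.1" 200 256 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signature names are assumed labels chosen for this example.
PASSWD_RE = re.compile(r'/etc/passwd\b')        # the file the probe asks for
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')         # "() {" function-definition prefix


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded paths are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line: str):
    """Return a finding dict for a suspicious request, or None for a benign/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m.group('path'))
    if PASSWD_RE.search(path):
        return {'ip': m.group('ip'), 'rule': 'etc-passwd-probe',
                'status': int(m.group('status')), 'evidence': path}
    for field in ('ua', 'ref'):
        if SHELLSHOCK_RE.search(m.group(field)):
            return {'ip': m.group('ip'), 'rule': 'shellshock-probe',
                    'status': int(m.group('status')), 'evidence': m.group(field)}
    return None


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        # A 200 on a passwd probe deserves a closer look than a 404.
        print(f"{finding['rule']:18} {finding['ip']:14} status={finding['status']} {finding['evidence']}")
```

The status code is kept in each finding on purpose: a /etc/passwd probe answered with 404 is background noise, while one answered with 200 is the case the report is warning about and should be triaged as a possible exposure rather than a mere scan.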

The top botnet detected is Andromeda, comprising a loader that has both anti-VM and anti-debug features that downloads modules and updates from its C2 server. Andromeda has been around since 2011. Second is H-worm, a VBscript-based botnet that steals sensitive information. Third is Necurs, particularly associated with delivering the Locky ransomware.

Conficker, one of the largest botnets ever known and dating back to 2008, is still there at number four — demonstrating that there are still many unpatched Windows systems around. Pushdo, at five, has also been around for several years. It is mostly associated with large spam campaigns.

The most frequently detected exploit kit is RIG, at 46%. “Coming in 2nd place at 23% is CK, followed by Angler (16%), Neutrino (12%) and other less popular exploit kits at 3%. Most of these exploit kits are used for ransomware distribution.”

Most of the threats against the healthcare industry are associated in one way or another with ransomware — due, says FortiGuard, “to the higher probability of collecting ransom when sensitive healthcare data is encrypted.” But FortiGuard has also detected many old threats against targets that should have been patched long ago. Patching is a problem for all industries, but operational medical devices are like the OT in industrial operations: there is a reluctance to tinker with critical systems that are working and in constant use.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
