Dec 21 2022

CISA Warns Healthcare Organizations of Cuba Ransomware Threat

One foreign healthcare system has already been compromised by Cuba ransomware actors. Here’s how health IT leaders can strengthen their security posture to mitigate the threat.

Cuba ransomware actors, with no connection to the Republic of Cuba, have continued to attack U.S. entities, including healthcare organizations, since they were first identified in November 2021. The FBI and the Cybersecurity and Infrastructure Security Agency released a new cybersecurity advisory (CSA) this month warning health IT leaders that the number of U.S. entities compromised by Cuba ransomware has doubled since December 2021.

Not only has the frequency of attacks increased, but their tactics, techniques and procedures (TTPs) have become more sophisticated. According to the CSA, third-party sources have identified possible links between Cuba ransomware actors, RomCom remote access Trojan actors and Industrial Spy ransomware actors.

Cuba ransomware actors have gained entry to the systems of healthcare and other critical infrastructure sectors through known software vulnerabilities, phishing campaigns, compromised credentials and remote desktop protocol tools.

Since spring 2022, Cuba ransomware actors have deployed new TTPs to compromise networks. According to Palo Alto Networks Unit 42, these actors move laterally through compromised environments while using tools to evade detection.

“In addition to deploying ransomware, the actors have used ‘double extortion’ techniques, in which they exfiltrate victim data, and (1) demand a ransom payment to decrypt it and, (2) threaten to publicly release it if a ransom payment is not made,” states the CSA.

A foreign healthcare organization was compromised by Cuba ransomware actors deploying Industrial Spy ransomware.

How Health Systems Can Protect Themselves from Cuba Ransomware

Healthcare organizations can take several steps to mitigate the effects of a Cuba ransomware attack. Among them are implementing a data recovery plan, requiring all accounts with password logins to comply with National Institute of Standards and Technology standards for developing and managing password policies, and requiring multifactor authentication.

Other mitigation tactics include:

  • Keeping operating systems, software and firmware up to date
  • Segmenting networks
  • Implementing a network monitoring tool to identify, detect and investigate abnormal activity
  • Installing and regularly updating real-time detection for anti-virus software
  • Auditing user accounts with administrative privileges and implementing least-privilege access
  • Disabling unused ports
  • Maintaining offline data backups
  • Ensuring all backup data is encrypted and immutable

Healthcare organizations facing a ransomware threat should report the incident to the FBI, CISA or the U.S. Secret Service.
