HHS Cybersecurity Center Warns of New Ransomware Threat

by Sriram Parisa
The HHS Health Cybersecurity Coordination Center is warning the healthcare industry that Venus ransomware operators are targeting remote desktop services to encrypt Windows devices. At least one healthcare organization in the United States has fallen victim, according to the cybersecurity center, also known as HC3.

The warning comes on the heels of a widespread ransomware attack in October against CommonSpirit Health, one of the largest healthcare organizations in the country. CommonSpirit, which did not identify the type of ransomware that gained access to its system, was still working last week to restore some functionality lost in the attack.

Venus ransomware, which began operating in mid-August, has breached systems around the world, HC3 said in an analyst note. The report identifies indicators of the Venus variant and recommends a number of mitigations to protect against ransomware.

Ransomware incidents are on the rise in the healthcare industry as attackers eye the large amount of patient data collected by providers. Venus is the latest in a wave of threats that HHS sounded the alarm about last year, with previous alerts focused on ransomware groups like Daixin Team and Hive.

Ransomware attacks on healthcare organizations doubled last year compared to 2020, affecting two-thirds of Sophos respondents. The cybersecurity firm also found that threats are increasing in complexity and impact.

Cyber threats to third parties, such as medical device vendors and supply chain providers, are also skyrocketing, according to the American Hospital Association.

HC3 said the Venus ransomware will attempt to kill 39 processes associated with Microsoft Office applications and database servers. According to the report, it is vital to put publicly exposed remote desktop services behind a firewall to protect against such attacks.

Also known as Goodgame, the ransomware uses algorithms to encrypt files and appends the “.venus” extension. For each encrypted file, a “goodgamer” file marker and other information are added to the end of the file.
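A triage check for the two file indicators described above, added here as an example and not taken from the HC3 note: it walks a directory tree and flags files that carry the “.venus” extension, the “goodgamer” marker near the end of the file, or both. That the marker is stored as the plain ASCII bytes `goodgamer`, and the 4096-byte tail window, are assumptions; the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

EXTENSION = ".venus"   # extension named in the article
MARKER = b"goodgamer"  # assumption: marker is stored as these ASCII bytes
TAIL_BYTES = 4096      # assumption: how much of the file's end to inspect

def read_tail(path, size=TAIL_BYTES):
    """Return up to `size` bytes from the end of the file."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(fh.tell() - size, 0))
        return fh.read()

def classify(path):
    """Return 'extension+marker', 'extension-only', 'marker-only' or None."""
    has_ext = Path(path).suffix.lower() == EXTENSION
    try:
        has_marker = MARKER in read_tail(path)
    except OSError:
        has_marker = False  # unreadable file: fall back to the name alone
    if has_ext:
        return "extension+marker" if has_marker else "extension-only"
    return "marker-only" if has_marker else None

def scan(root):
    """Walk `root` and map each flagged file path to its classification."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if verdict:
                hits[full] = verdict
    return hits

def demo():
    """Scan constructed sample files (not real Venus output) in a temp dir."""
    samples = {
        "report.docx.venus": b"\x00" * 8000 + b"goodgamer" + b"\x01" * 32,
        "notes.venus": b"plain text, no marker",
        "renamed.bin": b"\x00" * 100 + b"goodgamer",
        "clean.txt": b"hello",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return {os.path.basename(p): v for p, v in scan(tmp).items()}
```

A “marker-only” hit is a weak signal on its own, since the string can occur in unrelated files; treat it as a prompt for closer inspection rather than confirmation.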

HC3 recommends that organizations implement a recovery plan to retain multiple copies of data and servers in a separate location; segment networks and password protect offline data backups; regularly update antivirus software; and immediately install updates and patches for operating systems, software, and firmware.

The report also recommends adding a banner to emails from outside the organization, disabling unused ports, disabling hyperlinks in received emails, enforcing multi-factor authentication, using NIST standards for password policies, and considering limits on the rate at which attackers can guess logins.

Saying that cyber vulnerabilities increasingly threaten patient safety and leave organizations vulnerable to data theft, Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence and a Virginia Democrat, released a white paper this month in which he proposes regulatory requirements for health systems to improve cybersecurity.
