New research by Netskope Threat Labs has revealed that infostealers were the primary malware and ransowmare families used to target the healthcare sector. Healthcare was among the top sectors impacted during 2023 by mega breaches, an attack where over one million records were stolen. The report also examined the continued increase in cloud app adoption in the healthcare sector as well as malware trends across the sector.
The report is based on anonymised usage data collected about a healthcare sector subset of Netskope’s 2,500+ customers, all of whom give prior authorization for their data to be analysed in this manner.
Infostealers are a prominent malware family for the healthcare sector as attackers attempt to steal valuable data from organisations and patients in order to further blackmail or ransom the data. In particular, the research found that the Clopp ransomware gang was particularly active targeting healthcare and health insurance organisations, exploiting the CVE-2023-34362 MOVEit vulnerability.
The research also found that malware downloads increased in 2024 but plateaued in H2. Cloud delivered malware ended the year at approximately 40% of malware downloads in the healthcare sector after a peak of 50% in June which then dipped a little in the second half of the year. Healthcare trended slightly below other industries but cloud-delivered malware in the sector grew considerably year-on-year – up from just 30% a year ago.
Notably, the healthcare sector appeared to have the lowest percentage of malware sourced from the cloud in the past 12 months, ranking 6th at approximately 40% of total malware downloads, behind telecoms, financial services, manufacturing, retail, technology, state and local government and education.
Cloud apps are increasingly a target for malware as they give attackers the ability to evade regular security controls that rely on tools such as domain block lists and monitoring of web traffic, and such attacks impact companies that do not apply zero trust principles to routinely inspect cloud traffic.
While Microsoft OneDrive remained the most popular app in the healthcare sector, its use was significantly lower than other sectors. Slack was second for uploads, behind OneDrive, and fifth for downloads, significantly higher than in other sectors. However, this usage trend did not correlate with the number of malware downloads from the app – it was not even in the top 10 sources.
As Slack is a robust enterprise app, attackers need to use different tactics and content to target users who need to accept or share invites to external channels. This is a more complex process when compared with other consumer messaging apps like Whatsapp that could be used on a corporate device. Instead, attackers would use Slack as a command and control server, as its API provides a flexible mechanism to upload (or exfiltrate) data.
Paolo Passeri, Cyber Intelligence Principal at Netskope said: “Malware and infostealers shouldn’t be the only concern for the healthcare sector, they should also consider the vulnerability of their supply chain and apply the same zero trust strategy they would in their own organisation to third-parties in the supply chain.”
