
Updates from Enzoic’s Threat Research Team

In the last Enzoic research update, we briefly discussed the travails of the healthcare industry and its challenges in establishing a successful cybersecurity posture in the face of a salivating cadre of identity thieves and ransomware operators. In the intervening few weeks, more analyses have been published, including the HIPAA Journal’s article conferring the unfortunate award of “Most Breached Industry” for 2024, dethroning first-seeded Finance from its 2023 top position. During this time, we also dug a little deeper into the ransomware stats to try and see what’s going on.

Since January 1st, 2024, at least $189 million in ransoms has been paid to cybercriminals over 205 attacks, an average ransom of about $924,000 per attack according to data compiled by Comparitech. These numbers don’t include the 169 attacks that did not have reported ransom amounts, so the total amount is likely much higher (and it’s difficult to know how many went unreported: healthcare organizations are often required to report incidents under HIPAA and other regulations, but only if patient health information (PHI) is involved). This egregiously large sum of money makes it clear why threat actors are pursuing this avenue of cybercrime so tenaciously.

Back to Basics: Prophylaxis

For security researchers, the natural question is “how?”: How are threat actors achieving these levels of successful ransomware deployment? It’s not a complicated question, but finding the information needed to answer it can be difficult. Each organization’s attack surface and network is different and requires slightly different exploits or strategies, and the evidence (e.g. system logs and alerts) may not always be available or provided to researchers for forensic examination. So we have to rely on surveys, industry reports, and the visible trends and patterns they reveal to best understand how we can counter attacks and provide effective protection (not just post-hoc remediation).

One of the most-respected reports in the industry, the Verizon DBIR, analyzed 5,175 system intrusion incidents in their 2024 report, and concluded “…when prioritizing your efforts at protecting yourself, don’t neglect addressing malware infections, stolen credentials or unpatched systems as it may lead you to break out in Ransomware.”

This recommendation is supported by a recent Sophos report on ransomware in healthcare as well, which notes that “higher levels of legacy technology” are a contributing factor to the vulnerability of the industry. The report also states “In 2024, exploited vulnerabilities and compromised credentials (both at 34%) were the most common entry methods for ransomware attacks in this sector, followed by malicious emails, which were the root cause of 19% of attacks.” A strong cybersecurity posture is multi-faceted and multi-layered, but these entry vectors should be a primary concern for any organization trying to secure its IT infrastructure.

Who Will Pwn the Pwners?

In an ironic turn of events this week (March 24, 2025), Troy Hunt’s well-known breach notification service “HaveIBeenPwned” itself suffered a breach when Mr. Hunt clicked on a link in a phishing email by mistake. This allowed threat actors to obtain his Mailchimp credentials and export his user email list. To his credit, Mr. Hunt immediately disclosed the breach and posted the details on his own site, notifying affected users and apologizing for the lapse. It can feel both amusing and ominous when cybersecurity organizations suffer cybercrime, but this incident should serve as a reminder to all of us as to just how susceptible anyone can be. While we all like to think that there’s no way we’d fall victim to a phishing email or malware-laden download, this attitude is only harmful to our ability to protect ourselves. The risk may never be fully eliminated, but multiple layers of prevention and adherence to best practices (e.g. not reusing passwords) can certainly help us prepare for the events that no one wants to believe will happen.

An (Accidental) Inside Job

Human factors are of course a major component of cybersecurity. Blame and embarrassment are two huge behavioral obstacles to developing and implementing a strong security posture with regard to human factors. No one wants to admit they fell for a scam or fell victim to malware, certainly not publicly, and often not even to themselves. But unreported incidents are hard, if not impossible, to mitigate, and timeliness is absolutely crucial in preventing or minimizing harm from cybercrime.

Unfortunately, remediating and updating software is often much easier than remediating and updating people. A ‘culture of cybersecurity’ often involves things that people find boring and frustrating, like frequent training, regular practice, constant learning, and vigilance. There’s no single solution or ‘right answer’ to this problem, but it certainly starts with organizational leadership setting a positive tone: valuing the time users and employees spend on security practices, and incentivizing the behaviors and opportunities that support learning, vigilance, and good security habits.


FAQs

Why are stolen credentials a growing concern for organizations?

Stolen credentials are a primary entry point for cybercriminals to execute account takeovers, data breaches, and ransomware attacks. These credentials are often obtained through infostealer malware or exposed databases and are then sold and traded on dark web forums and threat actor communication platforms. Once in the wrong hands, they enable unauthorized access to corporate systems and user accounts, leading to financial fraud, reputational damage, and compliance violations.

How can businesses mitigate the risks of healthcare data breaches?

Healthcare data breaches continue to rise due to the vast attack surface of hospitals and medical facilities, including EHR systems, patient portals, employee logins, and IoT medical devices. Most or all of these systems have a login flow that grants access to crucial data or can be a springboard for further access into the environment. To mitigate risks, organizations should invest in proactive cybersecurity measures such as compromised password monitoring. This directly addresses the #1 cause of a data breach, compromised credentials, as found by Verizon’s DBIR report and IBM’s Cost of a Data Breach report.


AUTHOR

Dylan Hudson

Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.