3 Key Entry Points for Leading Ransomware Hacking Groups

Ransomware attacks rapidly increased in sophistication and impact this year, with healthcare as a prime target. Providers need to understand the entry points used by these hacking groups.

The number of successful ransomware attacks declined amid the COVID-19 pandemic, but security leaders warned hacking groups have not ceased the barrage of attacks on healthcare. Understanding the key entry points of these sophisticated attacks will be crucial to reducing their success.

As Germany reported this week that a patient died as a direct result of a ransomware attack, the threat to patient safety is no longer a hypothetical situation.

In just the last few weeks, data from at least five healthcare providers has been posted on the dark web for sale. The NetWalker, SunCrypt, Pysa (or Mespinoza), and REvil hacking groups claim to have exfiltrated data from these entities before launching ransomware payloads.

These double extortion attempts have been made popular by the Maze ransomware hacking group. Hackers first gain a foothold on a victim’s network, whether through a known vulnerability, a successful phishing email, a brute-force attack, or other means, then proliferate to all connected devices.

Often these hackers will remain on the network undetected, sometimes for months, conducting espionage and stealing sensitive data, while waiting for the ideal time to launch the ransomware payload.

When the entity refuses to pay, the more sophisticated hacking groups will then attempt to extort the organization by posting “proofs” of data allegedly stolen by the attackers and giving the provider a certain timeframe to pay the ransom demand, or else the rest of the data will be publicly leaked.

In fact, research shows that more than one in 10 ransomware attacks result in data theft. Given the severity of these attacks and their prevalence in the healthcare sector, shoring up the commonly exploited entry points will prove critical to preventing a successful attack.


In June, Proofpoint reported a drastic increase in ransomware attacks delivered through email-based phishing campaigns. Researchers noted it was a stark contrast to 2019, when hackers primarily leveraged downloaders as the initial payload.

“This recent emergence of ransomware as an initial payload is unexpected after such a long, relatively quiet period,” researchers explained at the time. “The change in tactics could be an indicator that threat actors are returning to ransomware and using it with new lures.”

“Various actors trying ransomware payloads as the first stage in email has not been seen in significant volumes since 2018,” they continued. “While these volumes are still comparatively small, this change is noteworthy. The full significance of this shift isn’t yet clear, what is clear is that the threat landscape is changing rapidly, and defenders should continue to expect the unexpected.” 

For example, one of the latest ransomware variants, known as Zeppelin, is delivered through Microsoft Word documents that contain a malicious macro, using the typical ransomware method of leveraging documents that attempt to lure victims into enabling VBA macros to launch the virus.