How Healthcare Providers Investigate And Prevent Cyber Attacks: Real-world Examples

According to IBM Security annual research, “Cost of a Data Breach Report 2024”, an average cost of a data breach in healthcare in 2024 was $9.77 million, the highest among all industries due to sensitive patient data and regulatory penalties. 

A Reality Check: Healthcare Cybercrime Scale

Just some more statistics from recent research:  

• Healthcare organizations faced a 28% increase in cyberattack costs from 2023 to 2024, highlighting the escalating financial threat (Ponemon Institute)

• Ransomware-related breaches in healthcare cost an average of $10.93 million per incident in 2024, reflecting the severe financial burden of these attacks (Sophos).

• Average ransom payment in healthcare surged to $2.03 million in 2024, up from $1.5 million in 2023, due to the high value of medical data (Chainalysis).

• 41% of healthcare data breaches in 2024 led to class-action lawsuits, with average settlement costs of $2.1 million per case (BakerHostetler).

Prevention Is Better Than Cure: How Threat Intelligence Helps

Considering the level and cost of the risk, cybersecurity reinforcement is one of the wisest investments a healthcare service provider can make right now.

An active market player of any scale must incorporate a security operations center armed with proven strategies, relevant tactics and state-of-the-art tools to withstand cyber attacks.   

Threat intelligence is the pillar of this structure. It’s about turning raw data into strategic insights that can be used to fortify network defenses against known and unknown threats.

It provides context to security events to prioritize response efforts and mitigate the aftermath.   

ANY.RUN’s Threat Intelligence Lookup is a search engine on cyber threats: IOCs, IOBs, IOAs, and TTPs required to investigate attacks and attackers.

It works with a database of malware samples analyzed in the Interactive Sandbox by a community of 500,000 security professionals and15,000 corporate SOC teams. 

Contact ANY.RUN to request 50 trial searches in TI Lookup and see how it helps to investigate threats specific to your business. 

1. Express Research, Immediate Action

Check any suspicious file that has emerged in your network by a simple TI Lookup search request.

In this example, we see that the file has been just recently flagged as malware and analyzed in ANY.RUN’s Interactive Sandbox.  

filePath:”upd_9488679.exe” 

It turns out to be a part of Interlock malware inventory.

Interlock is ransomware that has been targeting the healthcare sector in recent years, performing successful attacks with major financial losses, dramatic operational disruption, and deep brand damage for the victims.  
 
Use the malware name as a search request and find more analysis sessions with Interlock samples in the sandbox.

View the analyses to study Interlock behavior, TTPs, and gather more IOCs for setting up your monitoring and alert systems.  

2. Sleeper Agent Exposure

While ransomware strikes rapidly, malware like stealers or backdoors can sit in your system stealthily for a period of time supporting their persistence and evading detection.

TI Lookup is a threat hunting solution that can assist in discovering such malware by some less obvious indicators of compromise like mutexes.

(syncObjectName:"PackageManager" or syncObjectName:"DocumentUpdater") and syncObjectOperation:"Create" 

We can see that the combination of benign-looking mutexes PackageManager and DocumentUpdater might be an indicator of BugSleep backdoor exploited by a well-known APT group MuddyWater from Iran.  

3. Nipping Data Leaks In The Bud

Phishing is a main malware delivery tactic and data theft device, so it’s extremely important for proactive protection to detect and block phishing inventory like malicious URLs and domains. 

domainName:"supermedicalhospital.com" 

The domain that we have searched has not yet been flagged as malicious, but it has been detected in fresh malware samples which is a big fat alarm by itself.

Additionally, the search has delivered several IPs that can be researched as potential IOCs.  

4.  Proactive Prevention

We can’t stress the importance of prevention enough, as well as TI Lookup’s potential in this challenge.

Proactive protection saves businesses money, time, and reputation, but it is permanent effort and an integral part of cybersecurity routine.

Tools like Threat Intelligence Lookup can make it much more efficient. For example, let us imagine that we are a German hospital, and we want to know what threats are holding us at gunpoint.

Our search query combines the most pressing type of malware and the location indicator:  
submissionCountry:”de” AND threatName:”ransomware” 

The results indicate that German malware analysts are extremely busy right now researching multiple fresh samples of ransomware, including such sinister strains as Virlock and Birele. 

Click the bell icon in the top right corner to subscribe to the updates on this query to keep tabs on the emerging and most actual threats.  

Another way of selecting samples of a particular malware for closer research and investigation are YARA rules integrated in TI Lookup.

The rule on the screenshot detects Agent Tesla malware: click the Scan button to find malware processes, IOCs, and sandbox analysis sessions featuring Agent Tesla. 

Conclusion

Cyber attacks and malware are especially dangerous for healthcare companies because of the sensitive nature of the data they hold, the critical need for system uptime, and the severe consequences of disruptions or data breaches up to life-threatening errors.  
 
Many healthcare systems run on outdated software or have inconsistent patching practices, and staff often lacks cybersecurity training, which increases susceptibility to phishing or social engineering.

In these circumstances, a systematic approach to proactive cyber defense is vital not only for business, but for its customers and the whole society.  

Threat Intelligence Lookup from ANY.RUN provides SOC teams with a top-notch solution for: 

• Threat identification and triage: Uncover attacks behind alerts with quick indicator search to block them before they escalate.
• Incident response: Collect attack IOCs, IOAs, IOBs, TTPs, and observe its full execution chain inside the sandbox for more accurate response.
• Proactive security: Enrich your defense with fresh indicators from the latest samples to prevent incidents, including with auto-updates.
• Threat hunting: Run proactive searches on artifacts found in your network to pin them to actual threats.
• Forensic analysis: Investigate system events and indicators to discover missing attack details.

Take your cybersecurity to the next level, discover TI Lookup’s features with 50 trial search requests.