Cyberwarfare v.s. Ransomware: Visibility and Control in Healthcare

Airgap Networks
5 min readMar 9, 2022


Russian-Ukraine cyber conflicts and potential threats to healthcare

Isolate, Profile and Secure with Agentless Segmentation

Russia’s unprovoked attack on Ukraine, which has involved cyberattacks on the Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region. Destructive malware can pose a significant threat to an organization’s day-to-day operations, compromising the availability of critical assets and data availability. The Microsoft Threat Intelligence Center (MSTIC) reported on January 15, 2022, that malware known as WhisperGate was being used to attack enterprises in Ukraine. WhisperGate is designed to be destructive, rendering targeted devices dysfunctional. WhisperGate corrupts the system’s master boot records and displays a fake ransomware note to the victim while encrypting the file based on certain file extensions.

On February 23, 2022, cybersecurity experts revealed that HermeticWiper malware was being launched against enterprises in Ukraine. According to SentinelLabs, the ransomware targets Windows devices, modifying the master boot record and causing subsequent boot failure. Cybercriminals have used ransomware to target the healthcare business. Most recently, details have come to light exposing the extent of the ransomware attack against Ireland’s Health Services Executive IT systems, affecting 250 systems and costing upwards of €100 million. Appointments for about 7,000 patients a day are still being canceled, almost two weeks after a criminal gang hacked the HSE systems with ransomware.

The Russia-Ukraine crisis raises the potential of ransomware attacks and other cyber risks for businesses based in the United States, including those in the healthcare industry. According to the Department of Health and Human Services (“HHS”) the WannaCry, HermeticWiper, and WhisperGate ransomware variants are being used by the Russians, who also have the cyber power, to engage in multiple cyberattacks on hospitals and healthcare systems, resulting in surgeries, radiology exams, and other patient procedures to be canceled.

What is the impact of the Russian-Ukraine Cyberwarfare?

A cyber analysis released on Wednesday by intelligence agencies in the United Kingdom and the US blamed malicious new malware on an infamous Russia-backed hacking organization. The National Cyber Security Centre in the UK and US organizations like the National Security Agency collaborated on the study. They were warned by the Cybersecurity & Infrastructure Security Agency (CISA) that the organization, Sandworm, has developed a new form of malware known as Cyclops Blink, which targets firewall hardware manufactured by WatchGuard to defend PCs from hacking.

According to Paul Prudhomme, Head of Threat intelligence advisory at Rapid7, state-sponsored Russian actors could also pose as criminals by using ransomware to disrupt foreign targets, as they did in the 2017 NotPetya ransomware operation that targeted Ukraine. The assault infiltrated one-third of all NHS hospitals in the UK, generating an estimated £92 million in damage. Although ransomware assaults have been on the rise for several years, the number of incidents has skyrocketed in the last 12 to 18 months because of the Russia-Ukrainian conflict.

What are the consequences of the Russian-Ukrainian Cyber War?

Entities in the healthcare and public health sectors should be proactive in monitoring for and guarding against wiper malware and assaults from Russian-linked threat groups. Security researchers have discovered a number of HermeticWiper and WhisperGate Ransomware variants in the wild, and the American Hospital Association instructed healthcare organizations to consult with security providers to better understand the threat and its consequences. In the event of a ransomware attack, these resources contain recommended defensive, mitigation, and recovery measures, as well as indicators of compromise.

Many security professionals recommend agentless security such as Airgap Zero Trust Segmentation solution to eliminate zero-day ransomware attacks. The service integrates seamlessly with our patented Ransomware Kill Switch™ to proactively provide policy-based and autonomous cyber incident response so whatever IP devices are connected and be defended with zero trust.

Ukraine has been hit by more cyber-attacks, which its government says are “on a completely different level” as reported by BBC during the conflict. Earlier on Wednesday, the websites of several Ukrainian banks and government departments became inaccessible due to several ransomware attacks causing up to $72 million to the economy, including healthcare. Attackers’ demands are rising in tandem with the rise in ransomware attacks, with the average ransom already above $84,000. Companies must also consider additional hidden costs, such as lost productivity, that can result from a successful assault, in addition to this evident cost.

Most security pros believe it’s only a matter of time until any organization suffers a penetration of its perimeter security. Network segmentation provides the only hope to drastically reduce or eliminate the consequences of a successful attack. Properly implemented, it has the potential to prevent ransomware from spreading beyond its initial landing site and limit its ability to successfully encrypt other assets.

According to Harbor Labs, Russian-sponsored malware may exhibit the same characteristics as ransomware such as WannaCry, which spread beyond its intended target to impact a wide range of internet-connected medical or healthcare devices, the internet of things, and hospital IT systems, as well as associated healthcare systems and medical devices.

As healthcare providers integrate more and more medical devices through the internet in an effort to streamline collaboration, patient monitoring and diagnosis it clears the way for potential threat actors to execute cybersecurity attacks designed to paralyze critical infrastructure and encrypt ePHI information through IT and OT configuration silos.

Having a cybersecurity defense plan for OT infrastructure is critical for any organization that uses the IoMT to assist in healthcare operations.

Zero Trust Isolation. Zero Jailbreaking. Zero False Positives.

On the network side, security starts with visibility and intelligence. Airgap Zero Trust Isolation discovers and ringfences all IP-connected devices to stop any chance of jailbreaking and provides complete profiling discovery with granular communication observability on all managed or unmanaged systems.

In addition, Airgap’s patented Ransomware Kill Switch™ will enforce rapid response policies in the event of cyberattacks. Airgap recommends heightened vigilance in monitoring networks for abnormal activity and mobilization of response actions as necessary.

On the application side, Airgap provides the agentless Secure Asset Access solution which serves as the reverse proxy with OpenID Connect compatible MFA SSO into any legacy RDP or SSH applications with time-based “just-in-time” access to any EMR and EHR systems that have PII or ePHI compliance implication.

Airgap recommends the healthcare industry Install internet security software to keep computers and their connected devices computer safe and shielded from ransomware attacks. For IT practitioners in the healthcare industry, it is critical to mobilize zero trust security to stop the infection from propagating to any inter or intra-VLAN systems without relying on agents. Choose a complete solution for total network and application security to shield your infrastructure with full visibility and autonomous segmentation against emerging threats. Airgap Zero Trust Segmentation provides the continuous learning and monitoring of the network and analyzes every IP address associated with healthcare devices without agents.

Curious how Ransomware Kill Switch works? See it in action. Schedule Now.



Airgap Networks

Zero Trust Isolation — The Best Defense Against Ransomware Propagation.