McAfee Labs Report ‘Follows the Money’ to Assess Criminal Operations Behind Hospital Ransomware




Investigation tracks hospital ransomware payments through Bitcoin accounts; Ransomware, mobile, and macro malware threats surge in Q2 2016

  • Intel Security tracks $100,000 in targeted hospital ransomware payments through suspect Bitcoin accounts; investigates operations of $121 million ransomware network
  • Intel Security survey shows healthcare and manufacturing sectors are among the least prepared to prevent data loss
  • More than 25% of companies surveyed do not monitor sharing of or access to employee or customer data
  • Only 37% of organizations surveyed use endpoint monitoring of user activity and physical media activity
  • 90% of respondents have cloud protection strategies, but only 12% have visibility into data activity in the cloud
  • New mobile malware reaches highest level recorded in Q2 2016; total mobile malware grows 151% year over year
  • Total ransomware grows 128% year over year; macro malware grows 106%


SANTA CLARA, Calif., September 14, 2016 – Intel Security today released its McAfee Labs Threats Report: September 2016, which assesses the growing ransomware threat to the healthcare industry, surveys the “who and how” of data loss, explains the practical application of machine learning in cybersecurity, and details the growth of ransomware, mobile malware, macro malware, and other threats in Q2 2016.

Following a rash of targeted ransomware attacks upon hospitals in early 2016, Intel Security investigated the attacks, the ransomware networks behind them, and the payment structures enabling cybercriminals to monetize their malicious activity. The researchers identified nearly $100,000 in payments from hospital ransomware victims to specific Bitcoin accounts. While healthcare is still clearly a small proportion of the overall ransomware “business,” McAfee Labs expects a growing number of new industry sectors to be targeted by the extensive networks launching such attacks.

In the first half of 2016, our researchers identified a ransomware author and distributor who appeared to receive $121 million (BTC 189,813) in payments from ransomware operations targeting a variety of sectors. Dark net discussion board communications suggest that this particular cybercrime actor had accumulated profits of $94 million during the first six months of this year.

The scale of the operation is in line with research McAfee Labs conducted with its Cyber Threat Alliance partners in late October 2015, when the group uncovered a ransomware operation using the CryptoWall ransomware strain to extort nearly $325 million over the course of two months.

The research team attributes the increased focus on hospitals to such organizations’ reliance on legacy IT systems, medical devices with weak or no security, third-party services that may be common across multiple organizations, and hospitals’ need for immediate access to information to deliver the best possible patient care.

“As targets, hospitals represent an attractive combination of relatively weak data security, complex environments, and the urgent need for access to data sources, sometimes in life or death situations,” said Vincent Weafer, Vice President for Intel Security’s McAfee Labs. “The new revelations around the scale of ransomware networks and the emerging focus on hospitals remind us that the cybercrime economy has the capacity and motivation to exploit new industry sectors.”

Intel Security 2016 Data Loss Prevention Study

The Q2 report also features the results of a primary research study assessing data loss incidents, including the types of data leaking out, the ways data exits organizations, and the steps organizations must take to take to improve the capabilities of data loss prevention.

The survey found that retail and financial services organizations have deployed the most extensive protections against data loss, a finding McAfee Labs attributes to organizational responses to the frequency of cyber-attacks and the value of the data held by companies in these two sectors. Having sustained fewer cyber-attacks historically, healthcare and manufacturing enterprises have made fewer IT security investments and, accordingly, possess the least comprehensive data protection capabilities.

McAfee Labs researchers find the weaker defences in these two sectors particularly disturbing given that cybercriminals continue to shift their focus from easily replaceable payment card numbers to less perishable data such as personally identifiable information, personal health records, intellectual property, and business confidential information.

“Industry sectors such as healthcare and manufacturing present both opportunity and motive for cybercriminals,” Weafer continued. “Their relatively weak defensive capabilities coupled with highly complex environments simplify breaches and subsequent data exfiltration. The cybercriminals’ motive is ease of monetization, with less risk. Corporations and individuals can easily cancel stolen payment cards soon after a breach is discovered. But you can’t change your most personal data or easily replace business plans, contracts, and product designs.”

The research revealed that more than 25% of respondents do not monitor the sharing of or access to sensitive employee or customer information, and only 37% monitor the usage of both, although this figure rises to almost 50% for the largest organizations.

The survey results also show that nearly 40% of data losses involve some kind of physical media, such as thumb drives, but only 37% of organizations use endpoint monitoring of user activity and physical media connections that could counter such incidents. While 90% of respondents claim to have implemented cloud protection strategies, only 12% are confident in their visibility into the activity of their data in the cloud.

Weafer concluded: “We will always face challenges as we work to prevent the exfiltration of data, wherever it is stored and however it is handled. But organizations can learn a great deal from this study’s consistent theme of the value of greater visibility into events and incidents across the enterprise, and the longer-term value of the data drawn from this monitoring to construct stronger security postures.”

Q2 2016 Threat Activity

In the second quarter of 2016, McAfee Labs’ global threat intelligence network detected 316 new threats every minute, or more than 5 every second, and registered notable surges in ransomware, mobile malware, and macro malware growth:

  • Ransomware. The 1.3 million new ransomware samples in Q2 2016 was the highest ever recorded since McAfee Labs began tracking this type of threat. Total ransomware has increased 128% in the past year.
  • Mobile malware. The nearly 2 million new mobile malware samples was the highest ever recorded by McAfee Labs. Total mobile malware has grown 151% in the past year.
  • Macro malware. New downloader Trojans such as Necurs and Dridex delivering Locky ransomware drove a more than 200% increase in new macro malware in Q2.
  • Mac OS malware. The diminished activity from the OSX.Trojan.Gen adware family dropped new Mac OS malware detections by 70% in the second quarter.
  • Botnet activity. Wapomi, which delivers worms and downloaders, increased by 8% in Q2. Last quarter’s number two, Muieblackcat, which opens the door to exploits, fell by 11%.
  • Network Attacks. Assessing the volume of network attacks in Q2, denial-of-service attacks gained 11% in the quarter to move into first place. Browser attacks dropped by 8% from Q1. These most prominent attack types were followed by brute force, SSL, DNS, Scan, backdoor, and others.

For more information on the financial impact of ransomware attacks on hospitals, please see our blog entitled “Healthcare Organizations Must Consider the Financial Impact of Ransomware Attacks.”

For more information on these focus topics, or more threat landscape statistics for Q2 2016, visit for the full report.

For guidance on how organizations can better protect their enterprises from the threats detailed in this quarter’s report, visit Enterprise Blog.

For online safety tips on how consumers can protect themselves from the threats mentioned in this report, visit Consumer Safety Tips Blog.


About McAfee Labs

McAfee Labs is the threat research division of Intel Corporation’s Intel Security Group, and one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. The McAfee Labs team of researchers collects threat data from millions of sensors across key threat vectors—file, web, message, and network. It then performs cross-vector threat correlation analysis and delivers real-time threat intelligence to tightly integrated McAfee endpoint, content, and network security products through its cloud-based McAfee Global Threat Intelligence service. McAfee Labs also develops core threat detection technologies—such as application profiling, and graylist management—that are incorporated into the broadest security product portfolio in the industry.

About Intel Security

McAfee Labs is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security and unique McAfee Global Threat Intelligence, Intel Security is intensively focused on developing proactive, proven security solutions and services that protect systems, networks and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. The mission of Intel Security is to give everyone the confidence to live and work safety and securely in the digital world.

McAfee Canada, now part of Intel Security, maintains a website called “The State of Consumer and Enterprise Security in Canada” ( in order to provide a one-stop shop for writers looking for information on a variety of trends and issues affecting and shaping the Canadian security landscape. Feel free to check out the McAfee Canada resource site for security information, statistics, story ideas, and access to published McAfee surveys and studies.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.