Healthcare ransomware attacks exploded in the third quarter of 2017, with 40 million attacks using malicious URLs or attachments in that quarter alone, according to Proofpoint's 2018 Healthcare Threat Report.
Cybercriminals switched tactics in the fourth quarter, but ransomware techniques could return as a significant threat.
Proofpoint analyzed more than 100 million ransomware emails sent to hospitals, clinics and health insurers in the 12-month period ending March 31, 2018.
Here are six key findings from the report.
1. There was a high instance of business associates such as surgical groups, orthopedic partners and dentists being impersonated.
2. Almost one in five emails claiming to be from a healthcare organization was fraudulent. Approximately 8 percent of fraudulent emails impersonated the email domain of a healthcare institution.
3. More than three-fourths of attempts at email fraud used "payment," "request," "urgent," or "FYI" in the subject line.
4. Swapping characters such as "I" and "L" was a common way to create lookalike domains.
5. Attackers attempted to steal protected health information by using a trusted domain to send malicious messages; designing an email's "from" field to fool recipients; and registering a domain that looks like a trusted one.
6. Locky was the top ransomware variant. Other malware families targeting healthcare organizations included The Trick, Global Imposter, Pony and Hancitor.