Healthcare News & Insights

Everything you need to know about Orangeworm – A new criminal group making the rounds in healthcare

Hospitals are no stranger to malware and ransomware attacks. From WannaCry’s impact on the National Health Service to the myriad data breaches we’ve seen over the past decade, the health sector is a constant target. In this guest post, Max Emelianov, CEO of a web hosting company, tells you about a new attack group that has surfaced – an especially nasty one.


Most hackers are little more than greedy opportunists. They’ll seek the path of least resistance, whatever gets them the most money for the least effort. What this means is that most criminals exclusively target organizations with poor security, or otherwise take a ‘shotgun’ approach to their criminal activities.

This paradigm makes it more noteworthy when a criminal enterprise surfaces that launches carefully-planned, targeted attacks.

Orangeworm is one such collective. Recently identified by Symantec, the group has been in operation since at least 2015. In that time, it has installed a custom backdoor by the name of Trojan.Kwampirs on several large, international healthcare corporations within Europe, the United States and Asia.

“Based on the list of known victims,” reads the Symantec brief, “Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.”

“Almost 40% of Orangeworm’s confirmed victim organizations operate within the healthcare industry,” the report continues. “The Kwampirs malware was found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. Additionally, Orangeworm was observed to have an interest in machines used to assist patients in completing consent forms for required procedures. The exact motives of the group are unclear.”

That last part is what’s particularly frightening about this whole scenario. Although it seems likely that Orangeworm wants to mine healthcare providers, pharmaceutical companies and solutions providers for protected health information (PHI), the fact that it has targeted such a wide array of machines means it may have some ulterior goal. According to Edgy Labs, the main focus appears to be learning about the devices the group has infected.

The good news is that protecting your organization from Kwampirs – and from many malicious programs like it – is quite simple. Like much malware, it tends to work best on older operating systems, which may have unpatched vulnerabilities and security bugs it can exploit. Your best defense is to ensure your infrastructure is entirely up to date, and that you aren’t using any software that’s reached end of life (like Windows XP).

Beyond that, it’s just a matter of basic cybersecurity best practices. Train your staff to recognize and respond to potential security threats, monitor the flow of data through your network and ecosystem, ensure you’re always in control of your most important assets, and do everything necessary to be compliant. All stuff you should be doing anyway.

At the end of the day, you really can’t do much if an advanced hacking group like Orangeworm decides to target you – all you can do is hope your security holds up, and that you’re able to mount an effective response that minimizes and mitigates the damage they’re able to cause.

Max Emelianov is CEO of HostForWeb, a web hosting company focused on providing the best support for its customers while delivering cutting-edge web hosting services.
