Defending Against SaaS Ransomware: Insights from the UnitedHealth Breach and Strategies for Enhanced Security

High-profile ransomware attacks are all too familiar in the news. No one is immune. Today’s ransomware gangs are targeting organizations across all industries. Healthcare organizations are especially targets of attackers due to the sensitive and valuable data these hold. 

Earlier this year, a massive breach of Change Healthcare led to significant disruption in healthcare claims and financial repercussions. Let’s see what happened and what protective measures could have been used to prevent the attack.

What is the UHC Change Healthcare Breach?

In February 2024, a cyberattack was launched on Change Healthcare, a UnitedHealth Group subsidiary. It left the company reeling and led to significant financial fallout. The well-known ransomware group BlackCat (aka Alphv) carried out the attack. Over six terabytes of sensitive data were leaked before holding the systems hostage with ransomware. 

The stolen data included millions of individuals’ personal, financial, and health information. The span and scope of the attack included a vast segment of the American population. 

Financial impact

UnitedHealth Group has paid more than $3.3 billion to providers affected by the cyber attack. This amount includes expenses related to:

• Investigating the breach
• Reinforcing security measures
• Compensating affected parties 

This number will likely grow with legal costs due to mounting lawsuits and regulatory scrutiny.

How did the UnitedHealth breach happen?

Hackers infiltrated Change Healthcare’s IT systems on February 12, 2024, and remained undetected for over a week. The attack began with compromised credentials allowing initial access. How did they gain access to the credentials? They could have likely used a phishing attack or some other means to gain access to a compromised account.

Attackers then used the compromised credentials to log into an application, allowing remote network access. It was an easy target since multi-factor authentication was not enabled.

Once they had a foothold in the environment, attackers moved laterally through the network. This reconnaissance stage allows attackers to get a “lay of the land” and understand the most critical systems and data. Following the ransomware attack on February 21, six terabytes of sensitive data were stolen, including personal, financial, and health information. 

The breach caused significant disruptions across provider networks and highlighted organizations’ need for adequate security measures. These include enabling multi-factor authentication and regular monitoring of network activities​​.

Potential Preventative Measures

While the breach had devastating effects, several strategies could have potentially mitigated or even prevented the attack:

• Enhanced security protocols, including MFA
• Regular risk assessments
• Employee training and awareness
• Data encryption and segmentation
• Incident response planning

Enhanced Security Protocols

Organizations today must adopt enhanced security protocols to prevent attacks such as the one of Change Healthcare. It includes implementing a zero-trust architecture. Zero-trust is an access methodology where no user or device is inherently trusted. Requests are verified regardless of where they originate. By doing this, it reduces the risk of unauthorized access.

Multi-factor authentication (MFA) is an extra security layer for authentication systems. With MFA, multiple verification “factors” are required before access is granted. Usually, it combines something you know (a password) with something you have (a one-time password device like a smartphone). 

It makes it much more difficult for attackers to gain access even with compromised user credentials​. As shown in the Change Healthcare breach, multi-factor authentication could have helped protect the vulnerable app that attackers used for the breach.

Regular risk assessments

Risk assessments across the board are a vital part of any sound cyber security strategy. However, organizations need to leverage automated risk assessments with the sheer “width and breadth” of hybrid landscapes today, including SaaS apps and services.

When security audits are carried out regularly, they help find and mitigate vulnerabilities. These help organizations detect potential weaknesses in their cybersecurity defenses and any known or discovered vulnerabilities in applications or networks. It helps to identify and prioritize patches needed in affected systems before attackers can exploit these.

Running regular and automated risk assessments in SaaS environments helps businesses identify insecure SaaS applications and prevent these from compromising the environment. Preventing these dangerous SaaS integrations helps strengthen cybersecurity defenses.

Employee Training and Awareness

Phishing may have been the means that attackers used to get their hands on compromised credentials to allow access to the remote access systems in the Change Healthcare network. Cybersecurity training helps end-users recognize phishing attacks and report these properly to SecOps or IT operations teams who can investigate and take further action.

This investment in employee training and awareness is crucial in defending against cyberattacks. Phishing simulations can also help educate employees to recognize and properly respond to phishing attempts. It helps reduce the likelihood of successful social engineering attacks. 

Data Encryption and Segmentation

Data encryption is an important security technology. Organizations should encrypt data that is moving across the network (in flight) and stored on disk (at rest). Encrypted data that is stolen should be unreadable to an attacker. Backups also need to be part of the data encryption strategies for organizations. Backups contain production data.

Additionally, network segmentation divides the network into isolated segments. It helps limit the lateral movement of the spread of malware and restricts attackers’ access to critical systems and data. This approach can help minimize a breach’s potential damage as damage can be contained to a specific network segment​​.

Incident Response Planning

Incident response plans are a key part of the overall strategy and cyber security action plan. What is it exactly? It is a written series of steps usually approved by senior leadership that provides documentation on proceeding before, during, and after a security incident.

Incident response drills or “tabletop exercises” can help organizations become familiar with their action plan and discover weaknesses or hurdles they may need to overcome.

Automated incident response is essential. Today’s breach attempts often move quickly and are hard to detect. Artificial intelligence with machine learning helps organizations detect and respond much more rapidly than with manual human intervention. Leveraging AI and ML helps level the playing field against modern complex cyber attacks that move quickly.

SpinOne SaaS Ransomware Prevention and Data Protection

SpinOne makes use of artificial intelligence and machine learning. It detects and remediates threats like ransomware and data leaks in SaaS environments, including Google Workspace and Microsoft 365.

Key Features and Capabilities of SpinOne

• Real-Time Ransomware Detection and Mitigation: SpinOneI uses machine learning to monitor user activities and data flows within SaaS applications. These ML capabilities allow it to detect ransomware threats in real-time. It isolates and prevents the spread of malware across the organization.
• Data Loss Prevention (DLP): The platform enforces strict access controls and data encryption policies, which protect sensitive information from unauthorized access and exfiltration. Spin.AI monitors the SaaS environments and protects data both at rest and in transit.
• Automated Incident Response: SpinOne’s automated incident response can quarantine compromised accounts, revoke access permissions to ransomware processes, proactively restore affected data, and notify administrators immediately. 
• Data protection – SpinOne provides versioned incremental backups of SaaS data that is stored outside the production environment. Data is encrypted in-flight and at rest. Admins can restore or download data quickly during a security incident.
• Compliance and Data Privacy: The platform supports compliance with regulatory standards such as GDPR, HIPAA, and CCPA. This compliance support ensures organizations meet their legal obligations while securing their SaaS environments.

How Spin.AI Can Help Prevent Breaches Like the UnitedHealth Incident

Spin.AI has modern features that provide organizations with the tools for real-time cybersecurity protection. It uses artificial intelligence and machine learning to level the playing field with modern cyber attacks. These include automated incident response to contain ransomware attacks in SaaS environments automatically. 

It also helps quickly identify the characteristics of unusual data exfiltration that would be difficult to detect in SaaS environments without machine learning. With these features and capabilities it helps protect sensitive data and minimizes the financial and reputational damage caused by breaches.Learn more about SpinOne SaaS ransomware protection here.