Frequently Asked Questions Ransomware: Attacks on the US Healthcare Sector
On October 28, the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Department of Health and Human Services (HHS) issued a joint advisory regarding an imminent ransomware threat that involves Ryuk and targets US hospitals and healthcare providers. Ryuk, which has already left an impact on many organizations, has also become one of the most widespread ransomware families in a short period.
What is Ryuk ransomware?
Ryuk first appeared in August 2018, when it was first reported to have targeted several organizations across the globe. Since then, Ryuk has become a staple in the cybercrime scene. In fact, as one of the most ubiquitous ransomware families, it is responsible for a third of all ransomware attacks in 2020.
Ryuk employs a wide range of delivery methods. It is commonly known to be deployed by other malware families such as Trickbot or Emotet, as seen in an incident from early 2019 where malicious actors first used Trickbot to move laterally within their victim’s system before using it to deploy the ransomware. Ryuk has also been seen exploiting various vulnerabilities both as a propagation method and as part of its routine.
What makes Ryuk particularly dangerous is its ability to move laterally within the system. It uses both malicious tools and vulnerabilities like EternalBlue and Zerologon to propagate within a network. This means that instead of having to infect each endpoint individually, Ryuk merely has to get a foothold within the IT infrastructure to infect multiple machines.
Starting this year, Ryuk began using another dropper called BazarLoader (also known as BazarBackdoor). Like Trickbot, BazarLoader is primarily distributed via phishing emails that contain either malicious attachments or links to websites (typically free, online file-hosting services) that host the malware. These phishing emails use standard social engineering techniques; for example, they are usually disguised as business correspondence or other important messages. Once the payload is delivered, a command-and-control (C&C) server is used to deploy and install the backdoor. According to the advisory, the threat actor behind TrickBot is also connected to BazarLoader.
One of the characteristics that distinguishes Ryuk from previous ransomware families is the size of the ransom demanded by the malicious actors behind it. As of the first quarter of 2020, the ransom payment for a Ryuk attack averaged US$1.3 million.
From May to September of 2020, there was little Ryuk activity (if any). Nevertheless, a few notable incidents did occur earlier this year, such as the infection of a US government contractor in February. More recently, Ryuk has been observed being deployed in conjunction with the Zerologon vulnerability to encrypt whole domains in a span of a few hours.
What is happening in the new attacks targeting the healthcare industry?
While the joint advisory from the US government mentions that the healthcare sector is under increased threat from ransomware attacks, it does not have an in-depth discussion of what these attacks actually entail. However, Ryuk droppers such as TrickBot and BazarLoader, along with another ransomware family known as Conti, are mentioned in the report.
Although there are currently no mentions of any mass infections in the healthcare sector, a few organizations have reported being recently hit by ransomware attacks. On October 27, three hospitals in St. Lawrence County in New York were hit by a series of ransomware attacks described as a new variant of Ryuk. Another hospital, the Sky Lakes Medical Center, also reported being victimized by a Ryuk attack that hit their computer systems and rendered them inaccessible. Lastly, the California-based Sonoma Valley Hospital experienced a security incident, although it is still unconfirmed whether the incident involves ransomware.
What is the potential impact of these attacks?
At a time when hospitals are already under tremendous strain from the Covid-19 pandemic, a ransomware attack could lead to healthcare organizations failing to provide proper services to their patients. In fact, it is likely that the malicious actors behind these attacks are targeting the healthcare industry precisely because of the current circumstances, as the need to regain access to its system as soon as possible might make an organization more likely to pay the ransom.
Therefore, it is particularly important for hospitals and other healthcare organizations to improve the security of their systems to ensure that they are protected from ransomware and other threats.
What can be done about the ransomware attacks?
We have published a security alert with detailed mitigation steps on this page. To protect themselves, organizations are encouraged to take the following steps:
- Patch domain controllers to protect them from being exploited by the Zerologon bug, which is used to gain domain-level access.
- Consider either completely disabling administrative shares or blocking access via firewall solutions. It’s important to note here that Ryuk has been found attempting to encrypt files using Windows administrative shares.
- Disable PowerShell with Group Policy, as this would add another layer of protection given the widespread use of PowerShell in malware attacks on the network.
- Regularly back up all data (preferably by following the 3-2-1 rule) to ensure that it can still be accessed even in the event of successful ransomware encryption. The 3-2-1 rule involves keeping multiple copies of sensitive data and servers in separate and physically secure locations.
- Consider making files read-only to most users unless they need read/write permission. Furthermore, files older than a certain period (ideally three to six months) should be switched to read-only.
- For Trend Micro customers, ensure that all Trend Micro endpoint and server protection products have critical features such as Ransomware Protection, Predictive Machine Learning, and Behavior Monitoring enabled and configured.
- For Trend Micro Cloud One™ Workload Security and Trend Micro™ Deep Security™ customers, enable Agent Self-Protection.
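The host-side steps in the list above (Zerologon enforcement on domain controllers, administrative shares or inbound SMB, PowerShell controls, and read-only ageing of files) can be audited from the machine itself. The following PowerShell script is an added example and not code from Trend Micro or from the joint advisory. It assumes an elevated session on Windows 10 / Windows Server 2016 or later (for the SmbShare and NetSecurity modules); the registry values it reads are Microsoft-documented settings for Netlogon enforcement mode (FullSecureChannelProtection), automatic administrative shares (AutoShareServer/AutoShareWks) and script block logging (EnableScriptBlockLogging); the function names and the sample path D:\Shares\Finance are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Trend Micro advisory): audit a Windows host against the
# Ryuk mitigations listed above and optionally apply the read-only step to stale files.
# Registry paths are Microsoft-documented settings; function names are this example's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ZerologonEnforcement {
    # On a patched domain controller, FullSecureChannelProtection = 1 turns on Microsoft's
    # enforcement mode for secure Netlogon RPC. Meaningful on DCs only.
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'FullSecureChannelProtection'
    [pscustomobject]@{ Check = 'Zerologon enforcement mode (DCs only)'; Pass = ($v -eq 1)
                       Detail = "FullSecureChannelProtection=$v" }
}

function Test-AdminShares {
    # Hidden administrative shares (C$, ADMIN$) are recreated at boot unless
    # AutoShareServer (servers) / AutoShareWks (workstations) is set to 0.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $srv = Get-RegValue $p 'AutoShareServer'
    $wks = Get-RegValue $p 'AutoShareWks'
    $shares = @(Get-SmbShare | Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' })
    [pscustomobject]@{ Check = 'Administrative shares disabled'; Pass = ($shares.Count -eq 0)
                       Detail = "AutoShareServer=$srv AutoShareWks=$wks live=$($shares.Name -join ',')" }
}

function Test-SmbInboundBlocked {
    # The advisory's alternative to removing shares: block inbound SMB (TCP 445) on the host firewall.
    $block = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $f = $_ | Get-NetFirewallPortFilter; $f.Protocol -eq 'TCP' -and $f.LocalPort -contains '445' })
    [pscustomobject]@{ Check = 'Inbound TCP 445 blocked by firewall'; Pass = ($block.Count -gt 0)
                       Detail = (($block | ForEach-Object DisplayName) -join ',') }
}

function Test-PowerShellControls {
    # Disabling PowerShell by Group Policy is normally done with AppLocker/WDAC rules, which a
    # session cannot fully introspect; what it can see is its own language mode and whether
    # script block logging (the detection baseline for PowerShell abuse) is switched on.
    $log = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    $mode = $ExecutionContext.SessionState.LanguageMode
    [pscustomobject]@{ Check = 'PowerShell script block logging'; Pass = ($log -eq 1)
                       Detail = "EnableScriptBlockLogging=$log LanguageMode=$mode" }
}

function Set-StaleFilesReadOnly {
    # Read-only ageing step: files not written for $MonthsOld months become read-only.
    # Supports -WhatIf so the change can be previewed before it touches a share.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path, [int]$MonthsOld = 6)
    $cutoff = (Get-Date).AddMonths(-$MonthsOld)
    $changed = 0
    $stale = Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $cutoff -and -not $_.IsReadOnly }
    foreach ($f in $stale) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Set read-only')) { $f.IsReadOnly = $true; $changed++ }
    }
    return $changed   # number of files whose attribute was changed
}

function Invoke-RyukMitigationAudit {
    # Backups (3-2-1) and vendor product settings cannot be verified from the host alone,
    # so only the four host-observable controls are reported.
    @(Test-ZerologonEnforcement; Test-AdminShares; Test-SmbInboundBlocked; Test-PowerShellControls) |
        Format-Table Check, Pass, Detail -AutoSize
}

Invoke-RyukMitigationAudit
# Preview, then apply, the read-only step on a share (sample path is hypothetical):
# Set-StaleFilesReadOnly -Path 'D:\Shares\Finance' -MonthsOld 6 -WhatIf
# Set-StaleFilesReadOnly -Path 'D:\Shares\Finance' -MonthsOld 6
```

Run the audit before PowerShell is restricted on the fleet (or from the administrative workstation that keeps it), and treat a "Pass" of False on the administrative-shares check as acceptable when the firewall check passes instead, since the list above offers the two as alternatives. The read-only step is deliberately conservative: it skips files already marked read-only, counts only files it actually changed, and does nothing under -WhatIf beyond listing what it would touch.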