U.S. federal authorities are warning healthcare systems of a spike in ransomware attacks against hospitals and healthcare systems
The joint warning from the U.S. Cybersecurity and Infrastructure Agency, FBI and Department of Health and Human Services says malicious cyber actors are targeting the healthcare sector with Trickbot malware, leading to ransomware attacks, data theft and the disruption of critical healthcare services.
“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” the agencies said in the advisory. “CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
With the ongoing COVID-19 pandemic, protecting against these attacks is especially important so healthcare providers and other frontline healthcare workers can continue to fight the disease.
In particular, the agencies say the cybercriminal enterprise behind the Trickbot malware has developed new tools that optimize malicious cyber activities and include deploying ransomware like Ryuk, which first appeared in 2018.
Here’s how cybercriminals are deploying the ransomware, according to the agencies:
Typically Ryuk has been deployed as a payload from banking Trojans such as Trickbot. (See the United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally, on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the files have .ryk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.
While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.
Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management , and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.
Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.
In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The RyukReadMe file placed on the system after encryption provides either one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes contact.
The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.
The agencies are advising organizations to observe cybersecurity best practices, like regular updating and patching software, regularly changing passwords, multi-factor authentication, regularly backup data, implement a data recovery plan, disable unused remote access ports and regular monitoring of the network to look for indications of compromise.
For healthcare-specific mitigations, the agencies recommend joining a healthcare information sharing organization and engage the agencies through the HHS Health Sector Cybersecurity Coordination Center.
For more details on how to prevent these attacks and indications of a compromise, read the advisory here.