FBI, HHS, CISA Warn: Ryuk Ransomware Attacks on Healthcare

On Wednesday, October 28th, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued an alert (AA20-302A). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain. CISA, FBI, and HHS have shared this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. They also recommend not paying any ransom as it does not ensure data is decrypted or that systems or data will no longer be compromised.

COVID Criminals are Active

This alert comes on the heels of Microsoft’s recent disruption of the Trickbot botnet - a network of servers and infected devices run by organizations responsible for a wide range of nefarious activity including the distribution of ransomware, which can lock up computer systems. Other high profile incidents, such as this recent attack on a hospital based in Germany that resulted in loss of life, are believed to be by the same group carrying out the techniques highlighted in the alert. Successes such as these no doubt lead bad actors to continue to focus their efforts with the hope of repeat successes. With healthcare resources already strained due to the current pandemic situation, bad actors that are ever-focused on growing their gains through ransom-based attacks, strike at points and times of weakness and with zero care for the impact to human lives or livelihoods.

Key Findings in Advisory

  • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
  • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

Attacks associated with Trickbot and Ryuk typically start with a malicious email and lead to the installation of Emotet and/or Trickbot. Trickbot enables the attack to move laterally through the environment, shuts down protection measures (e.g. AV), finds and steals sensitive information, and more, including the dissemination of ransomware such as Ryuk. Ryuk uses the "plumbing" established by Trickbot to encrypt and invoke the ransom process with as much of an impact as possible.

Trickbot was initially known as a banking malware when first observed.  However, Trickbot also ‘features’ a modular trojan, with modules being regularly developed to enhance its capabilities and effectiveness. As a result, corresponding attacks continue to evolve. All Trickbot infected devices are added to the Trickbot botnet, further growing its overall strength. Unfortunately, this latest wave of attacks seems to show that the bad actors have been able to, at least temporarily, recover their capabilities post-disruption. 

How Our Technology Helps Our Customers Detect Ryuk Activity?

We track and identify exploits in real-time by analyzing specific communications patterns and signatures from vulnerabilities such as Zerologon which was identified as used to escalate privileges in a Ryuk attack. In this specific attack, the bad actors were able to go from a phishing email to domain-wide ransomware in just 5 hours. This exemplifies the severity of exploitation of the CVE-2020-1472 vulnerability which appears to be the common denominator amongst these escalating ransomware attacks. Armis proactively detects attributes of this exploitation using our Threat Engine capabilities. Armis can detect command and control channels, and use threat intelligence feeds such as databases of known malicious domains like those associated with Ryuk to determine anomalous behavior. Armis was specifically designed to detect such things, as all such malware connects through command and control systems. Additionally, our Device Knowledgebase and understanding of threats means that attacks detected in real time in any environment around the world, are reflected as risks and more advanced & accurate threat models for everyone. This means that we become smarter with every exploit and use of malware out there, for the benefit of all of our customers. Lastly, Armis can detect antivirus that is shut down or not operating, which is a telltale sign for this malware and many others.

There are multiple phases of such attacks, they play out quickly across multiple types of devices - managed, unmanaged, medical, OT, and IoT - to achieve their outcomes. Armis' real-time ability to identify and prioritize risks, detect anomalous and malicious activity, and enable the ability to automatically respond (and contain) such attacks across all phases (and all forms of devices) beyond the initial malicious email is where we help customers manage such risks both proactively and reactively. With Armis, you can query on numerous variables, including specific vulnerabilities or CVEs.

Searching for CVE-2020-1472
Searching for CVE-2020-1472
With CVEs, you can identify more details around the vulnerability from within the console.

CVE Detail Screen
CVE Detail Screen
Armis does provide the ability to identify all vulnerabilities associated with a specific vulnerability, as we see below.

Vulnerable Devices
Vulnerable Devices

What Should Healthcare Organizations Do Immediately? 

As healthcare operations consider the current risk and downstream risk reduction efforts, security teams need to determine the following:

  • Quickly gain an understanding of what is in your environment, particularly devices that are Domain Controllers, and ascertain which are vulnerable to CVE-2020-1472.
  • Identify anomalous behaviors such as unusual communication volumes, communication during unexpected hours, or connections to unexpected hosts.
  • Leverage threat intelligence to monitor for communication to known-malicious domains.
  • Mitigate the threat by using least-privilege policies and blocking or segmenting devices where possible.
  • Patch as quickly as change control processes will permit.

Consider also the fact that in addition to traditional devices such as laptops and servers, many medical devices also run versions of Linux or Windows that may contain other exploitable vulnerabilities such as URGENT/11. Attacks often begin by targeting users and their devices, so efforts should begin with ensuring that all devices being used by staff and contractors on healthcare networks are protected by modern, up-to-date, endpoint protection capabilities. Equally important are efforts that must include the ability to continuously assess and monitor for risks and signs of attacks moving laterally. These attacks may impact not only traditional IT endpoints, but possibly medical devices as well. For a full list of recommendations, please see the full advisory.

If you’d like a Ryuk Vulnerability assessment, please feel free to contact us here.

Have our blog posts sent to your inbox.