Advisory Overview
The SKOUT Security Operation Center is closely following the increase in ransomware activity targeting the healthcare sector. Threat actors are infecting the networks of critical healthcare providers and facilities with the Ryuk ransomware variant. A successful attack could disable critical healthcare infrastructure and expose sensitive data, including patient health records. SKOUT has observed this ransomware traditionally being delivered through emails with malicious attachments (i.e. macro-enabled documents) and/or through vulnerable external assets. As such, users should be extra cautious when viewing links, attachments, or emails from unknown or unexpected senders. Additionally, it is important to ensure vulnerabilities are patched and security updates are applied to help prevent attacks that use known exploits.
Technical detail and additional information
What is the threat?
There has been a major uptick in Ryuk ransomware activity against the healthcare and public health sector. Ryuk first emerged in 2018 and has been widely attributed to North Korean threat actors. Typically, Ryuk has been deployed alongside banking trojans such as Trickbot. Many threat actors utilize off-the-shelf products such as Cobalt Strike, PowerShell Empire, Mimikatz, and BloodHound, all hacking tools used to complete the enumeration/escalation phase, allowing threat actors to move across a target's environment and maintain persistence. Once the ransomware has successfully spread laterally throughout the network, Ryuk encrypts files, deletes all backups/shadow copies, and places a RyukReadMe file demanding that the victim pay a specific amount to a bitcoin wallet to obtain a decryptor.
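The post-intrusion behaviour described above (backup/shadow-copy destruction followed by the RyukReadMe note) is visible in endpoint telemetry. The following is an added example, not SKOUT's own detection content: it runs two simple rules over constructed process-creation and file-creation log lines and rates a host that shows both indicators as critical. The key=value log format, the shadow-copy deletion command patterns, and the hostnames are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample events (not taken from the advisory): simplified
# process-creation and file-creation records in key=value form.
SAMPLE_LOGS = [
    'ts=2020-10-28T03:11:02 host=WS-042 event=process_create user=jdoe '
    'cmdline="vssadmin delete shadows /all /quiet"',
    'ts=2020-10-28T03:11:05 host=WS-042 event=process_create user=jdoe '
    'cmdline="wmic shadowcopy delete"',
    'ts=2020-10-28T03:12:40 host=WS-042 event=file_create user=jdoe '
    'path=C:\\Users\\jdoe\\Documents\\RyukReadMe.html',
    'ts=2020-10-28T03:15:00 host=WS-017 event=process_create user=backupsvc '
    'cmdline="vssadmin list shadows"',
    'ts=2020-10-28T03:16:10 host=WS-017 event=file_create user=backupsvc '
    'path=C:\\Users\\backupsvc\\readme.txt',
]

# Assumed detection patterns: shadow-copy deletion commands commonly seen in
# Ryuk intrusions, and the RyukReadMe ransom-note filename named in the advisory.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
RANSOM_NOTE = re.compile(r"(?:^|[\\/])RyukReadMe\.\w+$", re.I)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def match_rules(event):
    """Return the names of the rules an event triggers (empty list if none)."""
    hits = []
    if event.get("event") == "process_create" and SHADOW_DELETE.search(event.get("cmdline", "")):
        hits.append("shadow_copy_deletion")
    if event.get("event") == "file_create" and RANSOM_NOTE.search(event.get("path", "")):
        hits.append("ryuk_ransom_note")
    return hits

def detect(lines):
    """Map host -> (sorted rule hits, verdict); both indicators on one host is 'critical'."""
    hits_by_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            hits_by_host[ev.get("host", "?")].add(rule)
    return {h: (sorted(r), "critical" if len(r) == 2 else "suspicious")
            for h, r in hits_by_host.items()}

if __name__ == "__main__":
    for host, (rules, verdict) in detect(SAMPLE_LOGS).items():
        print(f"{host}: {verdict} ({', '.join(rules)})")
```

A benign backup job that only lists shadow copies (WS-017 above) produces no hit, which is the point of matching the delete verb rather than the vssadmin binary alone.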
Why is this noteworthy?
Ransomware and other cyber-attacks have seen a sharp rise this year, and healthcare facilities have been particularly targeted since the start of the global pandemic. Successful intrusion and deployment of ransomware against a healthcare provider can have a major impact on both the IT infrastructure and the patients receiving care. Not only will sensitive information be stolen and a large amount of funds be lost to paying the ransom, but patients may experience prolonged wait times or be forced to switch healthcare providers if they are in a life-threatening condition, as ransomware generally takes down critical systems. It is important that advanced endpoint protection is in place, proper security awareness training is given to employees, MFA is enabled, and backups are readily available.
What is the exposure or risk?
There are two major risks associated with ransomware activity targeting the healthcare sector. In most cases ransomware is deployed mainly for financial motives; however, as Ryuk is specifically targeting healthcare organizations that hold sensitive patient information, there is a major risk in the contents of the stolen information. Potential theft of patient data could have major legal repercussions and cause incalculable financial damage. Additionally, if sensitive/critical devices in the healthcare sector are compromised, this will surely slow down efforts to fight the COVID pandemic. Phishing emails are the main technique an attacker will use to gain a point of entry into an organization's environment, usually by getting a user to open a downloaded, infected macro-enabled document that then infects the system.
What are the recommendations?
It is highly recommended that your organization maintain a healthy security posture by following the best practices below:
- Use EDR applications, such as SKOUT Endpoint Detection, to ensure malware is quarantined before execution.
- Have a data backup and recovery plan in place for any mission-critical information and have the most critical information stored isolated from the network. Regularly test these backups to ensure they function correctly and gauge their performance in the event of a real crisis.
- Ensure your systems are updated with the latest security patches.
- Educate employees on the common vectors for phishing, which is the most common source of ransomware.
- Audit user permissions and practice the principle of least privilege, ensuring only necessary access for each user.
- Have a strong password policy in place and implement multi-factor authentication (MFA) where possible.
At SKOUT we are actively updating our threat intelligence with Indicators of Compromise (IOCs) for the ransomware variant Ryuk based on threat intelligence reports from public sector, private sector, and community-based threat intelligence researchers. For our partners, our SOC has developed custom detection mechanisms within our security monitoring platform to identify indicators of compromise for this specific threat.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://us-cert.cisa.gov/ncas/alerts/aa20-302a
- https://www.cisa.gov/publication/ransomware-guide
If you have any questions, please contact our Security Operations Center.