Healthcare and Public Health Sector: Ransomware Advisory

Posted by Joe Vigorito on Nov 2, 2020 10:00:00 AM

The Healthcare sector (often known as Healthcare and Public Health, or HPH) is currently under an all-out cyber-attack, again focused on hospitals and carried out by ransomware gangs of cybercriminals.

Actors using the Ryuk variant of ransomware are targeting hospitals and other healthcare providers. Several hospitals have reported outages and ransomware attacks in recent days, though it is unclear whether all of the incidents are Ryuk-related. For example, Sky Lakes Medical Center in Klamath Falls, Oregon, said in a statement that it was hit by a ransomware attack on Wednesday.

On October 28, 2020, the FBI, HHS, and CISA jointly reported on an imminent threat to healthcare organizations (the Healthcare and Public Health Sector) from the Ryuk variant of ransomware and the other malware most recently seen accompanying it. In a joint release, these agencies warned that they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The joint alert went on to say that malicious groups are targeting the sector with attacks that produce “data theft and disruption of healthcare services.”

These cyber-attacks all involve ransomware, a form of malicious software (malware) designed to deny access to a computer system or its data until a ransom is paid and a decryption key (commonly called a decryptor) is given to the victim. When the encryption is implemented correctly it cannot be broken without that key, so recovery depends on backups, not on cryptanalysis. Ransomware spreads in multiple ways, but most typically through phishing emails or by unknowingly visiting a compromised website. Ransomware can be catastrophic for healthcare and other organizations, for example by cutting off access to the critical information and systems needed for patient care.

This offensive, thought to be the work of a Russian-speaking criminal gang, coincides with the U.S. presidential election and a recent spike in COVID-19 cases, but the immediate indication is that the attackers are motivated solely by profit. “We are experiencing the most significant cyber security threat we’ve ever seen in the United States,” said Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, in a statement.

The cybercriminals launching the attacks use a strain of ransomware known as Ryuk, which is seeded through a botnet of compromised computers called Trickbot that Microsoft began trying to dismantle earlier in October. U.S. Cyber Command has also reportedly taken action against Trickbot. While Microsoft has had considerable success knocking its command-and-control servers offline through legal action, the cybercriminals have been standing up additional infrastructure to deliver Ryuk over the past 30 days.

Indications are that the criminal group behind Ryuk has been demanding ransoms well above $10 million per target, and that criminals on the dark web were discussing plans to infect more than 400 hospitals, clinics, and other medical facilities.

Mitigations, Guidance, and Advice

ConvergeOne never advocates paying the ransom to cybercriminals.

Here is some sound guidance to follow:

Verify you have sound backups of your data, with at least one copy offline, air-gapped, and tested for recoverability. You will not have time to test every single system, so focus on “crown-jewel” assets: those carrying patient data, and those carrying key operational data such as blood supplies, refrigeration unit contents, medication dosages, medical-grade oxygen supply levels, and so on.

Understand what processes you can do with pen and paper, if needed. Place large writing tablets or whiteboards in your largest open-but-still-private room or area. You may need them later to give instructions to staff.

Understand that if you are victimized and have recoverable backups of your data, you will still need to rebuild affected systems from scratch rather than simply restoring files over them. This malware is blended, meaning it has many components. Defending against, or cleaning up, the ransomware component does not mean the other components have been dealt with.

We often see Remote Access Trojans (RATs) bundled with ransomware, and they are hard to locate and eradicate. A RAT is malware that provides a back door for administrative control over the target system. RATs are usually downloaded silently alongside other malware such as ransomware. Once a host is compromised, the intruder may use it to distribute RATs to other vulnerable computers and build a botnet, or keep it as a future entry point even after the ransomware portion of the payload has been thwarted.

Immediately ensure you have an accurate asset inventory of all systems, user workstations and servers alike, and add them to your monitoring systems if they are not already there. Attackers use reconnaissance and data collection to find and attack the devices they believe you are not monitoring. You also need an application dependency map: having a set of backups does not mean they can be restored in any order. Generally, infrastructure services such as Active Directory and DNS must be restored first, before web, application, and database servers are brought online.
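The restore-order point above is mechanical enough to script. The following is an added example, not ConvergeOne tooling: it takes a dependency map (the hypothetical system names and dependencies below are constructed for illustration) and computes restore "waves" with a topological sort, so that Active Directory and DNS come first and everything that depends on them follows. It also refuses to produce a plan if the map contains a cycle, which is something to discover during planning rather than during an outage.

```python
"""Dependency-ordered restore planning (added example; not ConvergeOne's tooling)."""

# Constructed application dependency map: system -> systems that must be up first.
# Every name here is hypothetical; replace with your own inventory and dependency map.
DEPENDENCIES = {
    "dc01 (Active Directory)": [],
    "dns01": ["dc01 (Active Directory)"],
    "sql01 (EHR database)": ["dc01 (Active Directory)", "dns01"],
    "app01 (EHR application)": ["sql01 (EHR database)", "dns01"],
    "web01 (patient portal)": ["app01 (EHR application)"],
    "pacs01 (imaging)": ["dc01 (Active Directory)", "dns01"],
}


def restore_order(deps):
    """Return the restore plan as a list of waves (Kahn's topological sort).

    Systems in one wave depend only on earlier waves and can be restored in
    parallel. A cycle in the map raises ValueError: find and fix it now, during
    planning, not on the day you are rebuilding.
    """
    nodes = set(deps)
    for needed in deps.values():
        nodes.update(needed)          # referenced but unlisted systems count too
    indegree = {n: 0 for n in nodes}
    dependents = {n: [] for n in nodes}
    for system in nodes:
        for prerequisite in deps.get(system, []):
            indegree[system] += 1
            dependents[prerequisite].append(system)

    waves = []
    wave = sorted(n for n in nodes if indegree[n] == 0)
    restored = 0
    while wave:
        waves.append(wave)
        restored += len(wave)
        nxt = []
        for system in wave:
            for dependent in dependents[system]:
                indegree[dependent] -= 1
                if indegree[dependent] == 0:
                    nxt.append(dependent)
        wave = sorted(nxt)

    if restored != len(nodes):
        stuck = sorted(n for n in nodes if indegree[n] > 0)
        raise ValueError(f"dependency cycle involving: {stuck}")
    return waves


def flat_order(deps):
    """Single-threaded restore sequence: the waves flattened in order."""
    return [system for wave in restore_order(deps) for system in wave]


if __name__ == "__main__":
    for i, wave in enumerate(restore_order(DEPENDENCIES), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

Run it against your real dependency map before an incident; a plan that raises the cycle error has a map that needs correcting, and a plan whose first wave is not your directory and name services has a map that is missing dependencies.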

Check logs and data loss prevention (DLP) systems for unusual activity and indicators of compromise (IOCs).

Those IOCs are published with the joint alert as AA20-302A.stix; the alert itself lists additional IOCs for this activity.
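Checking logs against an IOC list is simple to automate, and the mistakes are usually in normalization: a DNS log writes `bad.example.` with a trailing dot, a proxy log writes `http://bad.example/path`, and attackers rotate subdomains under the same registered domain. The following is an added example (not ConvergeOne tooling), sweeping constructed DNS, proxy, and EDR log lines against a constructed indicator set. The domains, IPs, and hash below are placeholders, not the AA20-302A indicators; in practice you would load those from the STIX bundle.

```python
"""Sweep DNS and proxy logs for IOC matches (added example; not ConvergeOne's tooling)."""
import re

# Constructed indicator set for illustration only. These are NOT the AA20-302A
# indicators; in practice, load the domains/IPs/hashes from the CISA STIX bundle.
IOCS = {
    "domains": {"bad-update.example", "cdn.evil-loader.example"},
    "ips": {"203.0.113.17", "198.51.100.44"},
    "sha256": {"aa" * 32},
}

# Constructed log lines in a syslog-like layout: DNS queries, proxy requests, an EDR file event.
SAMPLE_LOGS = [
    "2020-10-29T03:12:41Z dns01 client 10.20.4.15 query: bad-update.example. IN A",
    "2020-10-29T03:12:42Z dns01 client 10.20.4.15 query: WWW.INTRANET.EXAMPLE. IN A",
    "2020-10-29T03:13:09Z proxy01 10.20.4.15 GET http://203.0.113.17/inv.php 200 5123",
    "2020-10-29T03:13:10Z proxy01 10.20.4.99 GET https://cdn.evil-loader.example/x 200 90211",
    "2020-10-29T03:14:00Z proxy01 10.20.4.99 GET https://vendor.example/update 200 1024",
    "2020-10-29T03:15:07Z edr01 host ws-044 wrote C:\\Users\\x\\AppData\\inv.exe sha256=" + "aa" * 32,
]

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def normalize_host(token):
    """Strip a URL scheme and path, lowercase, and drop a trailing dot."""
    token = re.sub(r"^[a-z][a-z0-9+.-]*://", "", token, flags=re.I)
    token = token.split("/", 1)[0].rstrip(".,;")
    return token.lower().rstrip(".")


def domain_matches(name, ioc_domains):
    """True if name is an IOC domain or a subdomain of one (attackers rotate hostnames)."""
    parts = normalize_host(name).split(".")
    return any(".".join(parts[i:]) in ioc_domains for i in range(len(parts) - 1))


def sweep(lines, iocs):
    """Return (line_number, indicator, line) for every line that touches an IOC."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        seen = set()
        for token in line.split():
            host = normalize_host(token)
            if host in iocs["ips"] or domain_matches(host, iocs["domains"]):
                seen.add(host)
        for digest in HASH_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                seen.add(digest.lower())
        hits.extend((lineno, indicator, line) for indicator in sorted(seen))
    return hits


if __name__ == "__main__":
    for lineno, indicator, line in sweep(SAMPLE_LOGS, IOCS):
        print(f"line {lineno}: {indicator}  <- {line}")
```

Point the sweep at your DNS resolver, proxy, and EDR exports with the real indicator list, and treat any hit from a host that is not already in your incident scope as a reason to widen that scope.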

Technical Advice

  • Use DNS security and internet gateway filtering, or contact us for help getting it set up immediately. This malware relies heavily on reaching its command-and-control and loader infrastructure (botnets such as Trickbot) on the internet to fetch additional components and instructions. Protective DNS and gateway filtering can block resolution of, and connections to, known-malicious domains and addresses, which can leave an implant unable to stage the rest of the attack.

  • Ensure as many staff members as possible are using multi-factor authentication (MFA). We have recently seen credential (password) dumping as part of these attacks, so you need a second authentication factor for system resources that is independent of the password. Again, ConvergeOne can assist you in acquiring, setting up, and using such tools.

  • Patch operating systems, software, and firmware as soon as manufacturers release updates, and confirm all systems are current. Advise remote users working from devices not owned by the HPH organization to turn on automatic updates and keep their software patched as well.

  • Remove local administrator privileges wherever they exist, and keep the number of domain, enterprise, and desktop administrators as small as you can. Those who retain such privileges should use MFA and change their admin passwords immediately to strong, random passphrases.

  • Staff should also change their passwords to long, random passphrases (at least 12 characters; longer is better, and random generation matters as much as length).

  • Disable unused remote access and Remote Desktop Protocol (RDP) ports, monitor remote access and RDP logs, and follow system hardening guidance.

  • Implement application allow listing and remote access allow listing so that systems execute only programs, and accept only connections, that are known and permitted by your security policy.

  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.

  • Audit logs to ensure new accounts are legitimate.

  • Conduct immediate port and vulnerability scans, prioritize the results, and act on them quickly.

  • Get assistance with threat hunting: look for signs of exploitation and for attackers who have already implanted themselves, are learning your network, and are waiting for the right moment to strike specific assets.

  • Ensure you have layered email security with advanced malware protection to block or strip ransomware delivered through spam and phishing emails.

  • Ensure you have AI/ML/deep learning-based endpoint software covering both anti-virus and Endpoint Detection and Response (EDR). Enable every protection the endpoint product includes on all endpoints, including mobile devices: firewall, anti-malware, encryption, and DLP where available.

  • Use advanced cyber recovery tools: ones whose backup copy is offline, but that are online for recovery. They exist, so please ask.
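Several of the bullets above (monitor RDP logs, audit accounts with administrative privileges, audit logs for new accounts) come down to a handful of Windows Security event IDs. The following is an added example, not ConvergeOne tooling or a vendor detection rule: it triages a constructed set of events (flattened to the fields of interest) for RDP logons that did not come from an approved jump host, service accounts used interactively, new account creation, additions to privileged groups, and repeated logon failures. The jump-host address, the `svc_` naming convention, and every account and IP are assumptions of the example; the event IDs and logon types are the standard Windows ones.

```python
"""Triage Windows Security events for the signs the advisory calls out
(added example; not ConvergeOne's tooling or a vendor detection rule)."""
from collections import Counter

# Hypothetical environment facts: the only hosts allowed to originate RDP sessions.
JUMP_HOSTS = {"10.20.1.5"}
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
# Windows logon types: 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Constructed events, flattened to the fields of interest. In practice read them
# from the Security log or your SIEM (e.g. exported with Get-WinEvent).
EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.20.1.5"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.20.44.8"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "10.20.1.5"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.20.3.3"},
    {"EventID": 4720, "TargetUserName": "helpdesk2", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": "CN=helpdesk2,CN=Users,DC=hospital,DC=example"},
] + [
    {"EventID": 4625, "TargetUserName": "administrator", "IpAddress": "10.20.44.8"}
    for _ in range(5)
]


def is_service_account(name):
    """Naming convention assumed for this example: service accounts start with svc_."""
    return name.lower().startswith("svc_")


def triage(events, jump_hosts=JUMP_HOSTS, failure_threshold=5):
    """Return (EventID, account, reason) findings that deserve a human look."""
    findings = []
    failures = Counter()
    for ev in events:
        eid = ev["EventID"]
        account = ev.get("TargetUserName", "")
        src = ev.get("IpAddress", "-")
        if eid == 4624:                                   # successful logon
            logon_type = ev.get("LogonType")
            if logon_type == 10 and src not in jump_hosts:
                findings.append((eid, account,
                                 f"RDP logon from {src}, which is not an approved jump host"))
            if logon_type in INTERACTIVE_LOGON_TYPES and is_service_account(account):
                findings.append((eid, account,
                                 f"service account used interactively (logon type {logon_type}) from {src}"))
        elif eid == 4625:                                 # failed logon
            failures[(src, account)] += 1
            if failures[(src, account)] == failure_threshold:
                findings.append((eid, account,
                                 f"{failure_threshold} failed logons from {src}; possible brute force or password spraying"))
        elif eid == 4720:                                 # user account created
            findings.append((eid, account,
                             f"account created by {ev.get('SubjectUserName', '?')}; confirm it is legitimate"))
        elif eid in (4728, 4732, 4756):                   # member added to global/local/universal group
            group = account                               # for these events TargetUserName is the group
            if group.lower() in PRIVILEGED_GROUPS:
                findings.append((eid, ev.get("MemberName", "?"), f"added to privileged group {group}"))
    return findings


if __name__ == "__main__":
    for eid, account, reason in triage(EVENTS):
        print(f"{eid} {account}: {reason}")
```

Two of these rules only work if the environment has been prepared in advance: the RDP rule needs a defined list of jump hosts, and the service-account rule needs a naming convention, which is one more reason to build the asset inventory now rather than during the incident.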

People and Process Protections

  • Ensure you are simulating phishing attacks against your users regularly so they recognize the approaches real attackers take, and use a continuous learning platform to deliver the training. Educate staff to recognize the signs quickly:
    • “I can’t open normal files and get corruption error or my files have a strange extension.”
    • “I get alarming messages indicating my computer has been infected and I cannot close them.”
    • “I see a countdown timer on-screen.”

  • Send “voice of leadership” messages to everyone with guidance on what to look for, who to call, what to do, and that it is okay not to click on or respond to any message that looks unusual or suspicious.

  • Have an incident response plan developed, walked through, and tested with both your technical team and your administration. Have a “must-answer” line for questions about it.

  • Have a business continuity plan. Where do staff go, report, and get information, and how do you keep the facility running and care delivered if you are attacked?

  • Your security and executive staff need an incident handling hierarchy with legal counsel, a data forensics/incident response firm (on retainer), and your insurance carrier (for cyber-extortion and business interruption) on speed dial on their cellphones. Know how much cyber-insurance you have in a sub-limit policy for cyber-extortion; it may not be enough to cover the cost of an attack.

If you get attacked

  • Have a process in place. Isolate affected machines from the network: pull the network cable, turn off WiFi and Bluetooth, and unplug storage devices. Prefer isolating a machine to powering it off, since a shutdown destroys volatile evidence that forensic responders will want.

  • Determine scope – shared drives / folders, network storage, USB, external storage, cloud-based storage, etc.

  • Check tools in use such as Box, Dropbox, and Google Drive; their version history may let you revert to unencrypted versions of your files.

  • Know your backups: what is and isn’t backed up, and the order in which restores must take place.

  • We do not advise paying the ransom, but if you do, you will need to reconnect the encrypted drives so the decryptor can decrypt them.

  • The ransomware usually leaves a ransom note and often a file or registry listing of everything it encrypted. Use the note text and the file extension it appends, together with a web search, to identify which ransomware family and version you have been hit with.

  • Determine whether your data or login credentials have been copied and, if so, how much and what. This can often be learned from the ransomware’s own announcement, which brags about what data has been taken, or from the information about your stolen data that the attacker posts on leak sites or blogs.

  • Check your logs and any data leak prevention (DLP) tools to see whether they noted any stolen data. Look for large unauthorized archive files (zip, rar, 7z, and the like) containing your data that the attacker used for staging before copying it out. Look into any systems that record large volumes of data leaving the network. Look for the malware, tools, and scripts that might have been used to find and steal data. Keep in mind that the most common first sign that data and credentials have been stolen is the ransomware gang telling you so.
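The staging-archive search above is worth automating because attackers rarely leave a neat `export.zip` behind: the archive is often renamed to look like a temp or log file. The following is an added example (not ConvergeOne tooling) that walks a directory tree and identifies archives by their leading bytes rather than their extension, keeps only files above a size threshold (and optionally only recently modified ones), and flags archives whose extension hides what they are. The file tree it runs over is constructed inside a temporary directory for the demonstration; the paths and sizes are placeholders.

```python
"""Hunt for exfiltration staging archives by content, not filename
(added example; not ConvergeOne's tooling)."""
import tempfile
import time
from pathlib import Path

# Leading bytes of the archive formats attackers commonly stage data in.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
}
ARCHIVE_SUFFIXES = {".zip", ".rar", ".7z", ".gz", ".tgz", ".tar"}


def sniff_archive(path):
    """Return the archive format by magic bytes, or None if not a known archive."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def hunt_staging(root, min_bytes, max_age_seconds=None):
    """Find archives of at least min_bytes under root (optionally modified within
    max_age_seconds). An archive whose extension does not say it is one is marked
    disguised, which is what a staging file renamed to .tmp or .log looks like."""
    now = time.time()
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        st = path.stat()
        if st.st_size < min_bytes:
            continue
        if max_age_seconds is not None and now - st.st_mtime > max_age_seconds:
            continue
        kind = sniff_archive(path)
        if kind is None:
            continue
        hits.append({
            "path": str(path),
            "size": st.st_size,
            "format": kind,
            "disguised": path.suffix.lower() not in ARCHIVE_SUFFIXES,
        })
    return sorted(hits, key=lambda h: h["size"], reverse=True)


def build_sample_tree(root):
    """Constructed file tree for the demonstration: two staged archives, one of
    them renamed to look like a temp file, plus benign and too-small files."""
    root = Path(root)
    samples = {
        "shares/finance/export.zip": (b"PK\x03\x04", 2_000_000),
        "Windows/Temp/~DF3A91.tmp": (b"7z\xbc\xaf\x27\x1c", 5_000_000),
        "Users/jdoe/notes.txt": (b"meeting notes", 10_000),
        "shares/hr/small.zip": (b"PK\x03\x04", 1_000),
    }
    for rel, (head, size) in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(head + b"\0" * (size - len(head)))
    return root


def demo():
    """Run the hunt over a temporary constructed tree; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt_staging(tmp, min_bytes=1_000_000)


if __name__ == "__main__":
    for hit in demo():
        flag = " (extension hides an archive)" if hit["disguised"] else ""
        print(f"{hit['size']:>10} {hit['format']:5} {hit['path']}{flag}")
```

Run `hunt_staging` against file servers, user profile directories, and the system temp locations with a threshold that fits your environment, and pass `max_age_seconds` to narrow it to the incident window. Anything it flags as disguised deserves a look at who created it and when, which is where the logs in the bullet above come back in.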

Lastly, if the ransomware gang tells you they have your data or credentials, believe them; they rarely bluff. Do not panic. Call us for more information or if you need incident response help. Note that multiple attacks across the U.S. are likely, so the free incident response resources that exist may be overwhelmed when you need them.

Please contact us via your ConvergeOne National Account Manager or by email (send to both simultaneously).

Further, we can assist with the following:

  • Health Checks
  • Training
  • IR Planning, Testing and Services (7x24, 365 days)
  • Provide licensing

Ways we can detect Ryuk:

  • Malicious file download
  • DNS recon
  • Unusual logon activity by a service account
  • Immediate pattern detected
  • Crypto activity detected

Finally, Chris Ripkey and Joe Vigorito delivered this webinar on October 27, one day before the joint release. It contains a wealth of helpful details and is now available on-demand.


Note also that CISA director Chris Krebs tweeted a warning to accompany the advisory.

"Healthcare and Public Health sector partners - shields up! Assume Ryuk is inside the house. Executives - be ready to activate business continuity and disaster recovery plans. IT sec teams - patch, MFA, check logs, make sure you have a good backup point," he said.

Please take this information about these attacks very seriously, follow the guidance in this post, and get help wherever necessary. The purveyors of these attacks are criminals, pure and simple, and they have no remorse for their actions.

We at ConvergeOne are here to help.

Topics: Cyber Security, Cyber Recovery, Ransomware