The Healthcare sector (often known as Healthcare and Public Health, or HPH) is currently under an all-out cyber-attack, again focused on hospitals and carried out by ransomware gangs of cybercriminals.
Actors using the Ryuk variant of ransomware are targeting hospitals and other healthcare providers. Several hospitals have reported outages and ransomware attacks in recent days, though it's unclear if all incidents are Ryuk-related. For example, Sky Lakes Medical Center in Klamath Falls, Oregon, said in a statement that it was hit by a ransomware attack on Wednesday.
On October 28, 2020, the FBI, HHS, and CISA jointly reported on an imminent threat to healthcare organizations (the Health and Public Health Sector) surrounding the Ryuk variant of ransomware and other malware most recently seen accompanying it. In a joint release, these agencies warned that they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The joint alert went on to say that malicious groups are targeting the sector with attacks that produce “data theft and disruption of healthcare services.”
These cyber-attacks all involve ransomware, a form of malicious software (malware) designed to deny access to a computer system or its data until a ransom is paid and a decryption key (commonly called a decryptor) is given to the victim. The encryption is unbreakable without the decryption key. Ransomware can spread in multiple ways, but most typically through phishing emails or by unknowingly visiting an infected website. Ransomware can be catastrophic to healthcare and other organizations, for example by preventing access to the critical information and systems needed for patient care.
This offensive, thought to be from a Russian-speaking criminal gang, coincides with the U.S. presidential election and a recent spike in COVID-19 cases, but the immediate indication is that the attackers are motivated solely by profit. “We are experiencing the most significant cyber security threat we’ve ever seen in the United States,” said Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, in a statement.
The cybercriminals launching the attacks use a strain of ransomware known as Ryuk, which is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October. U.S. Cyber Command has also reportedly taken action against Trickbot. While Microsoft has had considerable success knocking its command-and-control servers offline through legal action, cybercriminals have been standing up additional infrastructure to purvey Ryuk over the past 30 days.
Indications are that the criminal group behind Ryuk was demanding ransoms well above $10 million per target and that criminals involved on the dark web were discussing plans to try to infect more than 400 hospitals, clinics, and other medical facilities.
ConvergeOne never advocates paying the ransom to cybercriminals.
Here is some sound guidance to follow:
Verify you have sound backups of your data and that at least one copy is offline, air-gapped, and tested for recoverability. You will not have time to test every single system, so focus on “crown-jewel” assets: those holding patient data and those holding key operational data such as blood supplies, refrigeration unit contents, medication dosages, medical-grade oxygen supply levels, etc.
Understand what processes you can do with pen and paper, if needed. Place large writing tablets or whiteboards in your largest open-but-still-private room or area. You may need them later to give instructions to staff.
Understand that if you are victimized, even with recoverable backups of your data, you will need to rebuild affected systems from scratch. This malware is blended, meaning it has many components; defending against the ransomware component alone does not mean every component has been defended against.
We often see Remote Access Trojans (RATs) included with ransomware, and they are hard to locate and eradicate. A RAT is malware that includes a back door for administrative control over the target system. RATs are usually downloaded invisibly alongside other malware, such as ransomware. Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet, or keep it as a future entry point even after the ransomware portion of the payload has been thwarted.
Immediately ensure you have an accurate asset inventory of all systems, both user endpoints and servers, and add them immediately to your monitoring systems (if they are not already there). Attackers use reconnaissance and data collection to find and attack devices they believe you are not monitoring. You also need an application dependency map: having a set of backups does not mean they can be restored in any order. Generally, infrastructure services such as Active Directory and DNS must be restored first, before web, application, and database servers are brought online.
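One way to turn an application dependency map into a restore sequence, as an added example that is not ConvergeOne's code: each system lists what must be up before it can be restored, and the script groups systems into restore "waves" (a topological sort). The system names and dependencies below are constructed placeholders, not a real hospital inventory; a cycle in the map is reported as an error, because it means the inventory itself needs fixing before a restore plan can be trusted.

```python
from typing import Dict, List, Mapping, Sequence

# Constructed sample dependency map (hypothetical names, not from the post):
# each system lists the systems that must be restored before it.
SAMPLE_DEPENDENCIES: Dict[str, List[str]] = {
    "active-directory": [],
    "dns": [],
    "database": ["active-directory", "dns"],
    "app-server": ["database", "active-directory"],
    "web-frontend": ["app-server", "dns"],
    "ehr-portal": ["web-frontend"],
}


def restore_waves(deps: Mapping[str, Sequence[str]]) -> List[List[str]]:
    """Group systems into restore waves.

    Every system in wave N depends only on systems in earlier waves, so all
    systems within one wave can be rebuilt in parallel. Raises ValueError if
    the map contains a circular dependency.
    """
    # Systems that appear only as a dependency (never as a key) still count.
    nodes = set(deps)
    for reqs in deps.values():
        nodes.update(reqs)
    remaining = {n: set(deps.get(n, ())) for n in nodes}

    waves: List[List[str]] = []
    while remaining:
        # Everything whose prerequisites are already restored is ready now.
        ready = sorted(n for n, reqs in remaining.items() if not reqs)
        if not ready:
            raise ValueError(f"circular dependency among: {sorted(remaining)}")
        waves.append(ready)
        for n in ready:
            del remaining[n]
        for reqs in remaining.values():
            reqs.difference_update(ready)
    return waves


def restore_order(deps: Mapping[str, Sequence[str]]) -> List[str]:
    """Flatten the waves into a single sequential restore order."""
    return [n for wave in restore_waves(deps) for n in wave]


if __name__ == "__main__":
    for i, wave in enumerate(restore_waves(SAMPLE_DEPENDENCIES)):
        print(f"wave {i}: {', '.join(wave)}")
```

With the sample map, Active Directory and DNS land in wave 0, the database in wave 1, and the web and application tiers after that, which is exactly the ordering the guidance above describes; a dependency on a system missing from the inventory shows up as a wave of its own, which is a useful prompt to go back and complete the asset list.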
Check logs and data loss prevention systems for unusual activity and indicators of compromise (IOCs).
Those IOCs are provided in the AA20-302A.stix file that accompanies the joint alert; the alert itself (AA20-302A) lists additional IOCs detailing this activity.
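As an added example of the log check described above (not ConvergeOne's code, and not CISA's file), the Python below pulls simple domain, IPv4 and SHA-256 indicators out of a STIX 2.1 JSON bundle and then looks for them in log lines. The bundle, the indicator values and the log lines are all constructed placeholders using reserved documentation addresses and names; the real AA20-302A.stix file may be in a different STIX version and would need a parser matching that format.

```python
import json
import re
from typing import Dict, List, Sequence, Set, Tuple

# Constructed placeholder hash (64 hex chars), not a real Ryuk sample hash.
PLACEHOLDER_SHA256 = "0" * 62 + "aa"

# Constructed STIX 2.1 bundle with hypothetical indicators (not CISA's data).
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": f"[file:hashes.'SHA-256' = '{PLACEHOLDER_SHA256}']"},
        # Non-indicator objects are ignored by the extractor.
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "placeholder-ransomware"},
    ],
})

# Matches a single equality comparison such as [ipv4-addr:value = '...'].
# Compound patterns (AND/OR) are out of scope here and are skipped.
_COMPARISON = re.compile(r"^\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'\s*\]$")

_KINDS = {
    "domain-name:value": "domain",
    "ipv4-addr:value": "ipv4",
    "file:hashes.'SHA-256'": "sha256",
}


def extract_iocs(bundle_json: str) -> Dict[str, Set[str]]:
    """Return {'domain': {...}, 'ipv4': {...}, 'sha256': {...}} from indicator objects."""
    iocs: Dict[str, Set[str]] = {"domain": set(), "ipv4": set(), "sha256": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _COMPARISON.match(obj.get("pattern", ""))
        if not m:
            continue
        kind = _KINDS.get(m.group(1))
        if kind:
            iocs[kind].add(m.group(2).lower())
    return iocs


# Constructed log lines (DNS, proxy, EDR). Line 2 matches an IOC; line 5 does
# not, because 203.0.113.4 is only a prefix of the listed address.
SAMPLE_LOGS = [
    "2020-10-28T14:02:11Z dns client=10.20.30.41 query=c2.example.net type=A",
    "2020-10-28T14:02:12Z proxy client=10.20.30.41 dst=203.0.113.45:443 action=allow",
    f"2020-10-28T14:05:09Z edr host=WS-RAD-07 file=C:\\Temp\\svc.exe sha256={PLACEHOLDER_SHA256}",
    "2020-10-28T14:06:00Z dns client=10.20.30.52 query=intranet.example.net type=A",
    "2020-10-28T14:06:30Z proxy client=10.20.30.52 dst=203.0.113.4:443 action=allow",
]


def scan_logs(lines: Sequence[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_kind, value) for every IOC found in the lines.

    Lines are tokenised on characters that cannot appear in these IOC types,
    so matching is on whole values: 'c2.example.net' will not hit
    'c2.example.network', and an IP will not hit a longer IP sharing a prefix.
    """
    hits: List[Tuple[int, str, str]] = []
    for no, line in enumerate(lines, 1):
        tokens = {t.lower().rstrip(".") for t in re.findall(r"[A-Za-z0-9.\-]+", line)}
        for kind, values in iocs.items():
            for v in sorted(values & tokens):
                hits.append((no, kind, v))
    return hits


if __name__ == "__main__":
    for no, kind, value in scan_logs(SAMPLE_LOGS, extract_iocs(SAMPLE_STIX_BUNDLE)):
        print(f"line {no}: {kind} IOC {value}")
```

Whole-token matching is the detail to get right here: substring matching against a hostname or IP list produces false hits on longer names and addresses, while exact token comparison keeps the review of hits short enough to act on during an incident.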
Lastly, if the ransomware gang tells you they have your data or credentials, believe them; they rarely bluff. Do not panic. Call us for more information or if you need incident response help. Note that multiple attacks across the US are likely, so the free incident response resources that exist may be overwhelmed when you need their assistance.
Please contact us via your ConvergeOne National Account Manager or email jvigorito@convergeone.com and cripkey@convergeone.com (send to both simultaneously).
Further, we can assist with the following:
Ways we can detect Ryuk:
Finally, Chris Ripkey and Joe Vigorito delivered this webinar on October 27, one day before the joint release. It contains a wealth of helpful details and is now available on-demand.
Also note that CISA director Chris Krebs tweeted out a warning to go along with the advisory posting.
"Healthcare and Public Health sector partners - shields up! Assume Ryuk is inside the house. Executives - be ready to activate business continuity and disaster recovery plans. IT sec teams - patch, MFA, check logs, make sure you have a good backup point," he said.
Please take this information about these attacks very seriously, follow the guidance in this post, and get help wherever necessary. The purveyors of these attacks are criminals, pure and simple, and they have no remorse for their actions.
We at ConvergeOne are here to help.