Delhi: Actors using the Ryuk variant of Ransomware are targeting hospitals and other healthcare providers. Several hospitals have reported outages and ransomware attacks in recent days, though it's unclear if all incidents are Ryuk-related. The threat actors are using Trickbot (delivered via Emotet) to gain access to target systems and deploy Ryuk Ransomware.
Hospitals have become high-value targets in 2020. Cybercriminals continually develop their practices to take advantage of global events and trends, including threat actors who target the healthcare workers and hospitals currently addressing the COVID-19 pandemic.
Threat actors have made it clear- healthcare will remain a prime target for ransomware attacks, extortion demands, phishing, and whatever nefarious scheme they can use to ensure a successful payday. But just what makes the healthcare sector rife for attacks? And what prevention steps are needed to close off the flow of attacks?
Attacks reinforce an ongoing trend of ransomware actors strategically targeting victims that have less tolerance for downtime and a high incentive to pay the ransom. Healthcare providers already under stress from the COVID-19 pandemic may be in a poor position to say no when confronted with a ransomware attack that significantly degrades their ability to provide patient care. Hackers have used different ransomware platforms to target healthcare providers in multiple countries.
The Healthcare sector was the most targeted by ransomware in the US in October, with attacks increasing by 71 percent compared with September 2020. Similarly, ransomware attacks against healthcare organizations and hospitals in October increased by 36 percent as per EMEA and 33 percent as per APAC.
.A hospital in Germany was experiencing a ransomware attack and they had to turn away a patient. The patient was diverted to another hospital and ended up passing away in the ambulance. Four health care institutions have been reported to have been hit by ransomware in recent weeks, three belonging to the St. Lawrence Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Oregon.
Also Read: Know all about Ransomware
United Health Services, a Fortune 500 hospital and healthcare services provider in the US and UK, had managed to restore systems after a Ryuk ransomware attack in September. Many outlets have raised the alarm on ransomware, noting the sophistication of attacks and their impact on patient care.
Concernedly, however, there are serious similarities between the industry’s response to the latest alert to the initial launch of ransomware attacks on healthcare in 2016. A massive ransomware attack hit Hollywood Presbyterian Medical Center in February of that year, which drove hospital workers into EHR downtime procedures. The provider negotiated with the attackers and ended up paying only $17,000 of the initial ransom demand, but the hospital remained in downtime for several days in the wake of the attack.
COVID-19 themed attack campaigns are repurposed to leverage COVID-19 related material for:-
- Health updates
- Fake cures
- Financial packages
- Emergency benefits
- Supply shortages.
Col. Inderjeet Singh, Cyber Security Expert, Director General, Cyber Security Association of India is explaining how cybercriminals use Ryuk Ransomware.
- The cybercriminals launching the attacks use a strain of ransomware known as Ryuk Ransomware, which is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October.
- U.S. Cyber Command has also reportedly taken action against Trickbot. While Microsoft has had considerable success knocking its command-and-control servers offline through legal action, cybercriminals have been standing up additional infrastructure to purvey Ryuk Ransomware over the past 30 days.
- The campaign uses email lures to deploy Emotet as the initial stage. Once infected with Emotet, Trickbot is loaded onto the compromised system. The threat actors then use Trickbot to gain access to high-value targets (such as domain controllers) and deploy Ryuk ransomware across the network.
- The email lures often masquerade as corporate communications and link to a compromised site hosting Emotet. Many of the emails include recipient-specific information such as the name of the employer in the subject line or email body.
- Ryuk Ransomware actors use techniques common to other sophisticated, human-operated ransomware operations.
- After gaining an initial foothold in an organization, attackers will quickly map the network in order to enumerate the environment to understand the scope of the infection.
Col. Inderjeet explained, "Such activity relies on common administrative tools rather than malicious toolkits in order to blend in. Native utilities like Net View, Net Computers, and Ping to identify network shares, Active Directory domain controllers, and other IT assets of interest. Tools like PowerShell, Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), and Windows Remote Management are used to move laterally from their initial point of entry to higher-value IT assets such as domain controllers."
- Once there, dual-use toolkits like Mimikatz (Credential Harvesting Tool), PowerShell Empire, and Cobalt Strike enable credential theft and lateral movement: grabbing clear text passwords or password hash values from memory (Mimikatz), drop malware, log keystrokes and establish back-channel command and control channels (Cobalt Strike), forge Kerberos tickets, and more.
- Ryuk ransomware gang’s use of Domain Name System (DNS) to further their attack. Specifically, attackers are using a new Trickbot module dubbed Anchor_DNS that enables DNS tunneling to send commands to and from infected hosts.
- Encrypted DNS traffic is used to send and receive C2 traffic, making it difficult to discern from ordinary network traffic.
- Ryuk campaign uses DNS as the control plane to execute PowerShell command scripts that lay at the heart of the attack.
- All security pros know that DNS serves as the main control plane by which most adversaries send commands to compromised machines as described in the MITRE ATT&CK framework.
- But more significantly, this campaign shows that adversaries are exploiting DNS for data exfiltration, which follows the path of other malware campaigns focused around the retail point of sale campaigns.
- Organizations rarely focus on DNS, preferring to use next-generation firewalls and other security platforms to focus on HTTP and email. Anchor_dns avoids those platforms by focusing on DNS as a means to smuggle out data undetected, knowing that most traditional security platforms lack the means to differentiate between legitimate and malicious DNS requests.
Col Inderjeet further added," Indications are that the criminal group behind Ryuk Ransomware was demanding ransoms well above $10 million per target and that criminals involved on the dark web were discussing plans to try to infect more than 400 hospitals, clinics, and other medical facilities. Ransomware operators are becoming increasingly aggressive, and in 2021 we expect to see attackers to be returning with more demands or publicly embarrassing an organization."
How to protect against ransomware attacks:
Organizations should review their business continuity and disaster recovery plans and take immediate steps to close avenues of opportunity for gangs like Ryuk. These steps include:
You can follow Col. Inderjeet on twitter @inderbarara, insta:inderbarara
Also Read: How Artificial Intelligence Transforms Your Workplace
(ETV Bharat)
