author photo
By Bruce Sussman
Thu | Oct 29, 2020 | 9:38 AM PDT

With COVID-19 cases surging and hospitalizations increasing, the operators of the Ryuk ransomware smell opportunity.

Security researchers say the Ryuk gang is unleashing an unprecedented wave of ransomware attacks against U.S. hospitals, hoping to make tens of millions in ransom payments. 

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) just issued a joint alert around this type of ransomware attack, calling it an "increased and imminent threat" for hospitals and healthcare providers.

Ryuk attacks on hospitals: 'unprecedented'

Here's how serious this threat from Ryuk ransomware is for the healthcare industry:

"We are experiencing the most significant cyber security threat we've ever seen in the United States," Charles Carmakal, Chief Technical Officer of Mandiant, told the Associated Press.

Alex Holden, CEO of Hold Security, notified the U.S. government of a spike in Ryuk attacks being launched against hospitals, and tells the AP that Ryuk operators are threatening much more.

He said the group was demanding ransoms above $10 million per target and that Dark Web discussions mentioned plans to try to infect more than 400 hospitals, clinics, and other medical facilities.

"One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems," Holden said. "They are hitting where it hurts even more and they know it." 

Would hospitals pay a hefty ransom during a pandemic?

If Ryuk ransomware knocks a hospital's network offline, would it pay a ransom? The stakes are higher when the medical health issues are more serious. 

Just ask hospital CEO and president Steve Long. He paid the ransom demand after ransomware locked up his hospital's network.

Why? Hackers had hit Hancock Regional Hospital during a severe 2018 flu season. That was a major factor in the decision to pay.

"By 10:30 that night we had shut down every single computer that we had and all our servers," Long recalled about the Thursday night in January. "By midnight we successfully shut off every computer in the organization and started from scratch. It's surreal," he told CNBC.

How do Ryuk ransomware attacks operate?

The FBI and CISA alert in this case reveals more about how Ryuk ransomware attacks work.

Attacks are served up by the Trickbot delivery system, which is essentially a network of zombie computers (botnet). Microsoft recently shut off a large amount of Trickbot's infrastructure, but Ryuk operators apparently found a way around that, successfully impacting at least five U.S. hospitals in the last week.

Trickbot, by the way, started as a banking trojan. Now it deploys payloads across industry verticals.

According to the CISA alert, once a network is compromised, Ryuk operators use the following techniques to obtain additional network credentials, stay hidden, and launch the attack:

"While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz.

This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.

Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory.

In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management , and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.

Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key."

And what about your security tools? Ryuk operators spend time trying to negate those as well:

"...the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack."

FBI and CISA ransomware mitigation list

The joint alert around Ryuk ransomware attacks against U.S. hospitals comes with the following best practices for mitigating the threat, regardless of your industry vertical.

  • Patch operating systems, software, and firmware as soon as manufacturers release updates.
  • Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
  • Use multi-factor authentication where possible.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Audit logs to ensure new accounts are legitimate.
  • Scan for open or listening ports and mediate those that are not needed.
  • Identify critical assets such as patient database servers, medical records, and teleheatlh and telework infrastructure; create backups of these systems and house the backups offline from the network.
  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
COVID-19 cybercrime and how it is evolving

It's clear that Ryuk ransomware criminals are trying to take advantage of an urgent situation where hospitals might have to weigh the value of human life during a pandemic against a ransom demand.

And as you probably know, this is far from the only coronavirus related cyberattack we have seen. These attacks are evolving along with the pandemic. Listen to Myla Pilao of Trend Micro, where her Threat Research team tracks more than five billion threats, daily.

Tags: Ransomware,