The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have released a joint advisory urging the healthcare sector to strengthen its security. Cybercriminals have been unleashing a wave of ransomware attacks and data theft attempts that severely disrupt healthcare services.
Increasing and Imminent Threat
CISA, FBI, and HHS state that they have “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers”. In 2020 alone, dozens of US healthcare providers have been impacted by ransomware, disrupting patient care at hundreds of different facilities.
At least four healthcare centers in the US suffered a ransomware attack this week. On Tuesday, three hospitals of the St. Lawrence Health Systems group in upstate New York were severely affected. They had to divert ambulances and switch to offline documentation methods because their computers were hit by a computer virus. Also on Tuesday, Sky Lakes Medical Center and Sky Lakes Outpatient Pharmacy in Oregon had their computers knocked offline. Emergency care remained available, but communications with the medical center were complicated for the rest of the day.
Patient or employee data does not appear to have been compromised in either of these attacks. However, in some cases, like the recent extortion case of a Finnish therapy center, cybercriminals hold on to stolen data for months or even years.
Unknown Version of Ryuk Ransomware
The virus is believed to be a previously unknown version of Ryuk ransomware. This is the same virus that hit the Universal Health Services hospital chain only a month ago. Ryuk is distributed through a network of hijacked computing devices known as the Trickbot botnet. This notorious piece of malware started out in 2016 as a banking trojan, but has since evolved into a dangerous and adaptable form of malware.
Microsoft, ESET and others managed to knock several Trickbot command-and-control (C2) servers offline earlier this month. However, Trickbot apparently survived the disruption and is quickly expanding its network, infecting an increasing number of systems with Ryuk ransomware for financial gain.
The joint report from CISA, FBI, and HHS describes the tactics, techniques, and procedures that Russian-speaking cybercriminals allegedly use against targets in the healthcare and public health sectors. Unfortunately, with the Covid-19 pandemic still raging, this wave of attacks could not have come at a more challenging time.
Indicators of Compromise
There are several indicators that a ransomware attack may be imminent once the malware has successfully executed. Firstly, Trickbot copies itself as an executable file (.exe) with a randomly generated 12-character file name. According to the federal agencies’ report, it places this file in one of a few specific directories: C:\Windows, C:\Windows\SysWOW64, or C:\Users\[Username]\AppData\Roaming.
Next, it initiates communications with the C2 server. This initially leaves several traces behind, such as infection markers in the running memory of the victim’s computer or malicious batch scripts (.bat). At the same time, however, Trickbot also deploys self-deletion techniques and uses native tools wherever possible to remain undetected. In addition, cybercriminals try to shut down or uninstall antivirus programs on the computer, as these might prevent the ransomware from executing.
Once dropped, Ryuk encrypts files and deletes all backup files it can detect. This prevents the victim from recovering encrypted files without the attacker’s decryption key. Finally, a RyukReadMe file, placed on the system after encryption, provides an email address for the victim to contact the attacker. Nowadays, cybercriminals tend to disclose the ransom amount only once the victim has made contact.
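The file-system indicators described above (a 12-character random .exe in one of the three named drop directories, and a RyukReadMe note) can be turned into a simple triage check that a responder runs over a file inventory exported from a host. The script below is an added example written for this article, not code from the advisory or from any of the agencies; it assumes the 12 characters are the file stem excluding the .exe extension, treats the ransom note as any file whose name begins with "RyukReadMe" regardless of extension, and runs against a constructed sample inventory rather than a real host.

```python
import re
from pathlib import PureWindowsPath

# Drop directories named in the joint advisory. The AppData\Roaming
# location is per user, so it is matched with a wildcard for the username.
DROP_DIR_PATTERNS = [
    re.compile(r"^c:\\windows$"),
    re.compile(r"^c:\\windows\\syswow64$"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming$"),
]

# Assumption (not stated in the advisory): the random 12-character name is
# the stem, made of letters and digits, with .exe appended.
RANDOM_EXE_NAME = re.compile(r"^[a-z0-9]{12}\.exe$", re.IGNORECASE)

# Constructed sample inventory for demonstration; not data from a real host.
SAMPLE_INVENTORY = [
    r"C:\Windows\explorer.exe",                        # legitimate, stem too short
    r"C:\Windows\qzx7kpl2m9wr.exe",                   # random name in C:\Windows
    r"C:\Windows\SysWOW64\ab12cd34ef56.exe",          # random name in SysWOW64
    r"C:\Users\alice\AppData\Roaming\nv8t3rkq1xz5.exe",  # random name in Roaming
    r"C:\Users\alice\AppData\Roaming\legit-app.exe",  # hyphen, wrong length
    r"C:\Program Files\Vendor\ab12cd34ef56.exe",      # right name, wrong directory
    r"C:\Users\alice\Documents\RyukReadMe.txt",       # ransom note (extension assumed)
]


def _in_drop_dir(parent: str) -> bool:
    """True if the directory is one of the advisory's Trickbot drop locations."""
    normalized = parent.lower().rstrip("\\")
    return any(pat.match(normalized) for pat in DROP_DIR_PATTERNS)


def flag_suspicious_paths(paths):
    """Return (path, reason) tuples for entries matching the advisory's indicators."""
    findings = []
    for raw in paths:
        wp = PureWindowsPath(raw)
        name = wp.name
        parent = str(wp.parent)
        if name.lower().startswith("ryukreadme"):
            findings.append((raw, "ransom note file name (RyukReadMe)"))
            continue
        if RANDOM_EXE_NAME.match(name) and _in_drop_dir(parent):
            findings.append((raw, "12-character random .exe in Trickbot drop directory"))
    return findings


if __name__ == "__main__":
    for path, reason in flag_suspicious_paths(SAMPLE_INVENTORY):
        print(f"{path}: {reason}")
```

A 12-character name in one of these directories is a hint, not proof: confirm a hit with the other indicators the report lists (C2 traffic, in-memory markers, dropped .bat scripts, disabled antivirus) before acting on it, and feed the same patterns into endpoint telemetry rather than relying on a one-off scan.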
Mitigation and Best Practices
CISA, FBI, and HHS “encourage HPH Sector organizations to maintain business continuity plans to minimize service interruptions”. Other common best practices include keeping operating systems, software, and firmware up to date; implementing network segmentation; using secure passwords and regularly changing them; using multi-factor authentication where possible; and limiting privileges.
In addition, the federal agencies also recommend regularly backing up data; password protecting backup copies; and retaining at least three copies of all critical data in separate, secure locations, with at least one of them being offline. A focus on awareness and training is equally important, as end users are often the targets. CISA and MS-ISAC released an updated version of their Ransomware Guide in September.
Paying ransoms is not recommended and is even against the law in some US states. “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.”