Ransomware Activity Targeting the Healthcare and Public Health Sector

There has been an increased number of detections of Ryuk ransomware which is targeting the healthcare and public sector. This increase has been discovered by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) on the 28/10/2020.

Ransomware is malicious software that infects your computer and displays messages demanding a fee to be paid for your system to work again. This class of malware is a criminal moneymaking scheme that can be installed through deceptive links in an email message, instant message, or website. It can lock a computer screen or encrypt important, predetermined files with a password.

Ryuk ransomware uses encryption to block access to a system, device or file until a ransom is paid. Ryuk is often used in conjunction with another malware known as TrickBot which gains access through Remote Desktop Services. To have the file(s) released, Ryuk demands payment in Bitcoin. Ryuk can spread through the network using PsExec or Group Policy trying to infect as many endpoints and servers as possible. Then the malware will begin the encryption process, specifically targeting backups.

Ryuk actors will quickly map the network to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping - to locate mapped network shares, domain controllers, and active directory. Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. Ryuk will attempt to delete all backup files and Volume Shadow Copies, preventing the victim from recovering encrypted files. In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing.

Indicator of Compromise


Recommendations

In addition, Arkphire recommends the following to customers:

Below are some measures to ensure a higher level of defence against these attacks.

• First and foremost, be sure to back up your most important files on a regular basis.

Ideally, backups should be taken regularly and should be diversified so that single point of failure does not lead to loss of data. Besides, access privileges and read/write permissions should be defined so that the files are not modified. This can be validated with periodic integrity checks.

• Configure your anti-spam filters the right way.

Ransomware variants are known to spread through emails that contain contagious attachments. Blocking emails with .exe, .vbs or .scr extensions is recommended.

• Refrain from opening attachments or links that look suspicious.

Sometimes attackers try to disguise themselves as one of your acquaintances. Think twice before clicking if you think the email was not intended for you or looks suspicious.

• Patching

Patch and keep your operating system, antivirus, browsers, Adobe Flash Player, Java, and other software up to date.

• Employee Awareness Training

Train employees and make them cybersecurity aware; ensure Cyber Security training is part of onboarding process for all new employees.