On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued an urgent warning describing the tactics, techniques, and procedures being used by cybercriminals attacking the US healthcare system.
The warning largely addresses the use of Ryuk ransomware. Since 2016, the cybercriminal enterprise behind the Trickbot malware has continually developed new functionality and tools, increasing the ease, speed, and profitability of its attacks. Alongside capabilities such as credential harvesting and mail exfiltration, Trickbot also enables the deployment of ransomware such as Ryuk.
What Does Ryuk Ransomware Do?
Ryuk is crypto-ransomware: it uses encryption to disable access to a system, device, or files until a ransom is paid. Ryuk demands payment in Bitcoin and directs victims to deposit the ransom in a specific Bitcoin wallet. Typically, the demanded ransom is between 15 and 50 Bitcoins, which is approximately $100,000 to $500,000. After infiltrating a system, Ryuk spreads through the network using PsExec or Group Policy, infecting as many endpoints as possible. The malware then encrypts the files on those systems, often explicitly targeting and encrypting backups—the very backups healthcare organizations rely on to restore their systems if attacked.
Insights from the US Cybersecurity & Infrastructure Security Agency
As outlined in the CISA alert, Ryuk actors commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—to steal credentials. Both frameworks are robust, highly effective dual-purpose tools: they let actors inject a malicious dynamic-link library into memory with read, write, and execute permissions, and then dump clear-text passwords or hash values from memory using Mimikatz. To maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.
Ryuk actors quickly map the network and enumerate the environment to understand the scope of the infection. To limit suspicious activity and possible detection, the actors choose to live off the land and, where possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and Active Directory. The group relies on native tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) to move laterally throughout the network. The group also uses third-party tools, such as BloodHound.
Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper also writes a .bat file that attempts to delete all backup files and Volume Shadow Copies (the automatic backup snapshots made by Windows), leaving the victim unable to recover encrypted files without the decryption program.
The attackers also attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Usually this is done via a script, but if that fails, the attackers can manually remove the applications that could stop the attack. The RyukReadMe file placed on the system after encryption lists one or two email addresses at the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). Earlier versions stated a ransom amount in the initial note; Ryuk operators now set the amount only after the victim makes contact.
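The behaviours the alert describes above (PsExec spreading, persistence through scheduled tasks and new services, and the .bat file that deletes Volume Shadow Copies) all leave process-creation and service-install events on the endpoint, which is what a detection team keys on. The following Python script is an added example written for this article; it is not SilverSky's, CISA's, or any product's code. It runs a small set of rules over constructed Windows event records shaped like Security 4688 / Sysmon 1 process-creation events and a System 7045 service-install event, and escalates an account that both deletes shadow copies and establishes persistence in the same batch. The event field names, the sample records, and the rule patterns are assumptions made for the example.

```python
"""Flag Ryuk-style pre-encryption activity in Windows endpoint events."""
import re
from collections import defaultdict

# Constructed sample records (invented for this example, not real telemetry).
# Shape loosely follows Security 4688 / Sysmon 1 fields plus one 7045 service install.
SAMPLE_EVENTS = [
    {"event_id": 4688, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
    {"event_id": 4688, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"event_id": 4688, "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},          # benign: listing, not deleting
    {"event_id": 7045, "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\PSEXESVC.exe",
     "command_line": ""},                                # PsExec's remote service install
    {"event_id": 4688, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc onlogon /tn "Updater" /tr C:\Users\Public\r.exe'},
    {"event_id": 4688, "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net view /domain"},
    {"event_id": 4688, "user": "CORP\\alice", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

# (rule name, severity weight, pattern tested against "<image> <command line>")
RULES = [
    ("shadow_copy_deletion", 3, re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("scheduled_task_persistence", 2, re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
    ("service_persistence", 2, re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)),
    ("psexec_service", 2, re.compile(r"\bPSEXESVC\b", re.I)),
    ("network_discovery", 1, re.compile(r"\bnet(?:\.exe)?\s+view\b", re.I)),
]
SEVERITY = {name: weight for name, weight, _ in RULES}
PERSISTENCE_RULES = ("scheduled_task_persistence", "service_persistence", "psexec_service")


def match_rules(event):
    """Return the names of all rules one event triggers (empty list if none)."""
    haystack = f'{event["image"]} {event["command_line"]}'
    hits = [name for name, _, pattern in RULES if pattern.search(haystack)]
    # A 7045 service install whose binary lives outside System32 is persistence
    # in its own right, whether or not the command line says "sc create".
    if event["event_id"] == 7045 and not event["image"].lower().startswith(r"c:\windows\system32"):
        if "service_persistence" not in hits:
            hits.append("service_persistence")
    return hits


def score_by_user(events):
    """Aggregate distinct rule hits per account and flag the combination the
    alert describes: backup destruction plus a persistence mechanism."""
    summary = defaultdict(lambda: {"rules": set(), "score": 0})
    for event in events:
        for name in match_rules(event):
            entry = summary[event["user"]]
            if name not in entry["rules"]:          # count each rule once per user
                entry["rules"].add(name)
                entry["score"] += SEVERITY[name]
    for entry in summary.values():
        entry["escalate"] = ("shadow_copy_deletion" in entry["rules"]
                             and any(r in entry["rules"] for r in PERSISTENCE_RULES))
    return dict(summary)


if __name__ == "__main__":
    for user, entry in score_by_user(SAMPLE_EVENTS).items():
        flag = "ESCALATE" if entry["escalate"] else "review"
        print(f"{user:24} score={entry['score']} {flag} rules={sorted(entry['rules'])}")
```

On the constructed sample the backup service account's `vssadmin list shadows` produces no hit, while `CORP\jdoe` trips shadow-copy deletion, scheduled-task persistence and discovery and is escalated; the SYSTEM-context PSEXESVC install is recorded as PsExec plus an out-of-System32 service but is not escalated on its own, since a legitimate administrator may well use PsExec. In production the same rules would be fed from a SIEM or EDR query rather than an inline list, and the weights tuned to the environment's baseline.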
Healthcare organizations are prime targets for cybercriminals. The value of the data held by medical practices makes them attractive targets for data theft. Additionally, as we see with the Ryuk attacks, the urgency and importance of the work performed by healthcare organizations make them prime victims for ransomware attacks.
Cyberattacks on small and large healthcare organizations alike cost hundreds of thousands to millions of dollars. Even more alarmingly, these attacks put human lives at risk. For example, the attack on UHS this fall canceled surgeries and diverted ambulances.
Attacks on healthcare organizations are now persistent and increasingly sophisticated, requiring a wide range of tools and expertise that medical organizations often do not have. SilverSky is entirely dedicated to protecting our clients’ organizations around the clock with the latest tools, like Managed Endpoint Detection and Response, and expertise. Please contact us if we can help.