Ryuk ransomware - FBI Issues Urgent Cybersecurity Warning to US Healthcare System

On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued an urgent warning describing the tactics, techniques, and procedures being used by cybercriminals attacking the US Healthcare system.

The warning largely addresses the use of Ryuk ransomware. Since 2016, the cybercriminal enterprise behind Trickbot malware has continually developed new functionality and tools, increasing the ease, speed, and profitability of their attacks. Among capabilities like credential harvesting and mail exfiltration, Trickbot also enables ransomware, such as Ryuk.

What Does Ryuk Ransomware Do?

Ryuk is a crypto-ransomware that uses encryption to disable access to a system, device, or files until a ransom is paid. Ryuk demands payment in Bitcoin and directs victims to deposit the ransom in a specific Bitcoin wallet. Typically, the ransom is between 15 and 50 Bitcoins, which is approximately $100,000-$500,000. After infiltrating a system, Ryuk spreads through the network using PsExec or Group Policy, infecting as many endpoints as possible. The malware then encrypts the files and systems it reaches, often explicitly targeting and encrypting backups—the very backups healthcare organizations rely on to restore their systems if attacked.

Insights from the Cybersecurity and Infrastructure Security Agency (CISA)

As outlined in the CISA alert, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory using Mimikatz. This allows the actors to inject the malicious dynamic-link library into memory with read, write, and execute permissions. To maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.

Ryuk actors will quickly map the network to enumerate the environment and understand the scope of the infection. To limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and Active Directory. The group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP), to move laterally throughout the network. The group also uses third-party tools, such as Bloodhound.

Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

The attackers will also attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Usually, this is done via a script, but if that fails, the attackers can manually remove the applications that could stop the attack. The RyukReadMe file placed on the system after encryption provides one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions stated a ransom amount in the initial notification, Ryuk actors now designate a ransom amount only after the victim makes contact.
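As an added example (not from the CISA advisory or from SilverSky), the following Python triage script scans constructed process-creation records for the behaviours described in the three paragraphs above: backup and Volume Shadow Copy deletion, persistence via service or scheduled-task creation, living-off-the-land discovery, security-tool tampering, and PsExec lateral movement. The pipe-delimited log format, host names, user names and rule names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation records (timestamp|host|user|command_line); not
# real telemetry, just the behaviours the advisory lists plus one benign line.
SAMPLE_EVENTS = r"""
2020-10-28T03:12:01|WS-RAD-07|CORP\jdoe|vssadmin delete shadows /all /quiet
2020-10-28T03:12:02|WS-RAD-07|CORP\jdoe|wmic shadowcopy delete
2020-10-28T03:12:03|WS-RAD-07|CORP\jdoe|bcdedit /set {default} recoveryenabled no
2020-10-28T03:13:10|WS-RAD-07|CORP\jdoe|net view /domain
2020-10-28T03:13:11|WS-RAD-07|CORP\jdoe|ping -n 1 DC01
2020-10-28T03:14:40|DC01|CORP\svc-backup|sc create svchelper binPath= C:\Windows\Temp\run.exe
2020-10-28T03:14:41|DC01|CORP\svc-backup|schtasks /create /tn Updater /tr C:\Windows\Temp\run.exe /sc onstart
2020-10-28T03:15:02|FS01|CORP\svc-backup|net stop "Security Center" /y
2020-10-28T03:15:03|FS01|CORP\svc-backup|psexec.exe \\WS-ICU-02 -s cmd.exe /c C:\Windows\Temp\run.exe
2020-10-28T08:00:00|WS-HR-03|CORP\asmith|notepad.exe C:\Users\asmith\notes.txt
"""

# One command-line pattern per behaviour named in the advisory (rule names assumed).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no", re.I),
    "persistence_service_or_task": re.compile(r"^(sc|schtasks)(\.exe)?\s+/?create\b", re.I),
    "lotl_discovery": re.compile(r"^(net(\.exe)?\s+view|ping(\.exe)?)\b", re.I),
    "security_tool_tampering": re.compile(
        r"^(net(\.exe)?\s+stop|sc(\.exe)?\s+(stop|delete)|taskkill)\b", re.I),
    "lateral_psexec": re.compile(r"psexec|psexesvc", re.I),
}

def match_rules(cmd):
    return [name for name, rx in RULES.items() if rx.search(cmd)]

def triage(raw_events):
    """Map each host to the sorted list of Ryuk-stage rules it triggered."""
    hits = defaultdict(set)
    for line in raw_events.strip().splitlines():
        _ts, host, _user, cmd = line.split("|", 3)
        for name in match_rules(cmd.strip()):
            hits[host].add(name)
    return {host: sorted(rules) for host, rules in hits.items()}

def severity(rules):
    """Backup destruction alongside any other stage means encryption is imminent."""
    if "shadow_copy_deletion" in rules:
        return "critical" if len(rules) > 1 else "high"
    return "medium" if rules else "none"
```

On the sample, WS-RAD-07 is rated critical because shadow-copy deletion follows discovery on the same host; the benign WS-HR-03 record produces no hit.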

Defending healthcare against phishing attacks

SilverSky Recommendations

Healthcare organizations are prime targets for cybercriminals. The value of the data held by medical practices makes them attractive targets for data theft. Additionally, as we see with the Ryuk attacks, the urgency and importance of the work performed by healthcare organizations make them prime victims for ransomware attacks.

Cyberattacks on small and large healthcare organizations alike cost hundreds of thousands to millions of dollars. Even more alarmingly, these attacks are risking human life. For example, the attack on UHS this fall canceled surgeries and diverted ambulances.

Attacks on healthcare organizations are now persistent and increasingly sophisticated, requiring a wide range of tools and expertise medical organizations often do not have. SilverSky is entirely dedicated to protecting our clients’ organizations around-the-clock and with the latest tools, like Managed Endpoint Detection and Response, and expertise. Please contact us if we can help.
