On 28 Oct 2020, in response to large-scale and coordinated attacks by ransomware operators targeting United States-based healthcare services, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint cybersecurity advisory describing threat details and mitigations regarding the evolving Ryuk ransomware campaign. The report also stated that ransomware operators are actively targeting the healthcare and public health sectors, primarily by leveraging TrickBot malware to deploy Ryuk ransomware. 

Given the nature of the attacks and their potential impact on healthcare organizations, Digital Shadows (now ReliaQuest) is exploring the following areas: 

  1. Previous Ryuk ransomware attacks on healthcare organizations
  2. Ryuk operators’ tactics, techniques, and procedures
  3. Risks affecting healthcare organizations
  4. What we can expect to see in the future
  5. Ransomware-specific and healthcare-specific mitigation strategies 

We will continue to update this blog as related events unfold, so be sure to check back.

Reported Ryuk ransomware attacks on healthcare organizations. 

On 27 September 2020, Universal Health Services (UHS) was reportedly affected by a ransomware incident. UHS operates 400 healthcare facilities across the US and the UK, although reporting seemed to indicate that only US-based hospitals were affected. Throughout the attack, cyber adversaries disabled multiple antivirus programs and renamed files to carry the “.ryk” extension, both characteristics of the Ryuk ransomware variant. The attack forced laboratory results to be delivered by courier, which reportedly resulted in four individuals’ deaths. 

Reports released this week say that Ryuk ransomware has affected at least six hospitals in the United States throughout this coordinated campaign, which has disrupted patient care processes and can ultimately lead to loss of life. Most recently, Ryuk has reportedly affected Sky Lakes Medical Center (Oregon) on 27 October, St. Lawrence Health System (New York) on 27 October, Sonoma Valley Hospital (California) on 27 October, University of Vermont Health Network on 22 October, and Ridgeview Medical Center (Minnesota), which was reported on 26 October. Currently, only St. Lawrence Health System has attributed the attack to Ryuk ransomware.  

(Ryuk ransom note, source: MalwareBytes Labs)

Ryuk operators’ tactics, techniques, and procedures.

Ryuk ransomware operators primarily leverage spearphishing emails that contain malware-laced attachments to gain initial access to victim networks. Throughout their attack, Ryuk operators have used commercial off-the-shelf (COTS) products such as Cobalt Strike and PowerShell Empire, both of which are used to steal credentials and eventually dump collected passwords from memory via Mimikatz. To enumerate the environment and identify the extent of the infection, Ryuk actors perform network mapping. If possible, Ryuk operators attempt to evade detection by living off the land (LotL), uncovering mapped network shares, domain controllers, and Active Directory. Throughout this process, the attackers primarily rely on PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) to move laterally across the victim network.  

Recent reports claim that Ryuk operators have started leveraging the Zerologon vulnerability (CVE-2020-1472), which enables unauthenticated attackers to obtain domain controller (DC) access, ultimately compromising all Active Directory (AD) identity services. By utilizing the Zerologon vulnerability, the Ryuk ransomware operators no longer need to target high-privilege users with the initial phishing emails; targeting lower-level users with standard privileges can grant the threat actors enough access to launch an attack on the network.

Upon deployment, Ryuk encrypts system files and attempts to remove all backup files and Volume Shadow Copies, hindering the victim’s ability to restore system files without the decryption program. The group additionally scans for and attempts to uninstall security applications that may prevent ransomware execution. After systems have been successfully encrypted, the Ryuk operators communicate their ransom amount and a Bitcoin (BTC) wallet address. 

More information on Ryuk’s indicators of compromise (IOCs) can be found here.

MITRE ATT&CK: Techniques used by Ryuk ransomware

ID | Name | Use
T1134 | Access Token Manipulation | Ryuk has attempted to adjust its token privileges.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder | Ryuk has used the Windows command line to create a Registry entry and establish persistence.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ryuk has used cmd.exe to create a Registry entry to establish persistence.
T1486 | Data Encrypted for Impact | Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .ryk. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.
T1083 | File and Directory Discovery | Ryuk has called GetLogicalDrives to enumerate all mounted drives and GetDriveTypeW to determine the drive type.
T1562.001 | Impair Defenses: Disable or Modify Tools | Ryuk has stopped services related to anti-virus.
T1490 | Inhibit System Recovery | Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.
T1036.005 | Masquerading: Match Legitimate Name or Location | Ryuk has constructed legitimate-appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path.
T1106 | Native API | Ryuk has used multiple native APIs, including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.
T1057 | Process Discovery | Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.
T1055 | Process Injection | Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.
T1489 | Service Stop | Ryuk has called kill.bat for stopping services, disabling services, and killing processes.
T1016 | System Network Configuration Discovery | Ryuk has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.
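As an added defensive example (not code from the original post), the script below turns the shadow-copy removal described in the deployment paragraph and the T1490, T1547.001 and T1489 rows of the table above into detection rules run over constructed process-creation events. The flattened log format, host names, user names and paths are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events flattened to
# "host|parent_image|image|command_line". These are made up for this example,
# not taken from the original post; hosts, user names and paths are invented.
SAMPLE_EVENTS = r"""
WS01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
WS01|C:\Users\jdoe\AppData\Local\Temp\lan.exe|C:\Windows\System32\vssadmin.exe|vssadmin Delete Shadows /all /quiet
WS01|C:\Users\jdoe\AppData\Local\Temp\lan.exe|C:\Windows\System32\vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
WS02|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchos /t REG_SZ /d "C:\Users\Public\sys.exe" /f
WS02|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net stop "Sophos AutoUpdate Service" /y
SRV01|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
"""

# Command-line patterns for the behaviours in the ATT&CK table, keyed to the
# technique IDs the post lists (T1490, T1547.001, T1489).
RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "T1490", "shadow copy deletion"),
    (re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I), "T1490", "shadow storage resize"),
    (re.compile(r"\breg(\.exe)?\s+add\s+\"?HK\w+\\.*\\CurrentVersion\\Run\b", re.I), "T1547.001", "Run key persistence"),
    (re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I), "T1489", "service stop"),
]

# Parents that routinely spawn vssadmin/reg/net on a managed host. A match
# spawned from anywhere else (e.g. a user's Temp folder) is escalated.
EXPECTED_PARENTS = {
    r"c:\windows\system32\cmd.exe", r"c:\windows\explorer.exe",
    r"c:\windows\system32\services.exe", r"c:\windows\system32\svchost.exe",
}


def detect(events_text):
    """Return one alert per matching event, in input order."""
    alerts = []
    for line in events_text.strip().splitlines():
        host, parent, _image, cmdline = line.split("|", 3)
        for pattern, technique, label in RULES:
            if not pattern.search(cmdline):
                continue
            unusual_parent = parent.lower() not in EXPECTED_PARENTS
            alerts.append({
                "host": host,
                "technique": technique,
                "label": label,
                "severity": "high" if unusual_parent else "medium",
                "parent": parent,
            })
            break  # one alert per event; the first matching rule wins
    return alerts
```

The service-stop rule is deliberately broad and would be tuned to the antivirus and backup service names in use before deployment; the parent-process check is what keeps an administrator's interactive `vssadmin` from paging someone at 3 a.m.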

Risks affecting healthcare organizations.  

The nature of health services and the timeliness of patient care require health systems to distribute information quickly and succinctly. Although this is seemingly a positive characteristic of healthcare networks, it has unfortunate consequences when a network is compromised. Interconnectivity allows network infections, especially in ransomware encryption cases, to be widespread and impactful. The possibility of a widespread infection increases the impact of an attack and results in a higher likelihood of ransom payment. 

Maintaining a secure environment in healthcare remains challenging due to many connected devices, the length of time that those devices will be deployed, the difficulty of large-scale asset management, and the dependency on Operational Technology for some devices involved in direct patient care. 

Healthcare organizations generally maintain an expansive attack surface, enabling attackers to exploit unpatched vulnerabilities. Vulnerability exploitation will likely continue to be used as a method of attack against healthcare organizations. Additionally, it is almost certain that spearphishing will continue to be used to carry out attacks on healthcare organizations due to the potential return-on-investment that can be obtained through targeted social engineering campaigns. 

(Incidents affecting the healthcare industry by type, April-October 2020)

Looking forward. 

Throughout 2019, Digital Shadows (now ReliaQuest) published 13 intelligence alerts involving ransomware and healthcare. By comparison, from January to October 2020, Digital Shadows (now ReliaQuest) has published 56 such intelligence alerts, a 330% increase. Evidence suggests that this trend will continue well into 2021.

Given the nature of the recent ransomware attacks, the impacts they have on healthcare organizations, and the realistic potential for significant financial gain, Ryuk ransomware operators will likely continue conducting attacks against healthcare organizations in the United States in the immediate to short-term future.

As this series of events continues to unfold, Digital Shadows (now ReliaQuest) will update accordingly. 

Mitigation strategies. 

Ransomware-specific recommendations

The majority of an organization’s planning should occur before a ransomware attack. Steps to consider when planning for a possible ransomware attack include identifying what kind of information is stored on backups, how they’re stored, and whether reverting to backups is feasible during an incident; conducting cybersecurity risk analysis; training staff on cybersecurity best practices; and performing penetration testing to evaluate system security and fortify defenses.

Common ransomware infection and attack vectors include distributing weaponized attachments via phishing and targeting Remote Desktop Protocol (RDP). If RDP is required to be Internet-facing, restricting it behind an RDP Gateway and enabling Network Level Authentication can provide security benefits. Organizations should prioritize patching based on the impact a vulnerability has on organization data, the types of systems that are impacted, the number of systems that are affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is.

Last but not least, organizations should create a robust security awareness program that trains employees to identify malicious emails and report them to an incident response authority.

Healthcare-specific recommendations

While the risks affecting the healthcare industry are complex and dynamic, Digital Shadows (now ReliaQuest) recommends implementing the following mitigation strategies to protect organizations’ data, assets, and reputation:

  • Utilize multi-factor authentication (MFA) for professional and personal accounts, remote network access, sensitive database access, and administrator accounts.
  • Enforce the use of lengthy, unique, and complex passwords for employee and patient accounts.
  • Implement a robust asset discovery and vulnerability management program for all servers, computers, networking components, and medical devices.
  • Implement Network Level Authentication on services like Remote Desktop Protocol (RDP), turn off unnecessary services, and block sensitive ports.
  • Frequently perform and test system backups. Maintain reliable backups at an off-site location.
  • Implement defense-in-depth best practices, such as integrating antivirus and anti-malware programs on servers and computers.
  • Educate individuals involved in conducting academic or medical research on what can be shared and where to share it.
  • Implement the Traffic Light Protocol (TLP) to facilitate secure information sharing practices.
  • Implement and use workforce access auditing of health record systems and sensitive data.
  • Establish cyber threat information sharing with other healthcare organizations.
  • Educate employees and researchers on security awareness, including how to identify and report suspicious emails.
  • Encrypt data at rest and in transit.
  • Develop a ransomware playbook and test it regularly in tabletop exercises.
  • Do not store or send sensitive data or research via unencrypted email.
  • Maintain an updated record of organizations or individuals that store or have access to your intellectual property.
  • Implement pre-procurement security requirements for vendors.
  • Store intellectual property data in segmented, monitored, and encrypted databases.
  • For all people involved in sensitive research who may have a public presence, use a different public-facing email account, which is in no way identical in form or related to the internal email account.
  • Implement centralized logging in conjunction with real-time incident alert capabilities.
  • Conduct regular security audits to identify physical- and software-related vulnerabilities.