On 28 Oct 2020, in response to large-scale and coordinated attacks by ransomware operators targeting United States-based healthcare services, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint cybersecurity advisory describing threat details and mitigations regarding the evolving Ryuk ransomware campaign. The report also stated that ransomware operators are actively targeting the healthcare and public health sectors, primarily by leveraging TrickBot malware to deploy Ryuk ransomware.
Given the nature of the attacks and their potential impact on healthcare organizations, Digital Shadows (now ReliaQuest) is exploring the following areas:
We will continue to update this blog as related events unfold, so be sure to check back.
On 27 September 2020, Universal Health Services (UHS) was reportedly affected by a ransomware incident. UHS operates 400 healthcare facilities across the US and the UK, although reporting seemed to indicate that only US-based hospitals were affected. Throughout the attack, cyber adversaries disabled multiple antivirus programs and renamed files to carry the “.ryk” extension, characteristics of the Ryuk ransomware variant. The attack forced laboratory results to be delivered by courier, which reportedly resulted in four individuals’ deaths.
Reports released this week say that Ryuk ransomware has affected at least six hospitals in the United States throughout their coordinated attack, which has disrupted patient care processes and can ultimately lead to loss of life. Most recently, Ryuk has reportedly affected Sky Lakes Medical Center (Oregon) on 27 October, St. Lawrence Health System (New York) on 27 October, Sonoma Valley Hospital (California) on 27 October, University of Vermont Health Network on 22 October, and Ridgeview Medical Center (Minnesota), which was reported on 26 October. Currently, only St. Lawrence Health System has attributed the attack to Ryuk ransomware.
Ryuk ransomware operators primarily leverage spearphishing emails that contain malware-laced attachments to gain initial access to victim networks. Throughout their attack, Ryuk operators have used commercial off-the-shelf (COTS) products such as Cobalt Strike and PowerShell Empire, both of which are used to steal credentials and eventually dump collected passwords from memory via Mimikatz. To enumerate the environment and identify the extent of the infection, Ryuk actors perform network mapping. If possible, Ryuk operators attempt to evade detection by living off the land (LoTL), uncovering mapped network shares, domain controllers, and Active Directory. Throughout this process, the attackers primarily rely on PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) to move laterally across the victim network.
Recent reports claim that Ryuk operators have started leveraging the Zerologon vulnerability (CVE-2020-1472), which enables unauthenticated attackers to obtain domain controller (DC) access, ultimately compromising all Active Directory (AD) identity services. By utilizing the Zerologon vulnerability, the Ryuk ransomware operators no longer need to target high-privilege users with the initial phishing emails; targeting lower-level users with standard privileges can grant the threat actors enough access to launch an attack on the network.
Upon deployment, Ryuk encrypts system files and attempts to remove all backup files and Volume Shadow Copies, hindering the victim’s ability to restore system files without the decryption program. The group additionally scans for and attempts to uninstall security applications that may prevent ransomware execution. After systems have been successfully encrypted, Ryuk communicates the ransom amount and a Bitcoin (BTC) wallet address.
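Two of the behaviours described above leave telemetry that a SOC can alert on: the destruction of Volume Shadow Copies and backup catalogs before encryption, and the burst of files being renamed with the “.ryk” extension during encryption. The following is an added detection example written for this post, not code from the original blog or from ReliaQuest’s platform. It runs over a handful of constructed Sysmon-style events (process creation and file creation), and the host names, timestamps, paths, and the thresholds of five renames in sixty seconds are all assumptions chosen for illustration; tune them to your own environment.

```python
"""Detection logic for two Ryuk-style behaviours, run over constructed
sample telemetry (hand-written for this example, not real customer data):

  1. process creations whose command line deletes Volume Shadow Copies or
     the Windows backup catalog (the backup-destruction step before encryption);
  2. a burst of files gaining the ".ryk" extension on one host within a
     short window (the encryption step itself).

Event dictionaries mimic the shape of Sysmon EID 1 (process create) and
EID 11 (file create) records but are simplified and constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line fragments associated with shadow-copy / backup-catalog tampering.
# Matching is case-insensitive; a benign "vssadmin list shadows" does not match.
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

RANSOM_EXTENSION = ".ryk"
RENAME_BURST_THRESHOLD = 5                    # assumed: renames per host ...
RENAME_BURST_WINDOW = timedelta(seconds=60)   # ... within this sliding window


def parse_ts(ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_backup_tampering(events):
    """Alert on each process-create event whose command line matches a
    shadow-copy or backup-catalog deletion pattern."""
    alerts = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if any(p.search(ev["command_line"]) for p in BACKUP_TAMPER_PATTERNS):
            alerts.append({"host": ev["host"], "rule": "backup_tampering",
                           "evidence": ev["command_line"]})
    return alerts


def detect_rename_burst(events):
    """Alert once per host where at least RENAME_BURST_THRESHOLD files gained
    the ransom extension inside RENAME_BURST_WINDOW (sliding window over the
    sorted timestamps)."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_create" and ev["path"].lower().endswith(RANSOM_EXTENSION):
            by_host[ev["host"]].append(parse_ts(ev["time"]))
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RENAME_BURST_WINDOW:
                start += 1                     # slide the window forward
            count = end - start + 1
            if count >= RENAME_BURST_THRESHOLD:
                alerts.append({"host": host, "rule": "ransom_extension_burst",
                               "evidence": f"{count} {RANSOM_EXTENSION} files in "
                                           f"{RENAME_BURST_WINDOW.seconds}s"})
                break                          # one alert per host is enough
    return alerts


def run_detections(events):
    """Run both detections and return the combined alert list."""
    return detect_backup_tampering(events) + detect_rename_burst(events)


# Constructed sample telemetry: one infected workstation, one benign admin
# action on a server, and a below-threshold host.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-FIN-07", "time": "2020-10-27 02:14:05",
     "command_line": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process_create", "host": "WS-FIN-07", "time": "2020-10-27 02:14:06",
     "command_line": "wmic.exe shadowcopy delete"},
    {"type": "process_create", "host": "SRV-DC-01", "time": "2020-10-27 02:15:00",
     "command_line": "vssadmin.exe list shadows"},          # benign: lists, does not delete
    # six renames on WS-FIN-07 within six seconds -> burst
    *[{"type": "file_create", "host": "WS-FIN-07",
       "time": f"2020-10-27 02:14:{10 + i:02d}",
       "path": rf"C:\Users\jdoe\Documents\report{i}.docx.ryk"} for i in range(6)],
    # two renames fifteen minutes apart on WS-HR-02 -> below threshold
    {"type": "file_create", "host": "WS-HR-02", "time": "2020-10-27 02:20:00",
     "path": r"C:\Shares\HR\payroll.xlsx.ryk"},
    {"type": "file_create", "host": "WS-HR-02", "time": "2020-10-27 02:35:00",
     "path": r"C:\Shares\HR\notes.txt.ryk"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, it prints three alerts, all for WS-FIN-07: two for the shadow-copy deletion commands and one for the rename burst. The server’s `vssadmin list shadows` and the two isolated renames on WS-HR-02 produce nothing, which is the point of pairing a command-line signature with a rate threshold rather than alerting on any single `.ryk` file.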
More information on Ryuk’s indicators of compromise (IOCs) can be found here.
The nature of health services and the timeliness of patient care require health systems to be able to distribute information quickly and succinctly. Although this is seemingly a positive characteristic of healthcare networks, it has unfortunate consequences when a network is compromised. Interconnectivity allows network infections, especially ransomware encryption, to be widespread and impactful. The possibility of a widespread infection increases the impact of an attack and results in a higher likelihood of ransom payment.
Maintaining a secure environment in healthcare remains challenging due to many connected devices, the length of time that those devices will be deployed, the difficulty of large-scale asset management, and the dependency on Operational Technology for some devices involved in direct patient care.
Healthcare organizations generally maintain an expansive attack surface, enabling attackers to exploit unpatched vulnerabilities. Vulnerability exploitation will likely continue to be used as a method of attack against healthcare organizations. Additionally, it is almost certain that spearphishing will continue to be used to carry out attacks on healthcare organizations due to the potential return-on-investment that can be obtained through targeted social engineering campaigns.
Throughout the entire year of 2019, Digital Shadows (now ReliaQuest) published 13 intelligence alerts involving ransomware and healthcare. Comparatively, from January to October 2020, Digital Shadows (now ReliaQuest) has published 56 intelligence alerts involving ransomware and healthcare, an increase of 330%. Evidence suggests that this trend is going to continue well into 2021.
Given the nature of the recent ransomware attacks, the impacts they have on healthcare organizations, and the realistic potential for significant financial gain, Ryuk ransomware operators will likely continue conducting attacks against healthcare organizations in the United States in the immediate to short-term future.
As this series of events continues to unfold, Digital Shadows (now ReliaQuest) will update accordingly.
The majority of an organization’s planning should occur before a ransomware attack. Steps to be considered when planning for a possible ransomware attack include identifying what kind of information is stored on backups, how they’re stored, and if reverting to backups is feasible during an incident; conducting cybersecurity risk analysis; training staff on cybersecurity best practices; and performing penetration testing to evaluate system security and fortify defenses. Common ransomware infection and attack vectors include distributing weaponized attachments via phishing and targeting remote desktop protocol (RDP). Restricting RDP behind an RDP Gateway and enabling Network Level Authentication can provide security benefits if RDP is required to be Internet-facing. Organizations should prioritize patching based on the impact a vulnerability has on organization data, the types of systems that are impacted, the number of systems that are affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is. Last but not least, organizations should create a robust security awareness program that trains employees to identify malicious emails and report them to an incident response authority.
While the risks affecting the healthcare industry are complex and dynamic, Digital Shadows (now ReliaQuest) recommends implementing the following mitigation strategies to protect organizations’ data, assets, and reputation: