According to U.S. government cybersecurity experts, Ryuk ransomware and Trickbot operators are targeting U.S. hospitals and healthcare providers.
The new joint security alert was published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS).
“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” the alert stated.
Two key findings were included in the report:
- Malicious cyber actors are targeting the Healthcare and Public Health Sector (HPH) with Trickbot malware — “often leading to ransomware attacks, data theft, and the disruption of healthcare services.”
- Organizations face an ongoing challenge in balancing the risk of these malware threats with the need to keep operating during the COVID-19 pandemic.
Trickbot threat
Trickbot traces its roots back to 2016 as a modular banking trojan designed to steal information and distribute other malware to infected systems.
Bad actors typically deliver Trickbot via email campaigns themed on current events (such as COVID-19) or financial incentives to trick users into opening malicious file attachments (such as macro-enabled Word or Excel documents).
Readers may remember Microsoft helped take down Trickbot infrastructure earlier this month. However, cyber actors stood up new Trickbot command-and-control infrastructure and domains days later.
According to the report, Trickbot activities have evolved over the years into credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk.
In addition, a new Trickbot module added in early 2019, Anchor_DNS, sends and receives data from target systems using Domain Name System (DNS) tunneling.
Ryuk Ransomware
Historically, Ryuk ransomware has been deployed as a payload via banking trojans such as Trickbot or Emotet.
Last October, Australian cybersecurity experts spotted multiple successful Emotet infections within Australia, one of which led to Ryuk ransomware attacks on the Victorian health sector.
Just last month, Universal Health Services (UHS) hospitals were allegedly hit by a Ryuk ransomware cyberattack.
“Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program,” the CISA report noted.
In addition, the Ryuk actors will attempt to disable or remove security applications running on victim systems in order to allow ransomware to execute.
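The backup and shadow-copy deletion described above is a useful detection point for defenders, because it happens before encryption finishes. The following is an added example, not code from the article or the CISA alert: a small Python scanner over constructed process-creation log lines (Sysmon event 1 / Windows 4688 style, one JSON object per line) that flags the built-in Windows utilities used to remove Volume Shadow Copies and backup catalogs. The specific command patterns, host names and log format are assumptions drawn from general detection practice, not taken from this page.

```python
"""Flag shadow-copy and backup-catalog destruction in process-creation logs.

Added defensive example; the log lines below are constructed, and the
command patterns are general detection practice, not from the article.
"""
import json
import re

# Built-in Windows utilities commonly used to remove Volume Shadow Copies
# and backup catalogs (assumption: the article only says Ryuk's .bat file
# deletes backups and shadow copies; these commands are not on the page).
DESTRUCTIVE_PATTERNS = [
    (r"vssadmin(\.exe)?\s+delete\s+shadows", "vssadmin shadow deletion"),
    (r"wmic(\.exe)?\s+shadowcopy\s+delete", "wmic shadow deletion"),
    (r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", "wbadmin backup deletion"),
    (r"win32_shadowcopy.*\bdelete\b", "PowerShell/WMI shadow deletion"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label) for p, label in DESTRUCTIVE_PATTERNS]


def classify(command_line: str):
    """Return the labels of every destructive pattern found in one command line."""
    return [label for rx, label in COMPILED if rx.search(command_line)]


def scan(lines):
    """Return one alert dict per event whose command line matches a pattern.

    The parent process is kept because the article notes Ryuk's dropper
    runs these commands from a .bat file, so cmd.exe as parent is expected.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        labels = classify(ev.get("CommandLine", ""))
        if labels:
            alerts.append({"host": ev.get("Computer"), "parent": ev.get("ParentImage"),
                           "command": ev.get("CommandLine"), "labels": labels})
    return alerts


# Constructed sample log: three destructive events and two benign ones.
SAMPLE_LOG = r"""
{"Computer": "WS-RADIOLOGY-07", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}
{"Computer": "WS-RADIOLOGY-07", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "vssadmin list shadows"}
{"Computer": "SRV-EHR-02", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic shadowcopy delete"}
{"Computer": "SRV-EHR-02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"}
{"Computer": "WS-BILLING-12", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe backup-policy.txt"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["host"], "|", alert["parent"], "|", ", ".join(alert["labels"]))
```

In production the same logic belongs in the SIEM as a rule on process-creation events, with the benign `vssadmin list shadows` case showing why the match must be on the delete verb rather than the binary name alone.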
Finally, the experts from CISA, FBI, and HHS provided safeguard recommendations covering network, ransomware, and user-awareness best practices for organizations.