By Brian Tant
On October 29, 2020, a confidential source said that a RYUK attack against US-based hospitals and clinics was an “Increased and Imminent Cybercrime Threat.” In the days that followed, we saw the attack unfold.
What we know: This appears to be a RYUK ransomware attack delivered through phishing. Raxis recommends heightened vigilance across all attack vectors and instrumentation.
Who: The attack targets US-based hospitals, clinics, and other healthcare facilities, all of which should be on heightened alert for Indicators of Compromise (IOCs).
When: Several US hospitals have already been attacked.
What to do:
- Disseminate threat notifications to users and establish a cadence for updating them as the threat evolves.
- Isolate critical systems where possible.
- Review Incident Response (IR) plans and confirm their accuracy.
- Verify systems are patched and up to date.
- Adjust instrumentation to detect known ransomware IOCs.
- Use MFA wherever possible and consider enforcing MFA in instances where it is optional.
- Enforce cybersecurity hygiene, including auditing user accounts with admin privileges and closing unnecessary ports.
- Back up all critical data and verify that it can actually be restored.
- Verify endpoint protection measures are up to date and functioning properly.
Technical details of the attack:
- Typically, RYUK has been deployed as a payload from Trojans such as Trickbot.
- RYUK actors use common tools to dump cleartext passwords as well as password hashes that can be brute-forced offline.
- Payloads may establish persistence based on DLL injection or other common techniques and maintain it by creating scheduled tasks and services.
- RYUK actors will conduct network reconnaissance using Windows Net commands, nslookup, and ping to locate mapped network shares, domain controllers, and Active Directory resources.
- RYUK actors also use PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (MS-RDP) for lateral movement through the network.
- RYUK uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
- Actors will attempt to disable or remove security applications on victim systems that might prevent the ransomware from executing.
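To illustrate how instrumentation can be adjusted toward the tradecraft listed above (the net/nslookup/ping reconnaissance, scheduled-task and service persistence, and tampering with security services), here is an added Python example that runs three heuristic rules over constructed process-creation events. It is not Raxis code; the event shape, host and service names, file paths, thresholds and keyword list are assumptions made for the illustration.

```python
"""Heuristic detections for the RYUK tradecraft described in the advisory,
run over constructed Windows process-creation events (added example).
Event shape: (timestamp_seconds, host, user, parent_image, command_line);
real telemetry such as Sysmon Event ID 1 would be mapped into this form."""
import re
from collections import defaultdict

# A burst of several distinct recon tools from one host/user in a short
# window is the signal; any single "net" or "ping" is normal admin activity.
RECON_TOOLS = {"net", "nslookup", "ping"}
RECON_WINDOW_SECONDS = 120
RECON_MIN_DISTINCT = 3

# Persistence: task or service whose command line points at a user-writable path.
USER_WRITABLE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.I)

# Constructed keyword list for security services an actor would try to stop;
# tune it to the products actually deployed.
SECURITY_KEYWORDS = ("defender", "antivirus", "endpoint", "protection", "edr")

# Constructed telemetry: ws01/jdoe shows the described chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    (100, "ws01", "jdoe", "explorer.exe", r"C:\Windows\System32\cmd.exe"),
    (101, "ws01", "jdoe", "cmd.exe", "net view /domain"),
    (102, "ws01", "jdoe", "cmd.exe", 'net group "Domain Admins" /domain'),
    (103, "ws01", "jdoe", "cmd.exe", "nslookup dc01.corp.example"),
    (104, "ws01", "jdoe", "cmd.exe", "ping -n 1 10.10.10.5"),
    (105, "ws01", "jdoe", "cmd.exe", r"net use \\fs01\share"),
    (200, "ws01", "jdoe", "cmd.exe",
     r'schtasks /create /tn "Updater" /tr C:\Users\Public\x.exe /sc onstart /ru SYSTEM'),
    (201, "ws01", "jdoe", "cmd.exe", r"sc create svchelper binPath= C:\Users\Public\x.exe start= auto"),
    (300, "ws01", "jdoe", "cmd.exe", 'net stop "EndpointProtectionSvc"'),
    (301, "ws01", "jdoe", "cmd.exe", "sc config EndpointProtectionSvc start= disabled"),
    (400, "ws02", "admin", "cmd.exe", "ping -n 4 10.0.0.1"),
    (401, "ws02", "admin", "cmd.exe", "net stop Spooler"),
    (402, "ws02", "admin", "cmd.exe",
     r'sc create BackupAgent binPath= "C:\Program Files\Backup\agent.exe" start= auto'),
]


def _tool_name(command_line):
    """First token of the command line with any path and .exe suffix removed."""
    tokens = command_line.strip().split()
    if not tokens:
        return ""
    image = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    return re.sub(r"\.exe$", "", image)


def detect_recon_bursts(events):
    """One finding per host/user that runs >= RECON_MIN_DISTINCT distinct recon
    tools inside a sliding RECON_WINDOW_SECONDS window (first burst only)."""
    per_actor = defaultdict(list)
    for ts, host, user, _parent, cmd in events:
        tool = _tool_name(cmd)
        if tool in RECON_TOOLS:
            per_actor[(host, user)].append((ts, tool, cmd))
    findings = []
    for (host, user), recon in per_actor.items():
        recon.sort()
        start = 0
        for end in range(len(recon)):
            while recon[end][0] - recon[start][0] > RECON_WINDOW_SECONDS:
                start += 1
            window = recon[start:end + 1]
            if len({tool for _, tool, _ in window}) >= RECON_MIN_DISTINCT:
                findings.append({"rule": "recon_burst", "host": host, "user": user,
                                 "time": window[0][0], "evidence": [c for _, _, c in window]})
                break
    return findings


def detect_persistence(events):
    """Flag schtasks /create or sc create that references a user-writable directory."""
    findings = []
    for ts, host, user, _parent, cmd in events:
        tool, tokens = _tool_name(cmd), cmd.lower().split()
        is_task = tool == "schtasks" and "/create" in tokens
        is_svc = tool == "sc" and len(tokens) > 1 and tokens[1] == "create"
        if (is_task or is_svc) and USER_WRITABLE.search(cmd):
            findings.append({"rule": "persistence_user_writable_path", "host": host,
                             "user": user, "time": ts, "evidence": [cmd]})
    return findings


def detect_security_service_tamper(events):
    """Flag net stop / sc stop|delete|config aimed at a security service name."""
    findings = []
    for ts, host, user, _parent, cmd in events:
        tool, tokens = _tool_name(cmd), cmd.lower().split()
        target = ""
        if tool == "net" and len(tokens) > 2 and tokens[1] == "stop":
            target = " ".join(tokens[2:])
        elif tool == "sc" and len(tokens) > 2 and tokens[1] in ("stop", "delete", "config"):
            target = tokens[2]
        if target and any(k in target for k in SECURITY_KEYWORDS):
            findings.append({"rule": "security_service_tamper", "host": host,
                             "user": user, "time": ts, "evidence": [cmd]})
    return findings


def detect(events):
    """Run every rule and return the findings ordered by time."""
    findings = (detect_recon_bursts(events) + detect_persistence(events)
                + detect_security_service_tamper(events))
    return sorted(findings, key=lambda f: f["time"])


def summarize(findings):
    """Count findings per rule name."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}/{f['user']} t={f['time']}: {f['evidence']}")
```

The rules key on behaviour rather than file hashes, so they keep working when the payload is rebuilt; the window, distinct-tool threshold and keyword list are the tuning points. The single ping, the print-spooler restart and the service installed under Program Files on ws02 stand in for the everyday administrative noise that a usable rule must not alert on.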
Brian Tant is a veteran cybersecurity professional who serves as chief technology officer for Raxis, an Atlanta-based penetration testing company whose customers include some of the largest corporations in the US.