People are not the only ones facing a viral threat. Cyber-attacks from opportunistic hackers are increasing. Ryuk ransomware, a troublesome and metamorphic malware, has risen to prominence in the U.S. healthcare system, according to the Joint Cybersecurity Advisory (coauthored by the FBI, CISA and HHS).

Here are the facts.
How is Ryuk Ransomware infiltrating US Hospitals and Healthcare Systems?
It takes just one click to compromise your computer system. According to the Joint Cybersecurity Advisory, the threat actors have been deploying Trickbot and BazarLoader via malicious phishing campaigns. The emails contain links to sites hosting the malware or attachments infected by Ryuk. Since mid-February 2020, newer versions of Ryuk no longer depend on Trickbot, Emotet or BazarLoader as Trojan droppers. Instead, they use encrypted PowerShell to deliver the malware. The new version also uses known penetration-testing tools (SharpHound and an Armitage component) and has truly metamorphic capabilities, because the child iterations spawned during pivot operations can't be completely unique.
In short, it's social engineering via email campaigns. One employee receives an attachment containing a malicious script, and the entire office is shut down.
Basic security awareness best practices come into play here. That is why I stress enrolling your team in Security Awareness Training. Hackers and threat actors are masters of social engineering and manipulation. They use tactics that evoke fear or panic, or that draw on sympathy. They only need one person to take down your entire healthcare system. This may surprise you, but it happens all the time!
Why is Ryuk Ransomware so bad?
Ryuk can change and shift at alarming rates, which makes it a malicious metamorphic malware, and that is what makes it hard to predict and prevent.
Let me offer you an analogy.
Your name is Phineas, just for the sake of this example. Imagine that I have contracted Ryuk. I have my own version of the Ryuk virus, the “Jason Virus.” I sneeze all over you and make you sick. Instead of contracting the “Jason Virus”, you now have the “Phineas Virus”, your own unique Ryuk that antivirus software has never seen before. Do you see why antivirus has been ineffective?
Antivirus works because it blacklists certain threatening signatures. Ryuk does not have a signature and attacks no two times in the same manner.
The Joint Cybersecurity Advisory explains that once the malware has infected your system, threat actors use anchor_dns to send data to and receive data from the victimized machines. This practice is known as Domain Name System (DNS) tunnelling. It lets the cyber criminals evade network defenses and avoid detection, because your infected computers treat the traffic as just another piece of legitimate DNS traffic.
Cybercriminals can then funnel data to them, use self-deletion methods, and control your data, making your organization dependent on their demands.
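DNS tunnelling of the kind described above can be triaged from DNS query logs, because a covert channel tends to produce many never-repeating, high-entropy subdomain labels under one base domain, unlike ordinary name resolution. The script below is an added example, not code from the advisory or the author: the log entries are constructed, splitting the base domain on the last two labels is a simplification, and the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log: (source host, queried name, record type).
# All names are made up for illustration; none is an indicator from the advisory.
SAMPLE_QUERIES = [
    ("ws-12", "img1.cdn-example.com", "A"),
    ("ws-12", "img2.cdn-example.com", "A"),
    ("ws-12", "img3.cdn-example.com", "A"),
    ("ws-12", "img1.cdn-example.com", "A"),
    ("ws-12", "img2.cdn-example.com", "A"),
    ("ws-47", "a9f3k2l0q8z7x1c4v5b6n2m1.c2-example.net", "TXT"),
    ("ws-47", "zq83ndk1o5pw2ve9rt4yu6xs.c2-example.net", "TXT"),
    ("ws-47", "m1n2b3v4c5x6z7l8k9j0hgfd.c2-example.net", "TXT"),
    ("ws-47", "q7w8e9r0t1y2u3i4o5p6asdf.c2-example.net", "TXT"),
    ("ws-47", "h4j5k6l7z8x9c0v1b2n3m4qw.c2-example.net", "TXT"),
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score well above dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def domain_metrics(queries):
    """Per base domain (last two labels, a simplification): query volume,
    share of distinct leftmost labels, mean entropy of those labels, TXT share."""
    groups = defaultdict(list)
    for _host, name, rtype in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) >= 3:  # apex-only queries carry no subdomain payload
            groups[".".join(labels[-2:])].append((labels[0], rtype))
    metrics = {}
    for base, items in groups.items():
        subs = [s for s, _ in items]
        metrics[base] = {
            "queries": len(items),
            "unique_ratio": len(set(subs)) / len(items),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
            "txt_share": sum(r == "TXT" for _, r in items) / len(items),
        }
    return metrics

def flag_tunneling(queries, min_queries=5, unique_ratio=0.8, entropy_bits=3.5):
    """Base domains whose many, never-repeating, high-entropy subdomains look like
    a covert channel rather than ordinary name resolution (thresholds are assumptions)."""
    return sorted(base for base, m in domain_metrics(queries).items()
                  if m["queries"] >= min_queries
                  and m["unique_ratio"] >= unique_ratio
                  and m["mean_entropy"] >= entropy_bits)
```

Flagged domains are leads for review, not verdicts; legitimate services such as content delivery or anti-spam lookups can also use long generated labels, which is why the baseline thresholds need tuning per environment.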
How can I prevent Ryuk from Ransoming My Data?
Standard antivirus products are ineffective against this threat, as explained above. Prevention depends on the end user: your administrative staff, clinicians, and so forth. An alternative is to invest in an EDR, or advanced anti-malware program. We are a Cisco Gold Partner, so we can tell you more about Cisco AMP (Advanced Malware Protection). We can also help you find and deploy any Endpoint Detection and Response product for your industry.

Security Awareness Training (Prescriptive/Proactive)
You and your team are the first line of defense against cyber threats. Hackers are constantly innovating new ways to penetrate your defenses. Your team must first understand what an attack looks like, how to report it, and how to remove threats.

Endpoint Detection and Response (EDR) Advanced Anti-Malware (Prescriptive/Proactive)
While this isn't a foolproof prevention method, it can help. This advanced anti-malware solution measures more than signatures (remember, Ryuk doesn't leave one); it also measures behavioral characteristics to help pinpoint abnormal activity. Although it won't wave a red flag to tell you it's Ryuk, it may alert you to an issue before too much damage has been done.

Regular Secure and Verified Backups (Prescriptive)
Keep involved and make sure you have backups that are secure and verified. This will also help you recover from a disaster if something goes wrong.
What happens if Ryuk Ransomware infects my Healthcare System? What are the next steps in this situation?

Disaster Recovery
Do not lose heart if this happens to your data! Ryuk may hold your data hostage and require a system reboot. Your best option for salvaging your data is Disaster Recovery. Regular, verified, and secured backups are a good idea.

How do I report it?
The FBI has a fantastic reporting line. For your information, I've linked the FBI reporting page below.

For your team, get security awareness training
Preparation is the best defense against these security threats. Follow the link and submit your information. Our security team will contact you shortly to discuss security awareness training opportunities for your business.

Source:
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
About Jason Smith
Jason Smith is the Security Consultant at Internetwork Engineering (IE). He has over 15 years of experience in IT and IT Security across finance, aerospace, defense, and retail. Connect with Jason via LinkedIn.
Get in touch with Jason Smith