CISA, the FBI, and HHS have recently published alert AA20-302A. The advisory outlines the threat of malicious cyber actors targeting the healthcare sector with TrickBot, BazarLoader and Conti malware. These attacks often drop the Ryuk ransomware with the intent of stealing patient data and deriving financial gain from hospitals in the United States.
Attacks of this nature typically start with a phishing email that includes a link to a malicious file (usually a PDF) or a breach of an unpatched, internet-facing remote access system (e.g., VPN, RDP, or Citrix server). Both techniques lead to a breach of a connected computer, allowing the attacker to run malicious code on the host device. It’s through this unauthorized access that the attackers install TrickBot/BazarLoader on the victim’s computer to achieve persistence. From this point on, the victim computer is controlled by the criminals.
The attack continues by dropping the Ryuk ransomware. Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The attacker’s goal is to propagate the ransomware to other file systems and computers and also to gain domain administrator privileges (e.g. via exploitation of the Netlogon vulnerability) while using SMB, WMI, PowerShell and RDP for lateral movement in the network.
The RyukReadMe file placed on the system after encryption provides either one or two email addresses through which the victim can contact the attackers and ask for a designated ransom amount for decryption.
Three Defenses - Begin Now
With an immediate threat looming over hospitals, security teams need a short-term game plan with the most cost-effective actions they can take today, including actions to:
- Reduce the likelihood of Ryuk penetrating the organization’s network
- Provide early detection of an attack in progress
- Reduce the impact should malware penetrate the organization’s network
So what are the three actions your teams can take now to defend against this critical risk?
- Minimize the likelihood of Ryuk penetrating your network
It is essential to validate that all internet-facing user endpoints and servers run some form of endpoint protection (an anti-virus or an EDR agent) as a first line of defense.
With CyberMDX’s Healthcare Security Suite, you can detect gaps in your endpoint security coverage - such as endpoints that should run an anti-virus or a security agent but actually don't - and quickly remediate them.
Furthermore, CyberMDX can pinpoint the user endpoints and servers whose endpoint protection should be fixed first, based on their exposure to the internet, the nature of their interactions and how ransomware operators could exploit them, and their connectivity to sensitive systems. For example, you can get a list of your managed systems that are connected to the internet and communicate with unmanaged systems (such as medical devices) via SMB, RDP and RPC.
It is important to consider refreshing any cyber security training for employees in your organization to increase awareness about suspicious links and attachments in corporate email accounts, but also when using personal email on internal networks.
- Early detection of an attack
Early detection of Ryuk might help to identify the compromised devices before the attack manages to spread the malware across the network.
The CISA/FBI/DHS alerts include a list of indicators of compromise (IoCs) in STIX format. The CyberMDX Healthcare Security Suite is updated with these IoCs and will send alerts when a device tries to communicate with the malicious domains or IP addresses. CyberMDX can also detect anomalous behavior and deviations from a baseline, such as those often created by malware trying to spread within the network.
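As an added example (not CyberMDX's code and not the advisory's own tooling), the following Python routine shows the core of IoC-based early detection: it extracts domain-name and IPv4 comparison expressions from the indicator patterns of a STIX 2.1 bundle and flags any device in a DNS/firewall log that resolves or connects to one. The bundle, the log format and every value in them are constructed placeholders, not the advisory's actual IoCs.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for the advisory's IoC file (placeholder values).
SAMPLE_STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'example-c2.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.77'] OR [ipv4-addr:value = '198.51.100.9']"},
    ],
})

# Simple comparison expressions of the form [domain-name:value = '...'] / [ipv4-addr:value = '...'].
_ATOM = re.compile(r"\[(domain-name|ipv4-addr):value\s*=\s*'([^']+)'\]")


def extract_network_iocs(bundle_json: str) -> dict:
    """Collect {'domains': set, 'ips': set} from every STIX indicator pattern in the bundle."""
    iocs = {"domains": set(), "ips": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        # Non-indicator objects (malware, relationships, ...) carry no patterns and are skipped.
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for kind, value in _ATOM.findall(obj["pattern"]):
            iocs["domains" if kind == "domain-name" else "ips"].add(value.lower())
    return iocs


# Constructed DNS/firewall log lines: "<timestamp> <device_ip> <dns|conn> <destination>".
SAMPLE_LOG = """\
2020-10-29T10:01:02Z 10.20.5.14 dns example-c2.invalid
2020-10-29T10:01:05Z 10.20.5.14 conn 203.0.113.77:443
2020-10-29T10:02:11Z 10.20.7.3 dns update.vendor.example
2020-10-29T10:03:40Z 10.20.9.21 conn 198.51.100.9:80
"""


def find_ioc_hits(log_text: str, iocs: dict) -> list:
    """Return one alert per log line where a device resolves an IoC domain or connects to an IoC IP."""
    hits = []
    for line in log_text.splitlines():
        ts, device, kind, dst = line.split()
        target = dst.rsplit(":", 1)[0].lower() if kind == "conn" else dst.lower()  # strip port
        if target in iocs["domains"] or target in iocs["ips"]:
            hits.append({"time": ts, "device": device, "type": kind, "ioc": target})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, extract_network_iocs(SAMPLE_STIX_BUNDLE)):
        print(f"ALERT {hit['time']} device {hit['device']} -> {hit['ioc']} ({hit['type']})")
```

The two devices that hit an IoC (10.20.5.14 and 10.20.9.21) are the ones a containment plan should isolate first.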
It’s extremely important to pre-plan how you are going to contain compromised endpoints in a timely manner. This is critical when leveraging early detection to limit the spread of the malware and the potential impact.
- Reduce the impact of an attack before it happens
In the event Ryuk has penetrated your network, there are actions you can take to mitigate the attack impact by limiting lateral movement of the ransomware, protecting the most vulnerable critical devices, and making sure real backups are in place.
Ryuk operators are known to use the critical Netlogon vulnerability (CVE-2020-1472) to gain elevated privileges as part of the attack chain, as illustrated in multiple attacks that have occurred recently. Making sure this vulnerability is patched on all your domain controllers will minimize the damage potential.
The CISA advisory pays special attention to legacy devices that "should be identified and inventoried with highest priority and given special consideration during a ransomware event". CyberMDX identifies all devices on your network including medical devices, IoT, and other unmanaged devices. These devices are not only the most critical ones but, in many cases, happen to be highly vulnerable and lack any endpoint protection. Whether it is a CT scanner or an MRI machine, CyberMDX can pinpoint the most vulnerable medical devices and prioritize the remediation or mitigation of these vulnerable devices by applying white-list policies to intelligently isolate them from potential threats.
The advisory also emphasizes blocking unused RDP ports and SMB traffic to limit the attack from effectively spreading. RDP vulnerabilities were a major exploitation technique in recent ransomware attacks - including BlueKeep and DejaBlue, which are wormable vulnerabilities. By applying a policy, CyberMDX can detect RDP and SMB ports that are open on devices but not in use, and enable blocking of these ports via a NAC policy (ACL) or internal segmentation firewall policies.
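As an added example (not CyberMDX's code), this Python snippet shows the logic behind "open but unused" RDP/SMB detection: it joins a listening-port inventory against a window of observed inbound flows and emits generic deny rules for the ports no peer actually used. The inventory, the flow records and the rule syntax are constructed placeholders, not a specific NAC or firewall format.

```python
from collections import defaultdict

RDP_PORT, SMB_PORT = 3389, 445
LATERAL_PORTS = {RDP_PORT, SMB_PORT}

# Constructed inventory: lateral-movement ports each device is listening on.
LISTENING = {
    "10.20.5.14": {RDP_PORT, SMB_PORT},  # workstation, nobody should RDP/SMB into it
    "10.20.7.3": {SMB_PORT},             # file server, SMB legitimately in use
    "10.20.9.21": {RDP_PORT},            # imaging workstation, RDP used by one admin host
}

# Constructed flow summary for the observation window: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.20.1.10", "10.20.7.3", SMB_PORT),
    ("10.20.1.11", "10.20.7.3", SMB_PORT),
    ("10.20.1.10", "10.20.9.21", RDP_PORT),
]


def unused_lateral_ports(listening: dict, flows: list) -> list:
    """Return sorted (device, port) pairs that are open but received no inbound flow in the window."""
    seen = defaultdict(set)
    for _src, dst, port in flows:
        seen[dst].add(port)
    unused = []
    for device, ports in listening.items():
        for port in ports & LATERAL_PORTS:
            if port not in seen[device]:
                unused.append((device, port))
    return sorted(unused)


def deny_rules(pairs: list) -> list:
    """Render one generic deny rule per unused port (placeholder syntax, adapt to your NAC/firewall)."""
    return [f"deny tcp any -> {device} port {port}" for device, port in pairs]


if __name__ == "__main__":
    for rule in deny_rules(unused_lateral_ports(LISTENING, FLOWS)):
        print(rule)
```

A longer observation window reduces false positives from ports that are used only occasionally (e.g. monthly maintenance sessions).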
Be vigilant. Be prepared.
Working against the clock to remediate, mitigate and prepare for a ransomware attack such as Ryuk can be very challenging and intensive. Applying these cost-effective actions, tracking your progress, and keeping an eye out for early signs of an attack is essential.