The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a warning to healthcare providers and public health agencies about an imminent threat of attacks using Ryuk ransomware.
An advisory was issued on October 28, 2020 after credible evidence was uncovered indicating the operators of Ryuk ransomware were embarking on a campaign targeting hospitals and other healthcare organizations in the United States.
So far this week, several hospitals have been attacked and have had their systems taken offline by ransomware, with 6 Ryuk ransomware attacks on hospitals occurring in a single day. This week’s victims include Wyckoff Heights Medical Center in Brooklyn, NY, the University of Vermont Health Network, Sky Lakes Medical Center in Oregon, and St. Lawrence Health System in New York.
The advisory provides indicators of compromise and suggested mitigations to help healthcare organizations defend their networks against attacks and identify potential attacks in progress.
Ransomware attacks on healthcare organizations have been increasing in recent weeks. Data from Check Point shows a 71% increase in ransomware attacks on the healthcare industry in the United States in October, making it the most targeted industry this month. The healthcare industry was also the most targeted sector in Q3 2020, when there was a 50% increase in daily ransomware attacks from the previous quarter.
While there are many ransomware variants being used in attacks on the healthcare sector, Ryuk has by far the biggest share, with 75% of healthcare ransomware attacks involving Ryuk ransomware. Ryuk ransomware is deployed in targeted attacks on healthcare organizations, rather than mass spam email campaigns that aim to infect as many organizations as possible.
Hospitals and other healthcare providers are currently battling COVID-19, with the latest figures showing record numbers of cases in the United States in the past week. With hospitals having to treat increasing numbers of patients, they simply cannot afford the downtime and often end up paying the ransom in order to get their systems back online quickly. It would appear that the Ryuk operators are taking advantage of this, with attacks having steadily increased in recent weeks.
Ryuk ransomware is believed to have been created by an Eastern European hacking group known as UNC1878 or Wizard Spider. According to Mandiant’s senior vice president and CTO, Charles Carmakal, the hackers intend to conduct attacks on hundreds of hospitals. Carmakal said the hacking group is “one of the most brazen, heartless and disruptive threat actors I’ve observed.”
It has been suggested that while the attacks are conducted for financial gain, the increase in attacks may have been triggered by the disruption to the TrickBot botnet, which was extensively used to distribute Ryuk ransomware.
In addition to using TrickBot to deliver the ransomware, researchers at Sophos report that the Ryuk operators have started using an alternative malware loader, Buer Loader. Like Emotet, Buer Loader is primarily delivered using phishing emails.