Three US Federal authorities – the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) – jointly issued an advisory about the threat of ransomware attacks against the healthcare system in the US. This advisory detailed the tactics and techniques used by ransomware group Ryuk to infiltrate, encrypt, and extort the healthcare system.
All three agencies have received information about imminent threats to US hospitals and healthcare providers. They have also asked the members of the healthcare sector to exercise greater caution in their cybersecurity.
The advisory specifically stated that malicious cyberattackers are targeting the healthcare industry using Trickbots, which would lead to ransomware attacks and large amounts of data theft. Organizations which are catering to the needs of Covid-19 patients would have a tough time catering to their cybersecurity needs.
Trickbot and Ryuk
The advisory given by the federal agencies contains the modus operandi of the Trickbot malware, which is often an accomplice to a Ryuk ransomware attack. Trickbot was originally used as a trojan horse for banking scams but has now widened its scope by being a delivery agent of ransomware.
CISA discovered several backdoors within the Trickbot malware, which allowed hackers to send and receive data from victim machines. An example of such tools is the Anchor_DNS tool.
Once successfully inside the system, Trickbot lays itself in specific directories and disguises itself as a “.exe” file with a randomly generated name.
Trojan malware like Emotet and Trickbot usually carry a ransomware package with them, which begins encrypting a victim system upon delivery. Ryuk is one of the most dangerous ransomware groups active in the world today. It is a mutation of the Hermes 2.1 ransomware and has been proactive on the block since August 2018.
Ryuk infiltrates the system by stealing important credentials using PowerShell and CobaltStrike tools, which use brute force tactics to churn passwords and gain access to a system. The federal advisory details the method of Ryuk’s offensive, and mentions the MITRE ATT&CK techniques used.
The advisory comes only weeks after the brutal attack on the Universal Health Services (UHS) hospitals by Ryuk, which left nearly 400 healthcare locations in the US and UK useless.
According to AP, “Independent security experts say it has already hobbled at least five U.S. hospitals this week, and could potentially impact hundreds more.”
“We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States,” Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, said in a statement.
Private security firms are expected to be on high alert after the issuance of this advisory.