By Brian Tant
On October 29, 2020 a confidential source said that an RYUK attack against US-based hospitals and clinics was an “Increased and Imminent Cybercrime Threat.” In the days that followed, we saw the attack unfold.
What we know: This appears to be an RYUK ransomware attack being delivered through phishing attacks. Raxis recommends heightened vigilance across all attack vectors and instrumentation.
Who: The attack targets US-based hospitals, clinics, and other healthcare facilities, all of which should be on heightened alert for Indications of Compromise (IOCs).
When: Several US hospitals have already been attacked.
What to do:
- Disseminate threat notifications to users and establish a cadence to update them as the threat evolves.
- Isolate critical systems where possible.
- Review Incident Response (IR) plans and confirm their accuracy.
- Verify systems are patched and up to date.
- Adjust instrumentation to detect known ransomware IOCs.
- Use MFA wherever possible and consider enforcing MFA in instances where it is optional.
- Enforce cybersecurity hygiene including auditing user accounts with admin privileges and closing unnecessary ports.
- Backup all critical data and verify restoration capabilities.
- Verify endpoint protection measures are up to date and functioning properly.
Technical details of the attack:
- Typically, RYUK has been deployed as a payload from Trojans such as Trickbot.
- RYUK actors use common tools to dump cleartext passwords as well as password hashes that can be brute forced offline.
- Payloads may establish persistence based on DLL injection or other common techniques and maintain it by creating scheduled tasks and services.
- RYUK actors will conduct network reconnaissance using Windows Net commands, nslookup, and ping to locate mapped network shares, domain controllers, and Active Directory resources.
- RYUK actors also use PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (MS-RDP) for lateral movement through the network.
- RYUK uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
- Actors will attempt to disable or remove security applications on victim systems that might prevent the ransomware from executing.
For updates on this topic, please check out our blog article. Visit raxis.com for additional information about penetration testing, red team engagements, and remote vulnerability assessments.
Brian Tant is a veteran cybersecurity professional who serves as chief technology officer for Raxis, an Atlanta-based penetration testing company whose customers include some of the largest corporations in the US.