The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued an advisory warning about increased Ryuk ransomware activity targeting the healthcare and public health sector.
Credible evidence has been obtained indicating an increased and imminent threat to hospitals and healthcare providers in the United States. The advisory details some of the tactics, techniques, and procedures (TTPs) used by the operators of Ryuk ransomware and other cybercriminal groups who are assisting with the distribution of the ransomware to help the healthcare sector manage risk and protect their networks from attacks.
The advisory explains that Ryuk ransomware is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is a banking Trojan first identified in 2016 that has since been updated with a host of new functions. In addition to stealing banking credentials, TrickBot is capable of mail exfiltration, cryptomining, and data exfiltration from point-of-sale systems, and it acts as a downloader for other malware, notably Ryuk ransomware.
In 2019, the FBI identified that a new module, named Anchor, had been added. Anchor sends and receives data from victim machines using DNS tunneling, allowing communications with its command and control infrastructure to go undetected by many security solutions. The advisory provides indicators of compromise (IoCs) to help network defenders identify TrickBot infections.
Once Ryuk ransomware has been deployed, common off-the-shelf products such as Cobalt Strike and PowerShell Empire are used to steal credentials. “Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz,” explained CISA in the alert. “This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.”
The Ryuk threat actors use living-off-the-land techniques, relying on tools such as net view, net computers, and ping to find mapped network shares, domain controllers, and Active Directory. Native tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) are often used to move laterally through the network, along with third-party tools such as BloodHound.
The attackers will identify and shut down security applications to prevent detection of the ransomware and may even manually remove certain security applications that would otherwise stop the ransomware from executing. Attempts are also made to delete backup files and Volume Shadow Copies to prevent victims from recovering their files without paying the ransom.
You can view the advisory, IoCs, and suggested mitigations on this link.
Ryuk Operators Transition to Malware as a Service Tool for Distributing Ransomware
While not detailed in the recent advisory, evidence indicates that the operators of Ryuk ransomware are transitioning away from TrickBot and are now using a malware-as-a-service tool to deliver their ransomware payload.
Security firm Sophos has reported that the Buer loader is now being used to deliver Ryuk ransomware. The Buer loader was first advertised to other malware operators on hacking forums in August 2019 for use in delivering malware and ransomware payloads. According to the Sophos researchers, the operators of TrickBot have been using the Buer loader for several months.
The Buer loader is primarily distributed using phishing emails, often carrying malicious Word documents. Sophos notes that the Buer loader uses PowerShell commands to change settings on Windows devices to evade detection, including modifying the Windows Defender exclusion list. A dropper is used to load Buer into memory and execute the loader, which then downloads Ryuk ransomware.
While the Buer loader is being used for the initial compromise to gain a foothold in networks, the tactics used by the Ryuk operators once access to the network is gained remain the same.
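The two host-side behaviours the article singles out, deletion of Volume Shadow Copies to block recovery and PowerShell edits to the Windows Defender exclusion list launched from a malicious Word document, both leave traces in process-creation telemetry. The detector below is an added example written for this page, not code from CISA, Sophos or the advisory; the log lines are constructed, the `user|parent|command line` layout is an assumed flattening of Sysmon-style events, and the ATT&CK technique IDs are the real ones for these behaviours.

```python
import re
from typing import NamedTuple

# Constructed sample telemetry (not real data): one process-creation event per
# line, flattened to "user|parent image|command line".
SAMPLE_LOG = """\
alice|explorer.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n report.docx
alice|WINWORD.EXE|powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\\Users\\alice\\AppData\\Local\\Temp"
svc-backup|services.exe|vssadmin.exe list shadows
SYSTEM|cmd.exe|vssadmin.exe delete shadows /all /quiet
SYSTEM|cmd.exe|wmic shadowcopy delete
bob|explorer.exe|notepad.exe notes.txt
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

class Finding(NamedTuple):
    line_no: int
    user: str
    rule: str
    technique: str  # MITRE ATT&CK technique ID

# Command-line rules: (rule name, pattern, ATT&CK ID).
# Listing shadows is normal backup behaviour, so only deletion is flagged.
COMMAND_RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
     "T1490"),   # Inhibit System Recovery
    ("defender_exclusion_added",
     re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I),
     "T1562.001"),  # Impair Defenses: Disable or Modify Tools
]

def detect(log_text: str) -> list[Finding]:
    """Return one Finding per matched rule, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip blank or malformed records
        user, parent, cmd = parts[0], parts[1].strip().lower(), parts[2]
        for rule, pattern, tid in COMMAND_RULES:
            if pattern.search(cmd):
                findings.append(Finding(n, user, rule, tid))
        # Parent-child check: an Office application spawning PowerShell is the
        # maldoc delivery chain described for the Buer loader.
        if parent in OFFICE_PARENTS and re.search(r"\bpowershell(\.exe)?\b", cmd, re.I):
            findings.append(Finding(n, user, "office_spawned_powershell", "T1566.001"))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} -> {f.rule} ({f.technique})")
```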