Cybersecurity Threat Advisory: Ryuk Ransomware Activity Targeting the Healthcare and Public Health Sector
Posted on November 2, 2020 by Mike Beagles
As part of our effort to inform our clients about potentially serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week, there is a new critical alert that requires the immediate attention of the healthcare and public health sectors.
Advisory Overview
MCP’s outsourced network operations partner is closely following the increase of ransomware activity targeting the healthcare sector. Threat actors are infecting critical healthcare providers’ communications network infrastructures with the Ryuk ransomware variant.
A successful attack could disable these infrastructures and expose sensitive data, including patient health records, to increased risk. MCP has observed that this ransomware traditionally is delivered through emails with malicious attachments (i.e., macro-enabled documents) and/or vulnerable external assets. As such, users should be extra cautious when viewing links, attachments, or emails from unknown or unexpected senders. Additionally, it is important to ensure that vulnerabilities are patched, and security updates are applied to help prevent attacks from known exploits.
Technical Detail and Additional Information
What is the threat?
Ryuk first emerged in 2018 and has been widely attributed to North Korean threat actors. Typically, Ryuk has been deployed in conjunction with banking trojans such as TrickBot. Many threat actors rely on off-the-shelf tooling such as Cobalt Strike, PowerShell Empire, Mimikatz, and BloodHound, all of which are attack tools used to complete the enumeration/escalation phase that enables threat actors to move across a target’s environment and maintain persistence.
Once the operators have moved laterally throughout the network, Ryuk encrypts files, deletes all backups/shadow copies, and drops a RyukReadMe ransom note. Victims are then instructed to pay a specific amount to a bitcoin wallet to obtain a decryptor.
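The two host-level artifacts named above (shadow-copy deletion and the dropped RyukReadMe note) are exactly the events a detection engineer wants to alert on before encryption finishes. The following Python detector is an added example and is not code from the advisory or from MCP; it runs over constructed, simplified process-creation and file-creation log lines (not real telemetry), and it assumes the shadow copies are deleted through the built-in Windows utilities vssadmin, wmic or wbadmin, which the advisory itself does not name.

```python
import re
from typing import Dict, List

# Constructed sample events (not from the advisory): one line per event,
# key=value fields, quoted values may contain spaces and backslashes.
SAMPLE_EVENTS = [
    'ts=2020-11-02T09:14:01Z type=process host=ws01 user=jdoe '
    'cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"',
    'ts=2020-11-02T09:14:03Z type=process host=ws01 user=jdoe '
    'cmd="wmic shadowcopy delete"',
    'ts=2020-11-02T09:15:40Z type=file host=ws01 user=jdoe '
    'path="C:\\Users\\jdoe\\Documents\\RyukReadMe.html"',
    'ts=2020-11-02T09:20:00Z type=process host=ws02 user=svc_backup '
    'cmd="vssadmin list shadows"',
    'ts=2020-11-02T09:21:00Z type=process host=ws03 user=asmith '
    'cmd="notepad.exe C:\\readme.txt"',
]

# Assumed command patterns for shadow-copy / backup-catalog destruction.
# The advisory only says "deletes all backups/shadow copies"; these
# specific utilities are an assumption of this example.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]
# The ransom-note file name is taken from the advisory text.
RANSOM_NOTE_PATTERN = re.compile(r"RyukReadMe", re.I)

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per matching event, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            cmd = ev.get("cmd", "")
            if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
                alerts.append({"host": host, "rule": "shadow_copy_deletion",
                               "evidence": cmd})
        elif ev.get("type") == "file":
            path = ev.get("path", "")
            if RANSOM_NOTE_PATTERN.search(path):
                alerts.append({"host": host, "rule": "ryuk_ransom_note",
                               "evidence": path})
    return alerts


def hosts_with_both(alerts: List[Dict[str, str]]) -> List[str]:
    """Hosts where backups were destroyed AND a ransom note appeared:
    these are the ones to isolate first."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items()
                  if {"shadow_copy_deletion", "ryuk_ransom_note"} <= rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']}: {a['evidence']}")
    print("isolate first:", hosts_with_both(found))
```

The `vssadmin list shadows` line on ws02 deliberately does not fire: listing shadow copies is routine, deleting them is not. In production the deletion rule still needs an allow-list for legitimate backup agents that prune shadow copies on a schedule, and the ransom-note rule is a last-resort signal, since by the time the note lands encryption on that host is already under way.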
Why is this noteworthy?
The number of ransomware and other cyberattacks has risen sharply this year, and healthcare facilities and public health organizations have been particularly targeted since the start of the COVID-19 global pandemic. Successful intrusion and deployment of ransomware against a healthcare provider can have a major impact on the facility’s information technology (IT) infrastructure and on the patients receiving care. Not only will sensitive information be stolen, but also a large amount of funds may be lost if the ransom is paid. In addition, patients may experience prolonged wait times or be forced to switch healthcare providers if they are in a life-threatening condition, because ransomware generally renders critical systems inoperable. It is important, then, that advanced endpoint protection is in place, proper security awareness training is given to employees, multifactor authentication is enabled, and backups are readily available.
What is the exposure or risk?
There are two major risks associated with this ransomware activity targeting the healthcare and public health sectors. In most cases, ransomware is deployed for financial motives. However, as Ryuk is specifically targeting healthcare and public health organizations that hold sensitive patient information, a major risk exists concerning the contents of stolen information. Theft of patient data could have major legal repercussions and cause incalculable financial damage. Additionally, if sensitive/critical devices in the healthcare and public health sectors are compromised, the fight against the COVID-19 pandemic could be impacted. Phishing emails are the main technique an attacker will use to gain a point of entry into an organization’s communications environment, usually by getting a user to open a macro-enabled document that infects the system once it is downloaded and executed.
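Because the advisory names macro-enabled attachments as the usual point of entry, a mail gateway or SOC triage script should decide on the attachment's content rather than trust its extension. The Python below is an added example, not code from the advisory or from MCP: it builds a few constructed attachments in memory (a macro-enabled document, a clean one, a macro document renamed to .docx, a legacy OLE file, and plain text) and assigns each a quarantine/review/allow verdict by looking for an embedded VBA project inside the OOXML zip container. The verdict names and the `assess_attachment` function are this example's own.

```python
import io
import os
import zipfile
from dataclasses import dataclass

# Office extensions that may legitimately carry VBA macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam"}
# All OOXML (zip-based) Office extensions, macro-enabled or not.
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".dotx", ".xlsx", ".xltx",
                                       ".pptx", ".potx"}
# Magic bytes of the legacy binary (OLE2) Office container (.doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class Verdict:
    filename: str
    verdict: str   # "quarantine" | "review" | "allow"
    reason: str


def _ooxml_has_vba(data: bytes) -> bool:
    """True if the zip package carries a vbaProject.bin part (VBA macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename: str, data: bytes) -> Verdict:
    """Content-based triage: the bytes decide, the extension only refines."""
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(OLE_MAGIC):
        # Macros in the legacy format live in OLE streams; without an OLE
        # parser this example cannot rule them out, so send it for review.
        return Verdict(filename, "review",
                       "legacy binary Office container; macros cannot be ruled out")
    if ext in OOXML_EXTENSIONS or data.startswith(ZIP_MAGIC):
        if _ooxml_has_vba(data):
            # Holds even when the file was renamed to a "safe" extension.
            return Verdict(filename, "quarantine",
                           "OOXML package contains vbaProject.bin (embedded VBA)")
        if ext in MACRO_EXTENSIONS:
            return Verdict(filename, "review",
                           "macro-enabled extension but no VBA project found")
        return Verdict(filename, "allow", "OOXML package without VBA project")
    return Verdict(filename, "allow", "not an Office document")


def _build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal zip that mimics an OOXML Word package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


# Constructed sample attachments (not real malware, not from the advisory).
SAMPLES = {
    "invoice.docm": _build_ooxml(with_vba=True),
    "report.docx": _build_ooxml(with_vba=False),
    "renamed.docx": _build_ooxml(with_vba=True),   # macro doc with a benign-looking name
    "old.doc": OLE_MAGIC + b"\x00" * 16,
    "notes.txt": b"plain text, nothing to see",
}


def triage(samples: dict) -> dict:
    """Map each attachment name to its verdict string."""
    return {name: assess_attachment(name, data).verdict
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        v = assess_attachment(name, data)
        print(f"{v.verdict:10} {name:15} {v.reason}")
```

The `renamed.docx` case is the one worth internalising: a deny-list on `.docm` alone lets it through, while inspecting the package for `vbaProject.bin` catches it regardless of name. For the legacy `.doc` format the example only escalates to review, which is the honest answer unless a proper OLE parser is added.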
What are the recommendations?
It is highly recommended that your organization maintain a healthy cybersecurity posture by following the best practices below:
- Deploy endpoint detection and response (EDR) tooling so that malware is quarantined before it executes.
- Have a data backup and recovery plan in place for any mission-critical information, and have the most critical information stored outside the network. Regularly test these backups to ensure that they function correctly and to gauge their performance in the event of a real crisis.
- Ensure that your systems are updated with the latest security patches.
- Educate employees on the common vectors for phishing, which is the most common source of ransomware.
- Audit user permissions and practice the principle of “least privilege,” which ensures that every user is granted only the network access that is absolutely necessary for his/her job function.
- Have a strong password policy in place, and implement multifactor authentication wherever possible.
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety entities and other critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy.
Mike Beagles has specialized experience with supporting mission critical communications agencies by providing technical expertise, strategic IT planning, and architecting both on-prem and shared systems for new and innovative technologies as well as legacy solutions. He currently manages the platform and suite of tools used to deliver MCP network and cybersecurity monitoring to our clientele.