US Hospitals Warned of Fresh Wave of Ransomware AttacksWarning From CISA nd FBI Follows Reports of Several Hospitals Hit With Malware
The FBI and the U.S. Cybersecurity and Infrastructure Security Agency are warning hospitals about a fresh wave of Ryuk ransomware attacks that have recently targeted healthcare facilities around the country.
The joint alert issued Wednesday, which includes input from the U.S. Department of Health and Human Services, follows several media reports that hospitals across the U.S. have been attacked by ransomware over the past week.
The motive behind this recent rash of ransomware attacks appears to be financial gain, according to the joint alert.
"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," according to the joint alert. "CISA, FBI and HHS are sharing this information to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats."
There is an imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.— Cybersecurity and Infrastructure Security Agency (@CISAgov) October 29, 2020
We released an advisory with the @FBI & @HHSgov about this #ransomware threat that uses #Trickbot and #Ryuk malware. Here is how to mitigate your risk: https://t.co/joBOCx5Usk
This series of attacks prompted a call among the FBI, the Department of Homeland Security and the administrators of several large hospitals on Wednesday to discuss the security issues and response, according to Reuters.
After a dormant period starting in March, Ryuk activity has surged since the end of the third quarter, says Bill Siegel, the CEO of incident response firm Coveware. This not only includes attacks against hospitals and healthcare facilities, but also an incident involving French IT services company Sopra Steria earlier this month (see: French IT Services Firm Confirms Ryuk Ransomware Attack).
Ransomware attacks against hospitals have also prompted lawmakers to raise concerns about these facilities' cybersecurity practices, especially as healthcare entities face recent increases in COVID-19 cases, which could then impact the care of patients (see: Senator Demands Answers on Universal Health Services Outage).
The joint alert Wednesday notes that several recent attacks against hospitals and healthcare facilities have started with the deployment of the Trickbot malware within infected devices. Originally a banking Trojan, Trickbot has been revamped over the years to acts as a "dropper" that can deliver other malware such as ransomware, according to the alert.
The alert notes the FBI has found that the operators behind Trickbot started to use a new backdoor called Anchor in 2019 as a way to communicate with a command-and-control server. This malware allows malicious traffic to blend in with normal traffic by using DNS tunneling techniques.
"These attacks often involved data exfiltration from networks and point-of-sale devices," according to the alert. "As part of the new Anchor toolset, Trickbot developers created AnchorDNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling."
The Anchor backdoor can also be used to steal credentials as well as deliver malicious payloads such as the Ryuk ransomware, to compromised networks and devices, according to the joint alert.
Over the years, security researchers have observed threat actors using a combination of the Emotet botnet along with Trickbot to deliver Ryuk to multiple victims.
Earlier this month, Microsoft and several security partners and U.S. government agencies announced an operation that targeted Trickbot's infrastructure to disrupt the botnet's activities. And while Microsoft has claimed that it's disrupted more than 90% of the infrastructure, other security firms such as CrowdStrike believe its operators are quickly working to rebuild the botnet (see: Trickbot Rebounds After 'Takedown').
But this week, the security firm Sophos published an analysis that found the operators of Ryuk had started to use a new malware-as-a-service tool over the past two months to deliver the ransomware to potential victims (see: Ryuk Ransomware Delivered Using Malware-as-a-Service Tool)
Charles Carmakal, senior vice president and CTO security firm FireEye Mandiant, noted that the group behind these hospital attacks, which the company calls UNC1878, have been deliberately targeting healthcare facilities with ransomware to turn a profit.
"UNC1878, an Eastern European financially motivated threat actor, is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other healthcare providers," Carmakal says. "Patients may experience prolonged wait time to receive critical care. Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline."
Brett Callow, a threat analyst at security firm Emsisoft, notes that the firm has confirmed over 60 ransomware attacks against U.S. healthcare organizations and hospitals since the start of the year, which have caused disruptions at nearly 500 facilities.
It's not clear, however, if this latest round of attacks involving Trickbot and Ryuk represents an uptick in activity or that law enforcement and hospital officials are taking notice of this particular threat group's activities, Callow says.
"The Ryuk operators have a very long track record of attacking the public sector, including healthcare providers, causing multiple government agencies to issue alerts," Callows tells Information Security Media Group. "At this point, I do not have sufficient information to be able to say whether the current attacks are indicative of an unusual campaign, or whether it’s simply a case of business as usual."
As usual, the FBI and CISA are asking hospitals not to pay the ransom if they are targeted and to contact law enforcement officials.
"Payment does not guarantee files will be recovered," according to the alert. "It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities."
The alert notes that healthcare organizations should at least patch any operating systems, network equipment and applications that have known vulnerabilities, change administrative passwords frequently, disable Remote Desktop Protocol access if not needed, use multifactor authentication and create backups to help speed recovery.
Managing Editor Scott Ferguson contributed to this report.