Ryuk ransomware is being aggressively deployed to target US healthcare institutions, government cyber organisations in the US have warned.
"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers," the cybersecurity, investigative, and healthcare agencies said in a joint statement published overnight.
They warned that the American healthcare sector is at particular risk of attack, saying in an advisory note:
The cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. What began as a banking trojan and descendant of Dyre malware now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk.
The caution comes as US hospitals faced an unusually high level of malware and ransomware attacks in spite of promises from criminals earlier this year that they would avoid targeting medical institutions. Just four weeks ago, the IT network of Universal Health Services, which operates over 400 hospitals stateside, was hit by malware, but the company would not specify the strain and declined to comment on whether it was Ryuk.
The uptick in ransomware generally has been noted by most major infosec companies, but Ryuk in particular has surged this year. FireEye stated that three malware families it had codenamed Kegtap, Singlemalt, and Winekey had all been used against medical institutions in campaigns that deploy loaders and backdoors.
Those campaigns started in some cases with emails distributed through Sendgrid, which directed recipients to a malicious Google document, with recent variations using a similar MO but over attacker-controlled email infrastructure. Clicking links in the documents downloads malware binaries that are then executed on the victim's machine, with the malware being hosted on diverse platforms including Google Drive, Slack, Trello, and others.
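The delivery chain above (a tracked email link, a lure document, then a binary fetched from a legitimate file-hosting platform) is something a proxy log can surface even when every host involved is reputable. The following is an added detection sketch, not code from The Register, FireEye, or the advisory: it parses a constructed proxy log, treats hits on a Sendgrid click-tracking host or Google Docs as the lure stage, and raises an alert when the same client then downloads executable-looking content from one of the hosting platforms the article names. The log format, the specific hostnames (`.ct.sendgrid.net`, `files.slack.com`, and so on), the content types, and the 30-minute correlation window are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log; format: "ISO-time client method url status content-type".
# The URLs and IDs are made up for the example.
SAMPLE_LOG = """\
2020-10-28T09:01:12 10.0.0.15 GET https://u1234.ct.sendgrid.net/ls/click?upn=abc 302 text/html
2020-10-28T09:01:14 10.0.0.15 GET https://docs.google.com/document/d/EXAMPLEDOC/edit 200 text/html
2020-10-28T09:02:40 10.0.0.15 GET https://drive.google.com/uc?export=download&id=EXAMPLEID 200 application/octet-stream
2020-10-28T09:30:00 10.0.0.22 GET https://drive.google.com/uc?export=download&id=REPORT 200 application/pdf
2020-10-28T11:15:03 10.0.0.31 GET https://files.slack.com/files-pri/T000/update.exe 200 application/x-msdownload
"""

# Lure stage: Sendgrid click tracking and Google Docs (hostnames are assumptions).
SENDGRID_TRACKING_SUFFIX = ".ct.sendgrid.net"
LURE_DOC_HOST = "docs.google.com"
# Payload stage: platforms the article names as malware hosting (exact hostnames assumed).
PAYLOAD_HOSTS = {
    "drive.google.com",
    "files.slack.com",
    "trello.com",
    "trello-attachments.s3.amazonaws.com",
}
# Responses that look like a binary rather than a document.
BINARY_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-dosexec",
    "application/zip",
}
BINARY_EXTENSIONS = (".exe", ".dll", ".js", ".jse", ".vbs", ".hta")


@dataclass
class Event:
    when: datetime
    client: str
    host: str
    path: str
    content_type: str


def parse_log(text):
    """Parse the constructed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, ctype = line.split()
        parsed = urlparse(url)
        events.append(Event(datetime.fromisoformat(ts), client,
                            parsed.hostname or "", parsed.path, ctype))
    return sorted(events, key=lambda e: e.when)


def is_lure(event):
    """A click on a Sendgrid-tracked link or a visit to a Google Docs document."""
    return event.host.endswith(SENDGRID_TRACKING_SUFFIX) or event.host == LURE_DOC_HOST


def is_binary_from_hosting(event):
    """Executable-looking content served from one of the named hosting platforms."""
    return event.host in PAYLOAD_HOSTS and (
        event.content_type in BINARY_TYPES
        or event.path.lower().endswith(BINARY_EXTENSIONS)
    )


def detect(log_text, window=timedelta(minutes=30)):
    """Return alerts for binary downloads from hosting platforms.

    Severity is 'high' when the same client hit a lure within `window`
    beforehand (the full chain the article describes), 'medium' otherwise.
    """
    alerts = []
    last_lure = {}  # client -> time of its most recent lure hit
    for event in parse_log(log_text):
        if is_lure(event):
            last_lure[event.client] = event.when
            continue
        if not is_binary_from_hosting(event):
            continue
        lure_time = last_lure.get(event.client)
        recent_lure = lure_time is not None and event.when - lure_time <= window
        alerts.append({
            "client": event.client,
            "when": event.when.isoformat(),
            "host": event.host,
            "severity": "high" if recent_lure else "medium",
            "preceded_by_lure": recent_lure,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the first client produces a high-severity alert (tracked link, Google Doc, then an `application/octet-stream` download from Drive within two minutes), the PDF download is ignored, and the bare `.exe` from Slack is flagged at medium severity because no lure preceded it. In a real deployment the content-type check is the weaker signal, since attackers control what the hosting platform reports, so pairing it with the lure correlation and with endpoint execution telemetry is what makes the rule useful.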
"A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs [tactics, techniques and procedures] have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware," said the firm in its blog post summarising the threat and publishing details of TTPs and indicators of compromise.
Similarly, SonicWall researchers "tracked aggressive growth during each month of Q3, including a massive spike in September" in Ryuk attacks targeting the US. While countries such as the UK, Germany, and India saw declines in Ryuk, "the US saw a staggering 145.2 million ransomware hits – a 139 per cent year-on-year increase," said the firm in a statement.
Terry Greer-King, SonicWall's EMEA VP, told The Register: "The bad guys, just like anybody else, are trying to be more efficient in terms of bang for buck. You can make a lot of money out of ransomware… Pretty damning that they're attacking hospitals but I guess money talks."
SonicWall said that in Q3 2019 it detected 5,123 Ryuk attacks and compared that to Q3 this year, where its sensors picked up 67.3 million Ryuk attacks.
"What's interesting is that Ryuk is a relatively young ransomware family that was discovered in August 2018 and has made significant gains in popularity in 2020," said Dmitriy Ayrapetov, SonicWall veep for Platform Architecture. "The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals."
Ransomware attacks have also targeted hospitals elsewhere in the world, though the increase has not been as pronounced as in the US. ®