With COVID-19 cases surging and hospitalizations increasing, the operators of the Ryuk ransomware smell opportunity.
Security researchers say the Ryuk gang is unleashing an unprecedented wave of ransomware attacks against U.S. hospitals, hoping to make tens of millions in ransom payments.
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) just issued a joint alert around this type of ransomware attack, calling it an "increased and imminent threat" for hospitals and healthcare providers.
Here's how serious this threat from Ryuk ransomware is for the healthcare industry:
"We are experiencing the most significant cyber security threat we've ever seen in the United States," Charles Carmakal, Chief Technical Officer of Mandiant, told the Associated Press.
Alex Holden, CEO of Hold Security, notified the U.S. government of a spike in Ryuk attacks being launched against hospitals, and tells the AP that Ryuk operators are threatening much more.
He said the group was demanding ransoms above $10 million per target and that Dark Web discussions mentioned plans to try to infect more than 400 hospitals, clinics, and other medical facilities.
"One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems," Holden said. "They are hitting where it hurts even more and they know it."
If Ryuk ransomware knocks a hospital's network offline, will the hospital pay a ransom? The stakes rise as the patients' medical needs become more urgent.
Just ask hospital CEO and president Steve Long. He paid the ransom demand after ransomware locked up his hospital's network.
Why? Hackers had hit Hancock Regional Hospital during a severe 2018 flu season. That was a major factor in the decision to pay.
"By 10:30 that night we had shut down every single computer that we had and all our servers," Long recalled about the Thursday night in January. "By midnight we successfully shut off every computer in the organization and started from scratch. It's surreal," he told CNBC.
The FBI and CISA alert in this case reveals more about how Ryuk ransomware attacks work.
Attacks are served up by the Trickbot delivery system, which is essentially a network of compromised "zombie" computers (a botnet). Microsoft recently took down a large part of Trickbot's infrastructure, but Ryuk operators apparently found a way around that, hitting at least five U.S. hospitals in the last week.
Trickbot, by the way, started as a banking trojan. Now it deploys payloads across industry verticals.
According to the CISA alert, once a network is compromised, Ryuk operators use the following techniques to obtain additional network credentials, stay hidden, and launch the attack:
"While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz.
This allows the actors to inject a malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.
Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory.
In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.
Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key."
And what about your security tools? Ryuk operators spend time trying to negate those as well:
"...the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack."
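The two alert excerpts above describe a chain of behaviors a defender can look for on each host: credential dumping from memory, persistence through scheduled tasks and new services, living-off-the-land discovery with net view and ping, lateral movement over WMI, WinRM and RDP, and finally scripted shutdown of security products. The script below is an added example, not code from the article or from the CISA/FBI alert. It maps each of those stages to a simple rule over Windows telemetry and flags a host only when several distinct stages appear on it, which is what separates an intrusion from a lone administrator running net view. The event IDs are real (Sysmon 1 and 10; Windows Security 4624 and 4698; System 7045), but the field layout, the hostnames, the "ExampleAV Service" name and every sample record are constructed for this example.

```python
"""Host-level correlation of Ryuk-style tradecraft across Windows event telemetry.

Added example: maps the stages described in the CISA/FBI alert excerpts to
regex rules and scores each host by the number of distinct stages it exhibits.
Event IDs are real Sysmon/Windows IDs; the message layout, hostnames and
sample records below are constructed for this example.
"""
import re
from collections import defaultdict

# (stage, event_id, regex over the event message), ordered roughly by intrusion stage.
# Event IDs: Sysmon 1 = process create, Sysmon 10 = process access,
# Security 4624 = logon, Security 4698 = scheduled task created, System 7045 = service installed.
RULES = [
    # Credential access: Mimikatz-style reads of LSASS memory.
    ("credential_access", 10, re.compile(r"TargetImage=\S*\\lsass\.exe", re.I)),
    # Persistence: any new scheduled task or service install counts; tune per environment.
    ("persistence", 4698, re.compile(r".")),
    ("persistence", 7045, re.compile(r".")),
    # Discovery: native enumeration named in the alert (net view / net group, ping sweeps).
    ("discovery", 1, re.compile(r"\bnet1?\s+(view|group|user|localgroup)\b|\bping\s+-n\s+1\b", re.I)),
    # Lateral movement: WMI remote process creation, WinRM, PowerShell remoting, RDP client.
    ("lateral_movement", 1, re.compile(r"\bwmic\b.*/node:|\bwinrs\b|Invoke-Command\b.*-ComputerName|\bmstsc\b|\bpsexec", re.I)),
    # LogonType 10 = RemoteInteractive (RDP) on the destination host; type 3 is too noisy to use alone.
    ("lateral_movement", 4624, re.compile(r"LogonType=10\b")),
    # Defense evasion: scripted stop/uninstall of security services (the alert's "via a script").
    ("defense_evasion", 1, re.compile(
        r"\b(net1?\s+stop|sc(\.exe)?\s+(stop|delete|config)|taskkill\s+/f|msiexec(\.exe)?\s+/x|wmic\b.*\bproduct\b.*\buninstall)\b",
        re.I)),
]

# Constructed sample telemetry (hostnames and commands are illustrative, not from the page).
SAMPLE_EVENTS = [
    {"host": "WS-NURSING-07", "event_id": 10,
     "message": r"SourceImage=C:\Users\jdoe\AppData\Local\Temp\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010"},
    {"host": "WS-NURSING-07", "event_id": 1, "message": r"CommandLine=net view /domain"},
    {"host": "WS-NURSING-07", "event_id": 1, "message": r'CommandLine=net group "domain admins" /domain'},
    {"host": "WS-NURSING-07", "event_id": 1,
     "message": r'CommandLine=wmic /node:FILESRV-02 process call create "cmd.exe /c start.bat"'},
    {"host": "WS-NURSING-07", "event_id": 4698,
     "message": r"TaskName=\Microsoft\Windows\Update\sysupdate Command=C:\Users\Public\update.exe"},
    {"host": "WS-NURSING-07", "event_id": 1, "message": r'CommandLine=net stop "ExampleAV Service" /y'},
    # Benign-looking noise on other hosts: one stage each is not enough to alert.
    {"host": "FILESRV-02", "event_id": 7045,
     "message": r"ServiceName=BackupAgent ImagePath=C:\Program Files\Backup\agent.exe"},
    {"host": "FILESRV-02", "event_id": 4624,
     "message": r"LogonType=10 TargetUserName=svc_backup IpAddress=10.20.3.41"},
    {"host": "WS-ADMIN-03", "event_id": 1, "message": r"CommandLine=ping -n 1 dc01.hospital.local"},
]


def classify(record):
    """Return the set of intrusion stages a single event record matches."""
    return {stage for stage, eid, rx in RULES
            if record["event_id"] == eid and rx.search(record["message"])}


def correlate(records, min_stages=3):
    """Group rule hits per host and return {host: {stage: [messages]}} for every
    host that shows at least `min_stages` distinct stages of the chain."""
    per_host = defaultdict(lambda: defaultdict(list))
    for rec in records:
        for stage in classify(rec):
            per_host[rec["host"]][stage].append(rec["message"])
    return {host: dict(stages) for host, stages in per_host.items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"[ALERT] {host}: {len(stages)} stages -> {sorted(stages)}")
        for stage, msgs in stages.items():
            for msg in msgs:
                print(f"    {stage:18s} {msg}")
```

Run as-is, the script alerts only on WS-NURSING-07, where five stages line up; the file server with a new backup service and one RDP logon stays under the threshold. The value is in the per-host correlation rather than any single rule: every pattern above also fires on legitimate administration, and tuning means raising min_stages or tightening the persistence rules to your environment's known-good task and service names rather than dropping stages.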
The joint alert around Ryuk ransomware attacks against U.S. hospitals comes with the following best practices for mitigating the threat, regardless of your industry vertical.
It's clear that Ryuk ransomware criminals are trying to take advantage of an urgent situation where hospitals might have to weigh the value of human life during a pandemic against a ransom demand.
And as you probably know, this is far from the only coronavirus-related cyberattack we have seen. These attacks are evolving along with the pandemic. Listen to Myla Pilao of Trend Micro, whose Threat Research team tracks more than five billion threats daily.