The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS) and the Federal Bureau of Investigation (FBI) have issued a joint advisory warning of elevated Ryuk ransomware activity targeting the healthcare and public health sector.
The agencies report credible information of an increased and imminent threat to U.S. hospitals and healthcare providers. The advisory describes some of the tactics, techniques, and procedures (TTPs) used by the Ryuk operators and by the cybercriminal groups that support the ransomware's distribution, so that healthcare organizations can assess the risk and harden their systems against attack.
The advisory notes that the TrickBot Trojan frequently delivers Ryuk ransomware as a secondary payload. TrickBot was first identified in 2016 as a banking Trojan and has since been extended with many new capabilities. Beyond stealing banking credentials, it can exfiltrate mail and data from point-of-sale systems, mine cryptocurrency, and download additional malware, notably Ryuk ransomware.
In 2019 the FBI identified a new TrickBot module called Anchor, which sends and receives data from victim machines over DNS tunneling, letting its command-and-control (C2) communications evade many security tools. The advisory provides indicators of compromise (IoCs) to help network defenders identify TrickBot infections.
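As an added illustration of how a defender might look for the kind of DNS tunneling the Anchor module relies on (this is editorial example code, not part of the advisory or of the TrickBot IoCs it publishes), the following Python scores each DNS query on traits that tunneling clients tend to share: unusually long query names, high-entropy subdomain labels, and TXT lookups, and then groups the hits by registered domain, since a tunnel generates many unique names under one base. The log format, the sample queries, the tunnel.example and cdn.example domains, and the thresholds are all constructed assumptions; the IoCs in the advisory itself remain the authoritative detection content.

```python
"""Heuristic hunt for DNS-tunnelling traits in resolver query logs.

Added example code, not from the advisory. Input lines are constructed as
"client qname qtype"; adapt parse to your resolver or Sysmon Event ID 22 logs.
"""
import math
from collections import Counter, defaultdict

# Constructed sample queries (not real Anchor traffic). tunnel.example and
# cdn.example are made-up domains; the hex labels stand in for encoded C2 data.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 login.example.org A
10.0.0.5 a1b2c3d4e5f6.cdn.example A
10.0.0.7 3a7f9c0e2b14d6e8f0a1b2c3d4e5f6a7.3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c.tunnel.example A
10.0.0.7 b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3.1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.tunnel.example TXT
10.0.0.7 9f8e7d6c5b4a39281706f5e4d3c2b1a0.7e6d5c4b3a2918f0e1d2c3b4a5f6e7d8.tunnel.example A
10.0.0.7 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d.tunnel.example TXT
"""

# Starting-point thresholds (assumptions); baseline them against your own traffic.
MAX_BENIGN_QNAME_LEN = 52   # most legitimate names are far shorter
MIN_TUNNEL_ENTROPY = 3.0    # bits/char; hex-encoded data approaches 4.0, words sit near 2-3
MIN_SUSPECT_QUERIES = 3     # a tunnel emits many unique names under one base domain


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for a repeated character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Last two labels. Assumption: no public-suffix handling (co.uk etc.)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def score_query(qname: str, qtype: str) -> dict:
    """Flag tunnelling traits; two or more on one query is treated as suspicious."""
    qname = qname.lower().rstrip(".")
    base = registered_domain(qname)
    subdomain = qname[: -len(base)].rstrip(".")
    long_qname = len(qname) > MAX_BENIGN_QNAME_LEN
    high_entropy = shannon_entropy(subdomain.replace(".", "")) >= MIN_TUNNEL_ENTROPY
    txt_query = qtype.upper() == "TXT"
    return {
        "domain": base,
        "long_qname": long_qname,
        "high_entropy": high_entropy,
        "txt_query": txt_query,
        # A single trait (e.g. a high-entropy CDN label) is common; require two.
        "suspicious": (long_qname + high_entropy + txt_query) >= 2,
    }


def find_suspect_domains(log_text: str, min_queries: int = MIN_SUSPECT_QUERIES) -> list:
    """Return (domain, suspicious-query count, sorted clients) for base domains
    that accumulate at least `min_queries` suspicious lookups."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        client, qname, qtype = parts
        verdict = score_query(qname, qtype)
        if verdict["suspicious"]:
            per_domain[verdict["domain"]].append(client)
    return sorted(
        (domain, len(clients), sorted(set(clients)))
        for domain, clients in per_domain.items()
        if len(clients) >= min_queries
    )


if __name__ == "__main__":
    for domain, count, clients in find_suspect_domains(SAMPLE_DNS_LOG):
        print(f"{domain}: {count} suspicious queries from {', '.join(clients)}")
```

The two-trait rule is what keeps ordinary CDN and telemetry names (short but random-looking labels) out of the results; the per-domain count then separates a tunnel from a one-off long lookup. Expect to tune the thresholds and add a public-suffix list before running this against production resolver logs.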
In the course of a Ryuk intrusion, the operators use widely available frameworks such as PowerShell Empire and Cobalt Strike to steal credentials. Both are robust, dual-use tools that let the actors dump clear-text passwords or password hashes from memory with Mimikatz, and they also allow the actors to inject a malicious dynamic-link library into memory with read, write, and execute permissions. To maintain persistence in the victim environment, Ryuk actors use scheduled tasks and service creation.
Ryuk actors favor living-off-the-land techniques, using native utilities such as net view, net computer, and ping to locate mapped network shares, domain controllers, and Active Directory. Native tools such as PowerShell, Windows Remote Management (WinRM), Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) are typically used to move laterally through the network, alongside third-party tools such as BloodHound.
The attackers identify security applications and disable them to avoid detection of the ransomware, and may manually remove specific security products that would otherwise block it from running. They also attempt to delete backup files and Volume Shadow Copies so that victims cannot recover their files without paying the ransom.
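The TTP chain described in the preceding paragraphs (discovery with net commands, credential dumping with Mimikatz, lateral movement over WMI, WinRM or RDP, persistence through scheduled tasks and services, stopping security services, and deleting shadow copies and backups) lends itself to a process-creation hunt. The Python below is an added example rather than anything from the advisory: it runs a small set of command-line patterns over constructed, tab-separated process events (the shape of flattened Sysmon Event ID 1 or Windows Security 4688 records) and reports hosts that show several stages of the chain, since a lone schtasks /create is routine administration while discovery plus credential dumping plus shadow-copy deletion on one host is not. Host names, user names, paths, and timestamps in the sample are invented, and the patterns are starting points rather than a complete ruleset.

```python
"""Process-creation hunt for the Ryuk-style TTP chain the advisory describes.

Added example code, not from the advisory. Events are constructed as
tab-separated "timestamp<TAB>host<TAB>user<TAB>command line" records.
"""
import re
from collections import defaultdict

# Command-line patterns per stage (assumptions, case-insensitive). Each one
# will also match legitimate administration; the signal is several stages
# appearing on the same host.
TTP_RULES = [
    ("discovery",
     re.compile(r"\bnet1?(?:\.exe)?\s+(?:view|computer)\b", re.I)),
    ("credential_dumping",
     re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    ("lateral_movement",
     re.compile(r"\bwmic(?:\.exe)?\s+/node:"
                r"|\bwinrs(?:\.exe)?\s+-r:"
                r"|\b(?:Invoke-Command|Enter-PSSession)\b.*-ComputerName\b"
                r"|\bmstsc(?:\.exe)?\s+/v:", re.I)),
    ("persistence",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b|\bsc(?:\.exe)?\s+create\b", re.I)),
    ("defense_evasion",
     re.compile(r"\bnet1?(?:\.exe)?\s+stop\b"
                r"|\bsc(?:\.exe)?\s+(?:stop|config)\b"
                r"|\btaskkill(?:\.exe)?\s+.*/im\b", re.I)),
    ("inhibit_recovery",
     re.compile(r"\bvssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)"
                r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete"
                r"|\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I)),
]

# Constructed sample events (invented hosts, users, paths and times). WS-042 is
# the foothold, FS-01 the file server, ADMIN-01 a benign backup scheduler.
SAMPLE_PROCESS_LOG = """\
2020-10-28T02:11:05Z\tWS-042\tCORP\\jdoe\tC:\\Windows\\System32\\net.exe view /all
2020-10-28T02:11:09Z\tWS-042\tCORP\\jdoe\tnet computer
2020-10-28T02:13:40Z\tWS-042\tCORP\\jdoe\tpowershell.exe -nop -w hidden -c "Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'"
2020-10-28T02:20:13Z\tWS-042\tCORP\\jdoe\twmic /node:FS-01 process call create "cmd.exe /c schtasks /create /tn Updater /tr C:\\Users\\Public\\svc.exe /sc onstart /ru SYSTEM"
2020-10-28T02:31:58Z\tFS-01\tNT AUTHORITY\\SYSTEM\tsc create svcupdate binPath= "C:\\Users\\Public\\svc.exe" start= auto
2020-10-28T02:32:02Z\tFS-01\tNT AUTHORITY\\SYSTEM\tnet stop "Endpoint Protection Service" /y
2020-10-28T02:32:10Z\tFS-01\tNT AUTHORITY\\SYSTEM\tvssadmin.exe Delete Shadows /All /Quiet
2020-10-28T02:32:12Z\tFS-01\tNT AUTHORITY\\SYSTEM\twmic shadowcopy delete
2020-10-28T02:32:15Z\tFS-01\tNT AUTHORITY\\SYSTEM\twbadmin delete catalog -quiet
2020-10-28T08:05:00Z\tADMIN-01\tCORP\\backupsvc\tschtasks /create /tn NightlyBackup /tr C:\\Backup\\run.cmd /sc daily /st 23:00
"""


def classify_command(cmdline: str) -> list:
    """Return every stage label whose pattern matches the command line."""
    return [label for label, pattern in TTP_RULES if pattern.search(cmdline)]


def parse_event(line: str):
    """Split one record into its four fields; None for malformed lines."""
    parts = line.split("\t", 3)
    if len(parts) != 4:
        return None
    timestamp, host, user, cmdline = parts
    return {"timestamp": timestamp, "host": host, "user": user, "cmdline": cmdline}


def hunt(log_text: str) -> list:
    """Return (timestamp, host, label, cmdline) for every matching event."""
    findings = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for label in classify_command(event["cmdline"]):
            findings.append((event["timestamp"], event["host"], label, event["cmdline"]))
    return findings


def hosts_showing_chain(log_text: str, min_stages: int = 3) -> dict:
    """Map host -> sorted stage labels for hosts with at least `min_stages`
    distinct stages. Single-stage hosts (routine task creation) are dropped."""
    stages = defaultdict(set)
    for _, host, label, _ in hunt(log_text):
        stages[host].add(label)
    return {host: sorted(labels) for host, labels in stages.items() if len(labels) >= min_stages}


if __name__ == "__main__":
    for host, labels in hosts_showing_chain(SAMPLE_PROCESS_LOG).items():
        print(f"{host}: {', '.join(labels)}")
```

On the sample, WS-042 surfaces with discovery, credential dumping, lateral movement and persistence, FS-01 with persistence, security-service tampering and shadow-copy deletion, while ADMIN-01's nightly backup task alone never reaches the threshold. In a real environment, correlate the findings with the parent process and the user context, and treat the shadow-copy and backup-deletion stage as the point at which you stop hunting and start responding.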
The full advisory, including the IoCs and recommended mitigations, is available from CISA.