On October 29, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published a joint alert with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS). In it, the organizations claimed to “have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” CISA, the FBI and HHS attributed the threat to the digital criminal enterprise behind TrickBot, malware that is capable of targeting victims with ransomware.
Over the past few years, TrickBot has evolved beyond its humble beginnings as a modular banking trojan inspired by Dyreza, another data-stealing threat.
Cybereason Nocturnus first observed this transition to something more insidious in April 2019 when it spotted an attack campaign that used Emotet as a dropper for TrickBot.
Upon successful installation, TrickBot stole sensitive data from the victim before it moved laterally throughout the network and deployed Ryuk ransomware on discovered hosts.
Later that year, Cybereason Nocturnus uncovered a series of targeted attacks against U.S. and European financial, manufacturing and retail businesses.
These attacks started with a TrickBot infection. Unlike previous campaigns, however, they focused on stealing sensitive information from Point-Of-Sale (POS) systems using Anchor, a backdoor which appears to be closely connected to TrickBot.
Several months later, Cybereason Nocturnus explored the connections between TrickBot and another threat called “Bazar loader.” This threat was capable of deploying additional malware and stealing information from targeted organizations at the time of discovery.
To counter this emerging threat, Microsoft announced in mid-October that it had used a court order and had cooperated with telecommunications providers around the world to try to disrupt TrickBot’s infrastructure. The tech giant clarified that these efforts had sought to eliminate 94% of TrickBot’s infrastructure, including its known Command-and-Control (C&C) servers.
That takedown effort didn’t prevent the TrickBot gang from working with a competing digital crime syndicate to drop TrickBot payloads in an attempt to remain active, as observed by Microsoft later on in October 2020.
It was around that same time when NETSCOUT spotted TrickBot attackers bringing portions of their code over to Linux, thereby expanding their pool of possible victims.
The joint alert arrived a day after CISA, the FBI and HHS held a conference call to warn healthcare executives about the threat of Ryuk ransomware infections.
One participant on the call told KrebsOnSecurity that the government agencies had not shared Indicators of Compromise (IoCs), instead urging participants to patch their systems and to report any instances of suspicious activity.
But as noted by KrebsOnSecurity, IoCs associated with Ryuk tend to vary across different victims, as attackers use different Windows executables for dropping malicious files onto infected hosts. They also switch between different C&C servers for communicating with their payloads.
Such dynamism makes it more difficult for entire industries to defend against Ryuk using IoCs, as they would against other digital threats.
Around the time of the conference call, reports began to emerge of several hospitals having suffered digital attacks.
On October 27, for instance, the St. Lawrence Health System said that malicious actors had targeted computers at its Canton-Potsdam, Massena and Gouverneur hospitals with a new variant of Ryuk. The attack hadn’t compromised patient or employee information, reported WWNY.
That same day, Sky Lakes Medical Center disclosed that it had suffered a ransomware attack. The infection brought down the healthcare organization’s computer systems, making communication “difficult” as the hospital moved ahead with its scheduled procedures.
The University of Vermont Health Network experienced a network disruption the following day. According to NBC5, a digital attack caused network issues at six hospitals throughout Vermont and northern New York.
Sam Curry, chief security officer at Cybereason, feels that this latest ransomware threat constitutes an important moment for healthcare organizations in the United States.
“The FBI and DHS’s hastily scheduled news conference warning U.S. hospitals of imminent ransomware attacks is more than just a wake-up call for the industry. It is a call to action that must be taken seriously,” said Curry.
“When you compare the number of hospitals and health systems facing possible threats, the risk is many times greater than 2017’s global WannaCry ransomware attack that hit the healthcare system in the UK. For hospitals, no more excuses. It's time to practice cyber hygiene alongside medical hygiene.”
Curry went on to put the potential damages in terms of “life and death,” stating, “If healthcare computer networks are taken offline, patient care will be stalled and lives could literally be at stake.” He therefore feels that organizations need to focus on building resilience.
“Taking this issue seriously means making the tough choice between losing some functionality pro-actively by disconnecting some systems as opposed to running a chance of losing all functionality if targeted,” Curry concluded.
CISA, the FBI and HHS recommend that healthcare organizations take this threat seriously by following security best practices such as patching their systems, reviewing their configurations and regularly changing the passwords used for network systems and accounts. Organizations can learn more about how to defend themselves against a Ryuk ransomware attack by following Cybereason’s guidelines here.