by Toby Hart
Over the past few days, one story in the US has threatened to overshadow even the race for the White House. A set of apparently coordinated ransomware attacks reportedly hit hundreds of hospitals, medical facilities and clinics. Although no warnings have thus far been issued by the National Cyber Security Centre (NCSC) or NHS Digital, UK hospitals should be alert to the malicious campaign potentially spreading their way, and of other attackers targeting medical facilities already stretched to the limit with the fight against COVID-19.
The good news is that by detecting the early warning signs including the presence of TrickBot and/or Emotet Trojans, healthcare organisations (HCOs) can mitigate the threat before it has a chance to make a major impact.
The story so far
Reports suggest a Russian cybercrime group known as Wizard Spider is behind the attacks, using the Ryuk ransomware to halt operations in countless US hospitals. A joint alert, issued last week by the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), revealed the MO of attacks. Ryuk typically uses TrickBot or Emotet Trojans, usually sent via phishing emails, to gain a foothold into networks.
Once they’ve performed reconnaissance on the target network, attackers will deploy off-the-shelf tools such as Cobalt Strike and PowerShell Empire to steal credentials and maintain persistence. They’ll try to “live off the land” with the use of legitimate PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) tools to move laterally while staying hidden.
At least 20 US hospitals are known to have been affected thus far, impacting cancer treatments and forcing incoming patients to be diverted to other facilities. The worst-case scenario is that such attacks will impact operations to the point that critically ill COVID and other patients cannot be cared for properly. This is exactly what the cyber-criminals want as it will maximise the chances that HCO victims pay up.
What to do
An NCSC advisory from last year offers some light at the end of the tunnel. Often the threat actors behind Ryuk have access to compromised networks for days or months before the ransomware is deployed. This gives them time to perform vital reconnaissance work to optimise their attacks. But as the NCSC states: “this may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.”
That makes it more important than ever to have the tools in place to spot and take action on Emotet and TrickBot Trojan infections that often presage a ransomware attack. Trend Micro has already detected and blocked TrickBot for several NHS customers this year, for example.
Here are a list of further steps we recommend:
- Ensure all domain controllers are patched for Zerologon. Threat actors are taking advantage of this vulnerability to gain domain level access
- Recent Ryuk updates show that it attempts to encrypt files using Windows administrative shares. Users should therefore consider either completely disabling these or blocking access via their firewall solutions
- Disable Powershell with Group Policy as this tool is often used in malware attacks on your network
- Regularly backup all data, and air gap and password protect backup copies offline
For Trend Micro customers:
- Ensure endpoint and server protection products (e.g. Apex One, Cloud One – Workload Security, OfficeScan, Deep Security, Worry-Free Business Security) have critical features such as Ransomware Protection, Predictive Machine Learning and Behavior Monitoring enabled and optimally configured.
- Enable Agent Self-Protection in Cloud One – Workload Security and Deep Security
The ransomware threat is about much more than Ryuk and this particular campaign, of course. NHS and other UK HCOs should be aware that they represent a prime target for attack by other APT groups as they enter the busy winter season.