
U.S. Agencies Issue Warnings as Ransomware Hits Healthcare Institutions

Cybercriminals are using Ryuk ransomware to infect hospitals and healthcare institutions across the United States for financial gain, according to an advisory released Wednesday evening by U.S. federal authorities.

The advisory said there was “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” and urged healthcare providers to take immediate—and reasonable—precautions to secure their networks. The advisory did not disclose how many healthcare institutions have already been impacted, but the AP reported that at least five hospitals were hit this week and potentially hundreds more could be impacted.

“Healthcare and Public Health sector partners—shields up!” tweeted Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs. “Assume Ryuk is inside the house. Executives—be ready to activate business continuity and disaster recovery plans. IT sec teams—patch, MFA, check logs, make sure you have a good backup point.”

In an interview with Reuters, a doctor at a hospital that was impacted said the institution was using paper and was unable to transfer patients because the nearest healthcare provider was an hour away. “We can still watch vitals and get imaging done, but all results are being communicated via paper only,” the doctor said.

Ryuk ransomware is being used by a cybercriminal group tracked by FireEye Mandiant as UNC1878; the group is responsible for roughly one-fifth of known Ryuk intrusions. Cybersecurity Dive reported that detections of Ryuk rose from 5,123 in the third quarter of 2019 to 67.3 million in the third quarter of 2020.

“Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection,” the advisory said. “In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory….Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

“In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack.”
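The advisory's description above (native enumeration tools first, then a .bat file that wipes Volume Shadow Copies and backups just before encryption) maps directly onto process-creation telemetry, which is what Krebs means by "check logs". The following is an added example, not code from the advisory or from Security Management: it scans constructed Windows process-creation records for that sequence. The `net view` and `ping` patterns come from the advisory text; `nltest /dclist` and `net group "Domain Admins" /domain` are added here as further common enumeration commands, and the destructive set is an assumption about what such a .bat file runs, using the standard Windows tools for deleting shadow copies (`vssadmin`, `wmic`), the backup catalog (`wbadmin`) and recovery boot options (`bcdedit`). The pipe-delimited record layout and the alerting thresholds are also assumptions.

```python
"""Flag the living-off-the-land enumeration and backup-destruction
commands described in the advisory in Windows process-creation logs.

Added example, not code from the advisory or from Security Management.
The log lines are constructed for illustration, and their layout
(timestamp|host|user|parent_image|command_line) is an assumed export
format rather than any product's native schema.
"""
import re
from collections import defaultdict

# net view and ping are named in the advisory; nltest and "net group ... /domain"
# are added here as common enumeration commands. The destructive patterns are an
# assumption about what a backup-wiping .bat file runs.
SIGNATURES = [
    ("share_enumeration",      re.compile(r'\bnet1?(\.exe)?\s+view\b', re.I)),
    ("domain_admin_enum",      re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins"?\s+/domain', re.I)),
    ("dc_enumeration",         re.compile(r'\bnltest(\.exe)?\s+/dclist', re.I)),
    ("ping",                   re.compile(r'^ping(\.exe)?\s', re.I)),
    ("shadow_copy_delete",     re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows', re.I)),
    ("wmic_shadowcopy_delete", re.compile(r'\bwmic(\.exe)?\s+shadowcopy\s+delete', re.I)),
    ("backup_catalog_delete",  re.compile(r'\bwbadmin(\.exe)?\s+delete\s+catalog', re.I)),
    ("recovery_disabled",      re.compile(r'\bbcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no', re.I)),
]
DESTRUCTIVE = {"shadow_copy_delete", "wmic_shadowcopy_delete",
               "backup_catalog_delete", "recovery_disabled"}
ENUMERATION = {"share_enumeration", "domain_admin_enum", "dc_enumeration"}
PING_SWEEP_TARGETS = 5  # assumed threshold: distinct hosts pinged from one machine


def parse_event(line):
    """Split one pipe-delimited process-creation record into its fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd.strip()}


def match_signatures(cmd):
    """Return the names of every signature that fires on a command line."""
    return [name for name, pattern in SIGNATURES if pattern.search(cmd)]


def analyze(log_text):
    """Aggregate hits per host and return a list of findings, sorted by host."""
    per_host = defaultdict(lambda: {"sigs": set(), "ping_targets": set(), "evidence": []})
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        hits = match_signatures(event["cmd"])
        if not hits:
            continue
        state = per_host[event["host"]]
        for name in hits:
            if name == "ping":
                # The last token is the target; many distinct targets suggests a sweep.
                state["ping_targets"].add(event["cmd"].split()[-1].lower())
            else:
                state["sigs"].add(name)
        state["evidence"].append(f'{event["ts"]} {event["user"]}: {event["cmd"]}')

    findings = []
    for host, state in sorted(per_host.items()):
        if state["sigs"] & DESTRUCTIVE:
            findings.append({"host": host, "severity": "critical",
                             "reason": "shadow copy / backup destruction; encryption likely imminent",
                             "evidence": state["evidence"]})
        enum_hits = state["sigs"] & ENUMERATION
        if len(enum_hits) >= 2 or len(state["ping_targets"]) >= PING_SWEEP_TARGETS:
            findings.append({"host": host, "severity": "high",
                             "reason": "living-off-the-land network enumeration",
                             "evidence": state["evidence"]})
    return findings


# Constructed sample: one workstation enumerating the domain, one file server
# having its recovery points wiped, and one benign ping from a user.
SAMPLE_LOG = r"""
2020-10-28T02:11:04Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|net  view /all
2020-10-28T02:11:09Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|net group "Domain Admins" /domain
2020-10-28T02:11:15Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|nltest /dclist:corp.local
2020-10-28T02:12:01Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|ping -n 1 10.10.4.21
2020-10-28T02:12:02Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|ping -n 1 10.10.4.22
2020-10-28T02:12:03Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|ping -n 1 10.10.4.23
2020-10-28T02:12:04Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|ping -n 1 10.10.4.24
2020-10-28T02:12:05Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|ping -n 1 10.10.4.25
2020-10-28T02:12:06Z|WS-0412|CORP\jdoe|C:\Windows\System32\cmd.exe|ping -n 1 10.10.4.26
2020-10-28T03:40:22Z|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2020-10-28T03:40:23Z|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|wbadmin DELETE CATALOG -quiet
2020-10-28T03:40:24Z|FS-01|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled No
2020-10-28T09:02:10Z|WS-0190|CORP\asmith|C:\Windows\explorer.exe|ping -n 4 printserver.corp.local
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f'[{finding["severity"].upper()}] {finding["host"]}: {finding["reason"]}')
        for line in finding["evidence"]:
            print("    ", line)
```

On a real estate the records would come from Sysmon Event ID 1 or Security Event ID 4688 (the latter only carries the command line once "Include command line in process creation events" is enabled by policy). The destructive signatures alone justify an immediate critical alert: by the advisory's own account they fire minutes before encryption, when isolating the host and checking the last known-good backup point is still possible.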

The FBI, the U.S. Department of Health and Human Services, and CISA released the advisory, highlighting that addressing these issues will be particularly challenging for institutions on the frontlines of the COVID-19 pandemic.

The agencies recommended that healthcare and public health sector organizations review their existing patching plans, security policies, user agreements, and business continuity plans, or establish them where they are missing, to address the threat.

“System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data,” the advisory said. “Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly.”

Unisys CISO Mat Newfield has been briefing companies on the risks posed by Ryuk ransomware, along with providing best practice guidance on how to address the threat.

"The two most critical things to do in order to prevent a ransomware breach are to ensure systems are always up-to-date with patches and you continue to focus on user education with regards to phishing and its variants, such as SMSishing and vishing," he said, adding that organizations should also look to adopt micro-segmentation of their networks to minimize the impact of a ransomware attack.

"Many healthcare organizations suffer from the continued use of legacy and end-of-life systems that are highly susceptible to compromise," he explained. "Rapid response and active monitoring are a must for healthcare, and any other organization."

Hospitals and healthcare institutions are a prime target for ransomware attacks because of the volume of data they require to operate, the ease of access needed for that data, and often a lack of investment in security infrastructure. In 2016, a string of U.S. hospitals were hit with ransomware and Security Management spoke to James Carder, CISO of LogRhythm and former director of security information for the Mayo Clinic, about the attacks.

He explained that the emphasis is usually placed on making patient data available and on remaining compliant with the U.S. Health Insurance Portability and Accountability Act (HIPAA). “The focus is on patient care and having access and availability of records, more so than securing the records,” Carder added.