Yesterday, US-CERT issued a joint advisory (AA20-302A) from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warning the healthcare industry of an elevated risk of ransomware attacks. In it, the three agencies state that they have credible information of an increased and imminent threat of potentially severe ransomware attacks against hospitals and other healthcare providers.
This is a particularly bad time for hospitals and other healthcare providers to be at risk, given how critical their services are right now. As a services provider, it is important to give these organizations extra attention and vigilance to keep them running smoothly.
Generally, when an advisory like this is released, the issuers have information indicating a targeted campaign by nation-state or other organized threat actors, and the advisory is meant to put organizations on a higher state of alert. This one lays out the threat details for the campaign, including Indicators of Compromise (IoCs) to watch for, and maps the actors' Tactics, Techniques, and Procedures (TTPs) to the MITRE ATT&CK framework. As with many recent campaigns, this one has been observed using TrickBot for the initial compromise and post-compromise activity, followed by Ryuk for the encryption stage. Finally, it offers guidance on what to do if you are impacted by a ransomware event.
If you have attended one of my security boot camps, you are no doubt familiar with the TrickBot trojan, the Ryuk ransomware family, and some of the kill chain components we review. Let's talk about some of the techniques used in campaigns like these.
The first foothold is usually a well-crafted phishing email that tricks a user into opening a malicious document or entering credentials on a fake login page. Opening the document runs the first script (typically an Office macro or a small downloader), which fetches and installs the TrickBot component.
At this stage of the infection, reconnaissance, harvesting of stored credentials, and lateral movement through the environment take place. TrickBot abuses legitimate applications and built-in utilities to evade detection. This campaign has been observed using the Anchor_DNS module to hide communication with command and control (C2) servers so that it is not blocked by traditional firewalls and web protection: instead of an ordinary web channel, the data is encoded into DNS queries and responses, which blend into the background DNS noise. This is a relatively new addition to TrickBot's modules, an indicator that, just like legitimate software companies, malware authors keep improving their toolset. The advisory lists the domains used in these queries as well as the IP addresses of the observed C2 servers, so both can go straight into DNS filtering and firewall blocklists.
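Blocking the listed domains catches this campaign's infrastructure, but a DNS-tunneling channel will reappear under new domains. The following is an added example, not from the advisory and not SolarWinds code, of the heuristic a resolver-log detector can apply: encoded data shows up as many distinct, long, high-entropy subdomains under one registered domain, which ordinary hostnames do not produce. The log format, the sample lines and the domain names (`example.org`, `example.net`) are all constructed for the example; real Anchor_DNS indicators should be matched directly from the advisory's list, which `clients_querying()` illustrates with a placeholder blocklist.

```python
"""
Added example: heuristic detection of DNS-based C2 (the technique Anchor_DNS uses)
plus direct IoC matching, run over constructed resolver log lines of the shape
    <timestamp> <client_ip> <query_name> <query_type>
This is not a real product's log format; adapt parse_line() to your resolver's logs.
"""
import math
import re
from collections import defaultdict

# Constructed sample log. example.org is ordinary traffic; example.net stands in
# for a tunneling domain. Neither is an indicator from the advisory.
SAMPLE_LOG = """\
2020-10-28T10:00:01Z 10.0.5.21 www.example.org A
2020-10-28T10:00:02Z 10.0.5.21 api.example.org A
2020-10-28T10:00:03Z 10.0.5.44 cdn.example.org A
2020-10-28T10:00:04Z 10.0.5.21 4f8a1c3e9b2d7e6f.example.net A
2020-10-28T10:00:05Z 10.0.5.21 a91bc0de77f3e412.example.net A
2020-10-28T10:00:06Z 10.0.5.21 0e2f6d1ab4c59e88.example.net TXT
2020-10-28T10:00:07Z 10.0.5.21 b7d3e5f19a204c6e.example.net A
2020-10-28T10:00:08Z 10.0.5.21 3c9e7a1f5b8d2e40.example.net TXT
2020-10-28T10:00:09Z 10.0.5.21 d18f4b6c2e9a7035.example.net A
2020-10-28T10:00:10Z 10.0.5.21 mail.example.org MX
2020-10-28T10:00:11Z 10.0.5.60 www.example.org A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "qtype": qtype}


def split_domain(qname):
    """Approximate the registered domain as the last two labels (no public-suffix list here)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s):
    """Bits of entropy per character; hostnames are low, encoded payloads are high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_domains(lines):
    """Per registered domain: query count, distinct subdomains, mean entropy and length."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": 0.0, "len": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain, sub = split_domain(rec["qname"])
        s = stats[domain]
        s["queries"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(sub)
        s["len"] += len(sub)
    return {
        d: {"queries": s["queries"], "unique_subdomains": len(s["subs"]),
            "mean_entropy": s["ent"] / s["queries"], "mean_sub_len": s["len"] / s["queries"]}
        for d, s in stats.items()
    }


def flag_tunneling(lines, min_queries=5, min_unique_ratio=0.9, min_entropy=3.0, min_len=12):
    """Domains whose subdomain pattern looks like encoded data rather than hostnames."""
    flagged = []
    for domain, p in profile_domains(lines).items():
        if p["queries"] < min_queries:
            continue  # too few queries to judge; avoids flagging one-off lookups
        unique_ratio = p["unique_subdomains"] / p["queries"]
        if (unique_ratio >= min_unique_ratio and p["mean_entropy"] >= min_entropy
                and p["mean_sub_len"] >= min_len):
            flagged.append(domain)
    return sorted(flagged)


def clients_querying(lines, blocklist):
    """Direct IoC match: which clients queried a registered domain on the blocklist."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain, _ = split_domain(rec["qname"])
        if domain in blocklist:
            hits[domain].add(rec["client"])
    return {d: sorted(c) for d, c in hits.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for d in flag_tunneling(lines):
        print("possible DNS tunneling:", d, profile_domains(lines)[d])
    print("IoC hits:", clients_querying(lines, {"example.net"}))
```

Expect false positives from legitimate services that encode data in subdomains (some antivirus reputation lookups and CDNs do), so tune the thresholds per environment and keep an allowlist; the heuristic is a triage signal, while the advisory's domain and IP lists remain the high-confidence match.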
Once the actors decide to ransom the victim, they download Ryuk and execute it on the target systems. Ryuk has been observed enumerating the files to encrypt, listing the running processes (likely to identify which security products are present), and then stopping or disabling those antimalware tools so the encryptor can run unhindered. All of this improves the likelihood of a successful encryption event and, by extension, the likelihood they will be paid.
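Both the phishing foothold described earlier (a document that launches a script) and the pre-encryption stage here leave the same kind of evidence: process-creation events on the endpoint. The following is an added example, not from the advisory and not SolarWinds code, of a small rule-based triage over such events. It goes beyond what the post states by also matching shadow-copy deletion and boot-recovery tampering, which are common pre-encryption steps in this family; the events, hostnames, paths and the `ExampleAVService` name are constructed to resemble Sysmon Event ID 1 fields and are not real telemetry.

```python
"""
Added example: rule-based triage of Windows process-creation telemetry for two stages
of the TrickBot/Ryuk chain: (1) an Office application spawning a script host, and
(2) commands that impair defenses or destroy recovery points ahead of encryption.
Records are constructed to resemble Sysmon Event ID 1 fields; rename for your source.
"""
import json
import re

# Stage 1 signal: Office parent launching a script host or shell (macro lure).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Stage 2 signals: defense impairment and recovery destruction.
DEFENSE_PATTERNS = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("service_stop", re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
    ("process_kill", re.compile(r"taskkill(\.exe)?\s+.*/(im|f)\b", re.I)),
]
DEFENSE_FINDINGS = {name for name, _ in DEFENSE_PATTERNS}

# Constructed sample events (JSON lines). Hosts, paths and service names are placeholders.
SAMPLE_EVENTS = r"""
{"UtcTime": "2020-10-28 13:02:11", "Computer": "WS-0421", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell.exe -w hidden -nop -f C:\\Users\\Public\\stage1.ps1"}
{"UtcTime": "2020-10-28 13:02:40", "Computer": "WS-0421", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe"}
{"UtcTime": "2020-10-28 13:05:02", "Computer": "FS-01", "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"UtcTime": "2020-10-29 02:14:05", "Computer": "FS-01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"UtcTime": "2020-10-29 02:14:06", "Computer": "FS-01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop ExampleAVService /y"}
{"UtcTime": "2020-10-29 02:14:07", "Computer": "FS-01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /IM exampleav.exe /F"}
{"UtcTime": "2020-10-29 02:14:08", "Computer": "FS-01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
"""


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the finding names an event triggers (empty list when benign)."""
    findings = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_spawned_script_host")
    cmd = event.get("CommandLine", "")
    for name, pat in DEFENSE_PATTERNS:
        if pat.search(cmd):
            findings.append(name)
    return findings


def triage(jsonl):
    """Classify every event; return an alert dict for each one that fires, in log order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        findings = classify(ev)
        if findings:
            alerts.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                           "image": basename(ev.get("Image", "")), "findings": findings})
    return alerts


def hosts_staging_ransomware(alerts, min_distinct=2):
    """Hosts with at least min_distinct different defense-impairment findings.
    One 'net stop' is noise; several distinct impairment steps on one host is staging."""
    per_host = {}
    for a in alerts:
        per_host.setdefault(a["host"], set()).update(
            f for f in a["findings"] if f in DEFENSE_FINDINGS)
    return sorted(h for h, s in per_host.items() if len(s) >= min_distinct)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for a in found:
        print(a["time"], a["host"], a["image"], ",".join(a["findings"]))
    print("hosts staging ransomware:", hosts_staging_ransomware(found))
```

The per-host correlation in `hosts_staging_ransomware()` is the part worth keeping: any single rule will fire on administrators doing legitimate work, but shadow-copy deletion, service stops, process kills and recovery tampering arriving together on one file server within seconds is the moment to isolate that host before the encryptor runs.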
So what are the best defenses against modern, multi-stage threats like this? As we have discussed in our boot camps, you need multiple layers, since each attack may start from a slightly different entry point, or may get further down the chain toward the data, which is the primary target.
First, as with most attacks, email filtering and malicious-website protection stop the attack as far away from the user and the data as possible, before the lure is ever opened.
It is also a good idea to sign up for updates from the National Cyber Awareness System mailing list, as it regularly publishes and updates information on active campaigns. Simply go to us-cert.cisa.gov, scroll to the bottom, and enter your email address. You can then choose which types of alerts to receive.
If you support customers in the healthcare space, now is the time to make sure all of your security tooling is updated and functioning, that backups of systems and data are current (with at least one copy kept offline and restores tested), and that you keep monitoring for suspicious behavior.
Let’s stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd