Security

US-CERT Releases Warning to Healthcare Organizations about Elevated Ransomware Risks

By Gill Langston
4 November, 2020

Yesterday, US-CERT published a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warning the healthcare industry of an elevated risk of ransomware attacks. In it, they state that they have credible information of an imminent and potentially severe ransomware threat to hospitals and other healthcare providers.

This is a particularly bad time for hospitals and healthcare to be at risk, because of the critical nature of the services offered during these concerning times. As a services provider, it’s important to give these critical organizations extra attention and vigilance to keep them running smoothly.

What you need to know

Generally, when an advisory like this is released, the issuers have information indicating a targeted campaign by nation-state or organized criminal actors, and the advisory is meant to put organizations on a higher state of vigilance. This one lays out the threat details for the campaign, including Indicators of Compromise (IoCs) to watch for, and maps the actors' Tactics, Techniques, and Procedures (TTPs) to the MITRE ATT&CK framework. As with many recent campaigns, this one has been observed using Trickbot for the initial compromise and then Ryuk for the encryption stage. Finally, it offers guidance on what to do if you are hit by a ransomware event.

What is the risk?

If you have attended one of my security boot camps, you are no doubt familiar with the Trickbot and Ryuk ransomware families and some of the kill chain components we review. Let’s talk about some of the techniques used in campaigns like these.

The first foothold is usually a well-crafted phishing email that tricks a user into opening a document (typically one carrying a malicious macro) or entering credentials on a spoofed login page. The macro or script that runs at that point downloads and installs the Trickbot component.

At this stage of the infection, reconnaissance, harvesting of stored credentials, and lateral spread through the environment occur. Trickbot uses legitimate applications and built-in system tools to evade detection. This campaign has been observed using Anchor_DNS to hide communication with command and control (C2) servers from traditional firewalls and web protection: instead of connecting to the C2 server directly, the malware encodes its traffic into DNS queries for names under attacker-controlled domains. The organization's own resolver forwards those queries to the attacker's name server, so the exchange blends into background DNS noise and never shows up as a direct connection to a suspicious address. This is a relatively new addition to the modules used by Trickbot, an indicator that, just like legitimate software companies, malware creators continue to improve their toolset. The advisory lists the domains used in these queries, as well as the IP addresses of the observed C2 servers.
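The following is an added example, not code from the advisory or from SolarWinds, of the two checks a resolver query log can be run through to catch this technique: a match against the advisory's domain list, and a heuristic for the tunnelling pattern itself (one client issuing repeated queries for long, high-entropy subdomains of the same parent). The domains in BLOCKED_DOMAINS, the client addresses and the log lines are all constructed for the example; substitute the domains from the advisory and adapt LOG_RE to your resolver's log format.

```python
"""Spot Anchor_DNS-style C2 traffic in resolver query logs.

Added example for this post; not code from the CISA/FBI/HHS advisory or from
SolarWinds. Two checks run over each query:
  1. blocklist: the name is, or sits under, a known C2 domain (the entries in
     BLOCKED_DOMAINS are hypothetical placeholders; use the advisory's list);
  2. tunnelling heuristic: one client sends several queries for distinct,
     long, high-entropy subdomains of the same parent domain, which is what
     data encoded into DNS labels looks like.
The sample log lines are constructed, loosely in BIND query-log format.
"""
import math
import re
from collections import Counter, defaultdict

# Hypothetical placeholders: substitute the domains listed in the advisory.
BLOCKED_DOMAINS = {"c2-example-one.test", "c2-example-two.test"}

# Constructed sample resolver log (BIND-style "query:" lines).
SAMPLE_LOG = """\
03-Nov-2020 09:12:01.100 queries: info: client 10.0.5.21#51234: query: www.microsoft.com IN A + (10.0.0.53)
03-Nov-2020 09:12:02.200 queries: info: client 10.0.5.21#51235: query: outlook.office365.com IN A + (10.0.0.53)
03-Nov-2020 09:12:03.300 queries: info: client 10.0.5.40#51300: query: 3f9a1c7e2b8d4e0f5a6b7c8d9e0f1a2b.c2-example-one.test IN A + (10.0.0.53)
03-Nov-2020 09:12:04.400 queries: info: client 10.0.5.40#51301: query: 9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b.c2-example-one.test IN A + (10.0.0.53)
03-Nov-2020 09:12:05.500 queries: info: client 10.0.5.40#51302: query: a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2.attacker-tunnel.test IN TXT + (10.0.0.53)
03-Nov-2020 09:12:06.600 queries: info: client 10.0.5.40#51303: query: b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3.attacker-tunnel.test IN TXT + (10.0.0.53)
03-Nov-2020 09:12:07.700 queries: info: client 10.0.5.40#51304: query: c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4.attacker-tunnel.test IN TXT + (10.0.0.53)
03-Nov-2020 09:12:08.800 queries: info: client 10.0.5.22#51400: query: cdn.jsdelivr.net IN A + (10.0.0.53)
"""

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every line that parses as a query."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def split_name(qname):
    """Return (subdomain, parent), treating the last two labels as the parent.

    Simplification: production code should use the public suffix list so that
    names under co.uk and similar suffixes are grouped correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character: plain words score low, hex data near 4, base32/64 higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_blocklisted(qname):
    """True if qname is one of the blocked domains or a name beneath one."""
    return any(qname == d or qname.endswith("." + d) for d in BLOCKED_DOMAINS)


def analyse(log_text, min_queries=2, min_sub_len=20, min_entropy=3.0):
    """Return {'blocklisted': [(client, qname)], 'tunnelling': [(client, parent, n)]}."""
    blocklisted = []
    suspicious_subs = defaultdict(set)  # (client, parent) -> distinct odd-looking subdomains
    for client, qname, _qtype in parse_queries(log_text):
        if is_blocklisted(qname):
            blocklisted.append((client, qname))
        sub, parent = split_name(qname)
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            suspicious_subs[(client, parent)].add(sub)
    tunnelling = sorted(
        (client, parent, len(subs))
        for (client, parent), subs in suspicious_subs.items()
        if len(subs) >= min_queries
    )
    return {"blocklisted": blocklisted, "tunnelling": tunnelling}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

The blocklist check only catches what the advisory already names; the heuristic is what catches the next domain the operators rotate to. Tune min_sub_len and min_entropy against a day of your own logs first, since CDN and anti-spam lookups also produce long encoded labels and will need allow-listing.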

Once the bad actors decide to ransom the victim, they download Ryuk and execute it on the target systems. In this case, Ryuk has been observed enumerating files to encrypt, discovering which processes are running (likely to determine which malware defenses are in use), and then disabling the anti-malware tools it finds to evade detection. All of this is done to improve the likelihood of a successful encryption event and, by extension, the likelihood that they will be paid.

So what are the best defenses against such modern, multi-stage threats? As we have discussed in our boot camps, you’ll need multiple layers since each attack may start with a slightly different entry point, or make it further down the chain to the data, which is the primary target.

What you can do now

First, as with most attacks, put email and web protection to work, since they stop the attack as far away from the user and the data as possible.

  • Ensure all anti-spam and anti-phishing protections are enabled.
  • Block all unnecessary file types in attachment filters. If your email protection solution allows you to block macros, you should do so, since many of these attacks start with a document with macros enabled to gain the first foothold on a system.
  • Double check that web protection is preventing access to known malicious websites and filtering questionable content.
  • Make users aware of the elevated risk. As mentioned, healthcare workers are being asked to do a lot these days, and if they are tired, they may fall prey to a malicious email more easily. Take the extra time to ensure they’re aware of the elevated threat levels.
  • Next, make sure your endpoint protection is up-to-date and functioning. Consider using an advanced endpoint protection solution like SolarWinds® Endpoint Detection and Response (EDR), as it is designed to detect the newer tactics and techniques used by malware creators.
  • Mass stopping or disabling of services and processes is a primary IoC for the start of the encryption stage: Ryuk shuts down the anti-malware tools it finds, and typically backup and database services as well, so they cannot interfere with encryption. Alert on an unusual number of services being stopped or disabled on a single host within a short window.
  • Having off-site or cloud-based copies of your backups will help ensure you can recover if you are hit with ransomware.
  • Consider restricting outbound DNS (port 53) so that only the resolvers your DNS infrastructure currently uses can reach the internet. That stops an infected host from bypassing your resolver and its logging, but it does not by itself stop Anchor_DNS: the tunnelled queries pass through your own resolver like any other lookup. So, at the very least, block or sinkhole the domains listed in the advisory on your resolver or firewall, and watch resolver logs for the long, high-entropy subdomain queries that tunnelling produces.
  • Review the Ransomware Guide created by CISA and MS-ISAC for best practices and a response checklist, to ensure you are prepared in case a customer is impacted.
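As an added example of the service-stop check in the list above (not code from SolarWinds or the advisory), the following alerts when one host logs a burst of Service Control Manager events reporting services stopped (event ID 7036) or set to disabled (event ID 7040) inside a short window. The tab-separated export format, the host names and the event lines are constructed for the example, and the HIGH_VALUE_KEYWORDS list is illustrative; adapt parse_events() to what your log collector actually produces.

```python
"""Alert on a burst of service stops on one host.

Added example for this post; not code from SolarWinds or the advisory. Ryuk
stops and disables services right before encrypting, so a single host logging
many Service Control Manager 7036 "entered the stopped state" or 7040
"changed ... to disabled" events in a short window deserves an immediate look.
The input format (one event per line: timestamp, host, event id, message,
tab-separated, in chronological order) is constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows System log events (chronological).
SAMPLE_EVENTS = """\
2020-11-03T14:02:10\tWS-RECEPTION-01\t7036\tThe Windows Update service entered the stopped state.
2020-11-03T14:02:11\tWS-RECEPTION-01\t7036\tThe Windows Update service entered the running state.
2020-11-03T14:05:00\tSRV-FILE-02\t7036\tThe Windows Defender Antivirus Service service entered the stopped state.
2020-11-03T14:05:01\tSRV-FILE-02\t7036\tThe Volume Shadow Copy service entered the stopped state.
2020-11-03T14:05:01\tSRV-FILE-02\t7036\tThe SQL Server (MSSQLSERVER) service entered the stopped state.
2020-11-03T14:05:02\tSRV-FILE-02\t7036\tThe Backup Agent service entered the stopped state.
2020-11-03T14:05:03\tSRV-FILE-02\t7036\tThe Print Spooler service entered the stopped state.
2020-11-03T14:05:04\tSRV-FILE-02\t7040\tThe start type of the Windows Defender Antivirus Service service was changed from auto start to disabled.
2020-11-03T14:40:00\tSRV-FILE-02\t7036\tThe Print Spooler service entered the running state.
"""

# 7036 reports every state change; only the "stopped" transition matters here.
STOP_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")
# 7040 reports start-type changes; only a change to "disabled" matters here.
DISABLE_RE = re.compile(
    r"^The start type of the (?P<svc>.+?) service was changed from .+ to disabled\.$"
)

# Illustrative keywords for services an attacker wants out of the way first.
HIGH_VALUE_KEYWORDS = ("defender", "antivirus", "endpoint", "backup", "shadow copy", "sql", "veeam")


def parse_events(text):
    """Yield (timestamp, host, event_id, message) from the tab-separated export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, message = line.split("\t", 3)
        yield datetime.fromisoformat(ts), host, int(event_id), message


def disabled_service(event_id, message):
    """Name of the service this event stopped or disabled, else None."""
    if event_id == 7036:
        m = STOP_RE.match(message)
    elif event_id == 7040:
        m = DISABLE_RE.match(message)
    else:
        return None
    return m.group("svc") if m else None


def is_high_value(service):
    """True for services whose loss is itself suspicious (AV, backup, database)."""
    name = service.lower()
    return any(k in name for k in HIGH_VALUE_KEYWORDS)


def detect_bursts(text, threshold=5, window_seconds=60):
    """Return one alert per host each time `threshold` stop/disable events fall inside the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> deque of (timestamp, service) inside the window
    alerts = []
    for ts, host, event_id, message in parse_events(text):
        svc = disabled_service(event_id, message)
        if svc is None:
            continue
        q = recent[host]
        q.append((ts, svc))
        while ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        if len(q) == threshold:  # fires once, as the burst crosses the line
            services = [s for _, s in q]
            alerts.append({
                "host": host,
                "first": q[0][0],
                "last": ts,
                "services": services,
                "high_value": [s for s in services if is_high_value(s)],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(f"{a['host']}: {len(a['services'])} services stopped/disabled between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"security/backup-related: {', '.join(a['high_value'])}")
```

A reboot or a patch window also stops many services at once, so in practice route the alert to a human rather than an automatic isolation action, and weight it by the high_value list: five stops in a minute is noise on patch night, but Defender, shadow copies, SQL and the backup agent going down together is not.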

Stay informed of the threat landscape

It would also be a good idea to sign up for updates from the National Cyber Awareness System Mailing List, as they tend to release and update information around active campaigns on a regular basis. Simply go to us-cert.cisa.gov, scroll to the bottom, and enter your email address. You can then choose which type of alerts to receive.

If you are supporting customers in the healthcare space, now is the time to make sure all your security is updated and functioning, back up your systems and data, and continue monitoring for suspicious behavior.

Let’s stay safe out there!

 

Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd
