Ryuk Ransomware Group Targets US Healthcare System
In late October 2020, cybersecurity researchers monitoring common online forums frequented by cybercriminals were tipped off to an impending ransomware attack against the U.S. healthcare system. A group of cybercriminals affiliated with the Ryuk ransomware variant were discussing plans to attack over 400 US healthcare organizations.
That same week, the U.S. government, including representatives from the FBI, DHS, and HHS, took steps to warn organizations about the impending threat. This included hosting a conference call that warned participants about the threat and advised them to apply patches to vulnerable systems and to report any potentially suspicious activity. Later, these agencies issued a joint alert about the threat.
The challenge with protecting against Ryuk is that typical methods of malware detection, such as malware signatures and indicators of compromise (IoCs), are ineffective. Ryuk commonly uses unique variants and malware for each attack campaign specifically to evade these types of countermeasures. As a result, the best way to protect against Ryuk is to deny the malware access to an organization’s environment by closing potential infection vectors, an approach that is in line with the advice from the FBI, DHS, and HHS to apply patches.
Ransomware Attacks on Healthcare Are a Significant Threat
The forewarned attack against hundreds of different US healthcare providers never occurred. A number of different factors could explain this, including U.S. healthcare organizations successfully blocking potential attack vectors, or the attackers deciding to cancel or delay their campaign because of the increased (and unwanted) visibility.
However, this is not to say that ransomware does not pose a significant and ongoing threat to healthcare’s ability to operate. In the first half of 2020, at least forty-one healthcare organizations reported successful ransomware attacks. In the week of October 26th alone (the week in which the potential Ryuk campaign was expected to occur), at least five ransomware campaigns were publicly reported.
Mitigating the Threat of Ransomware in Healthcare
The healthcare sector is particularly vulnerable to ransomware attacks for a few key reasons.
- Hospitals tend to operate vast numbers of legacy systems that can be easily exploited, making them key targets for hackers.
- Historically, hospitals have not had the budgets to invest in cyber-specific resources, such as cybersecurity professionals and cyber awareness training for users. Their budgets also have not included strategic investment for the deployment and implementation of appropriate security technology solutions.
- The healthcare sector is regularly targeted by cybercriminals seeking to take advantage of its critical infrastructure status, especially during the COVID-19 pandemic.
Protecting against ransomware attacks can be difficult as these campaigns have grown more targeted and sophisticated over recent years. Some best practices to mitigate the threat of ransomware include:
- Update and Patch: Unpatched vulnerabilities provide a vector for ransomware to access and infect systems. Promptly installing updates can help to close these gaps before an attacker can exploit them.
- Train Employees: Phishing is one of the main delivery mechanisms for ransomware. Training employees to recognize and properly respond to these emails is a crucial part of ransomware prevention.
- Monitor Valuable Data: Ransomware’s success depends on its ability to encrypt data that is of value to an organization. Monitoring access to systems containing valuable data can help to detect potential ransomware attacks early on.
- Implement Zero Trust: Cybercriminals are increasingly using compromised credentials and remote access tools like RDP to install malware. Limiting employees’ access to corporate systems to the permissions required for their role makes it more difficult for attackers to access and encrypt valuable data.
- Make Frequent Backups: Ransomware works by holding data hostage so that organizations pay to regain access to it. If an organization can restore from a backup, the impact of the attack is reduced.
- Perform Security Assessments: Most organizations have gaps in their cybersecurity that attackers can exploit. Proactive security assessments can help to find and close these holes before attackers can take advantage of them.
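The "Monitor Valuable Data" item above argues that watching access to systems holding valuable data can surface an attack early. As an added example, not taken from the original article, here is a small Python detector that reads file-server audit lines in an assumed format and flags any actor that renames many distinct files to a new extension within a short window. The check is behaviour-based rather than signature-based, which matters given the article's point that Ryuk's per-campaign variants defeat signature and IoC matching. The log format, field names, window, threshold and the sample log lines are all constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log line format (constructed for this example; not a real product's format):
#   2020-10-26T08:00:00 user=<name> host=<host> op=<open|write|rename> path=<p> [new_path=<p>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) op=(?P<op>\S+) "
    r"path=(?P<path>\S+)(?: new_path=(?P<new>\S+))?$"
)

WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
THRESHOLD = 15                   # distinct files renamed to a new extension inside WINDOW (assumed)


def _ext(path):
    """Lower-cased file extension, or '' when the name has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, host) whose extension-changing renames exceed threshold.

    Only renames that change the file extension are counted, so ordinary renames
    (draft.docx -> final.docx) are ignored. Lines are expected in time order.
    """
    recent = defaultdict(deque)   # actor -> deque of (timestamp, path, new extension)
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] != "rename" or not ev["new"]:
            continue
        old_ext, new_ext = _ext(ev["path"]), _ext(ev["new"])
        if old_ext == new_ext:
            continue
        actor = (ev["user"], ev["host"])
        q = recent[actor]
        q.append((ev["ts"], ev["path"], new_ext))
        while q and ev["ts"] - q[0][0] > window:   # drop events outside the window
            q.popleft()
        files = {p for _, p, _ in q}
        if len(files) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "start": q[0][0],
                "end": ev["ts"],
                "files": len(files),
                "new_exts": sorted({e for _, _, e in q}),
            })
    return alerts


def _build_sample_log():
    """Constructed sample: a clinician doing routine edits, then a bulk rename burst."""
    base = datetime(2020, 10, 26, 8, 0, 0)
    lines = []
    for i in range(5):   # benign writes, one per minute
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} user=dr.lee host=WS-17 op=write path=/share/notes/visit{i}.docx")
    t = base + timedelta(minutes=2)   # benign rename that keeps the extension
    lines.append(f"{t.isoformat()} user=dr.lee host=WS-17 op=rename "
                 f"path=/share/notes/draft.docx new_path=/share/notes/final.docx")
    for i in range(30):   # 30 record files renamed to a new extension in 30 seconds
        t = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{t.isoformat()} user=svc_backup host=FS-01 op=rename "
                     f"path=/share/records/patient{i:03d}.pdf "
                     f"new_path=/share/records/patient{i:03d}.pdf.enc")
    lines.sort()   # ISO timestamps lead each line, so a string sort is a time sort
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {a['actor']} renamed {a['files']} files to {a['new_exts']} "
              f"between {a['start']} and {a['end']}")
```

The alert fires on the fifteenth distinct file inside the window, well before the burst finishes, which is the point of monitoring the data rather than the malware: the threshold and window are the knobs to tune against a site's normal rename volume, and the same logic can be fed from any file-server or EDR audit source that records the old and new path.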