Ryuk Ransomware taking on human lives and impacting our healthcare
Ransomware attacks on hospitals and health care companies are growing deadlier by the day. August 2020 saw the first recorded fatality in Germany when a ransomware attack on a hospital resulted in a patient’s death because the facility had to shut-down and turn-away patients.
Hospitals and the health care industries have long been a target for ransomware groups as they cannot afford downtime, especially while dealing with a pandemic. Data, information, and records are sacrosanct at a hospital without which they can’t function or provide treatment to their patients.
Secondly, keeping pace with cybersecurity is low in this industry as security staffing and expertise are limited. With the broadest set of diverse systems, devices, and applications to manage very few hospitals can fully-validate business continuity or contingency plans for a ransomware attack. These systems are all critical and need to be continuously running, factors make the chances of a ransom pay-out high – undoubtedly a fact that motivates threat actors like Ryuk.
Early this month, Universal Health Services was attacked by Ryuk, leading to a shutdown of their entire network (250 hospitals in the US). Emboldened by this attack, it is now known that Ryuk is planning to strike at hundreds of hospitals, clinics, and health care facilities in the US.
Security Agencies CISA (Cybersecurity and Infrastructure Security Agency), FBI, and the Department of Health and Human Services (HHS) have issued a high alert joint security advisory to hospitals to take actions to secure themselves from Ryuk ransomware in particular.
The advisory also warns hospitals about malware (TrickBot and BazarLoader) used by Ryuk to deliver the ransomware and the IoCs to check whether your hospital has been compromised.
Known as one of the largest botnets globally, TrickBot is a banking trojan that has evolved into an all-purpose malware downloader distributing malware, stealing credentials, emails, and spreading the ransomware Ryuk.
BazarLoader malware is typically deployed through phishing emails with links to google drive documents controlled by threat actors. These emails are dressed up to resemble legitimate communications from an employer or a contact.
The advisory also lists Indications of Compromise (IoC) to check whether your hospital’s systems have been affected by this malware but we believe that they may be of little or no use if Ryuk has already compromised your network.
TrickBot and BazarLoader are malware instances that are uniquely customized to target their victims. Therefore, the only solution to escape them is to patch the vulnerabilities that Ryuk targets.
Interestingly, all the CVEs found associated with Ryuk are older vulnerabilities ranging from 2017 to mid-2019. Of these, CVE-2018-20685, CVE-2017-0147, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 have low CVSSv2 and CVSSv3 scores – which is why they fly under the radar and would not be prioritized for a fix by security teams. It is important to focus on vulnerabilities that are weaponized rather than just the CVSS scores.
Ransomware attacks on the healthcare industry, especially, during a pandemic is a dangerous assault on many counts. It not only puts a strain on the health workers but also disrupts and delays patient treatment programs which can have deadly repercussions.
To protect against Ryuk we recommend the following actions –
- Use advanced anti-ransomware solution and maintain an updated antivirus solution
- Combine ransomware detection tools with your backup. This will help in detecting ransomware infection and help in faster recovery from the backup
- Patch the vulnerabilities that exist in your network
- Initiate continuous cyclical vulnerability management process
- Backup the data in a remote location
- Have an incident recovery and business continuity plan in place
- Spread awareness about cybersecurity and ransomware attacks
Table 1: CVEs exploited by Ryuk Ransomware & their Patches
Ryuk MITRE ATT&CK Tactic
| ATT&CK Tactic Category | Techniques |
| Privilege Escalation | T1134 – Access Token Manipulation |
| Persistence |
T1547 – Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder T1059 – Command and Scripting Interpreter: Windows Command Shell |
| Impact |
T1486 – Data Encrypted for Impact T1490 – Inhibit System Recovery T1489 – Service Stop |
| Discovery |
T1083 – File and Directory Discovery T1057 – Process Discovery T1016 – System Network Configuration |
| Defense Evasion |
T1562 – Impair Defenses: Disable or Modify Tools T1036 – Masquerading: Match Legitimate Name or Location T1055 – Process Injection |
| Execution | T1106 – Native API |