FBI: Hospitals and healthcare providers face imminent ransomware threat

The FBI warns of a threat against the healthcare sector from Ryuk ransomware, and one that's already affected some hospitals.

Computer security and hacking concept. Ransomware virus has encrypted data in laptop. Hacker is offering key to unlock encrypted data for money.

Image: vchal, iStockphoto

As the coronavirus started to spread earlier this year, a few ransomware gangs promised to leave hospitals and healthcare facilities alone so they could focus on battling the pandemic. So much for those promises. In fact, the healthcare industry continues to be a prime target for ransomware, so much so that the FBI and two other government agencies are now warning this sector of impending attacks using the infamous Ryuk ransomware.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic) 

In a joint advisory published Wednesday, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) said they have credible information of an increased and imminent threat to U.S. hospitals and healthcare providers.

Specifically, cybercriminals are targeting the Healthcare and Public Health sector (HPH) with Trickbot malware in an attempt to carry out ransomware attacks, steal data, and disrupt healthcare services. Security experts report that this latest attack has already hit at least four hospitals and could affect hundreds more.

Initially created as a banking trojan, Trickbot has evolved into a full set of tools designed to carry out a range of illegal activities. The malware is now capable of such actions as credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware such as Ryuk. In this new reported threat, attackers are using different tools to compromise networks and data, with Ryuk acting as the coup de grace.

Cybercriminals typically will steal credentials using such commercial products as Cobalt Strike and PowerShell Empire. From there, they will scope out the network to determine the lay of the land, often using built-in operating system commands such as net view, net computers, and ping to find mapped network drives, domain controllers, and active directory installations.

SEE: The 5 biggest cybersecurity threats for the healthcare industry (TechRepublic)

To move laterally across the network, the attackers will again turn to built-in tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP).

After the Ryuk payload launches, the targeted files are encrypted using AES-256 and an RSA public key to encrypt the AES key. Ryuk then drops a .bat file to delete all backup files and shadow copies to stop the victim from recovering the encrypted files.

Further, the attackers attempt to shut down or remove any security software that could keep the ransomware from running. A RyukReadMe file placed on the infected system provides one or two email addresses through which the victim can contact the attacker. To keep the victims guessing, the ransom amount is revealed only after the initial contact is made. The victims are then instructed on how much to pay to a specific Bitcoin wallet.

"In the case of making money, ransomware is a key focus for cybercriminals," Heather Paunet, senior VP at Untangle, told TechRepublic. "When cyber attackers see that key healthcare businesses pay the ransom, they see the enormous potential of getting rich without caring about the damage they may do. As healthcare organizations pay ransoms and the large dollar amounts they pay are highlighted in the news, this becomes an indication that this is a sector that is willing to pay."

In the advisory, the FBI and the other agencies offered advice for healthcare facilities to guard against ransomware.

  • Regularly back up data, air gap, and password protect backup copies offline.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threat, such as ransomware and phishing scam, and how they are delivered. Additionally, provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
  • Ensure that employees know whom to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.

Hospitals and healthcare providers have also lagged behind traditional businesses in adopting the latest and most advanced security technologies.

SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)

"The healthcare services have an outdated approach to security awareness, education, and training," Daniel Norman, senior solutions analyst at the Information Security Forum, told TechRepublic. "The safety and well-being of patients has historically been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring, and hardening, especially for technologies such as (artificial intelligence) AI, robotics, and (Internet of Things) IoT devices."

Security expert and CISO of Unisys Mat Newfield also shared the following tips on combatting ransomware:

  • The two most critical things to do in order to prevent a ransomware breach is to ensure systems are always up to date with patches and you continue to focus on user education with regards to phishing and its variants such as SMSishing and vishing.
  • Understanding that exploitation is inevitable will allow security leaders to put tools and programs in place to not focus on prevention, but on rapid response instead.
  • Micro-segmentation and zero-trust concepts need to be at the center of your cyber programs to minimize the impact of a ransomware attack.
  • Many healthcare organizations suffer from the continued use of legacy and end-of-life (EOL) systems that are highly susceptible to compromise.
  • Rapid response and active monitoring are a must for healthcare and any other organization.
  • Multi-factor authentication platforms and techniques can significantly slow or ultimately stop widespread infection due to a ransomware attack. 

Further, the FBI advisory contains guidelines for hospitals that may have already been affected by these new attacks. Security administrators who have seen signs of a Trickbot network infection should immediately back up and secure sensitive data and network devices. Upon evidence of an infection, administrators should also review their DNS logs and "use the XOR key of 0xB9 to decode XOR encoded DNS requests." That action could then reveal the presence of Anchor_DNS, a variant of TrickBot that communicates exclusively over DNS.

"Staff shortages, lack of medicine, hospital beds, and personal protective equipment have pushed the healthcare services to breaking point," Norman said. "In addition to these clear operational concerns, threats from the cyber domain remain apparent, invasive, and in some cases, deadly. Over the coming years, these security threats will continue to accelerate around the world over as far more invasive and automated technology makes its way into the operating room and in some cases, the human body. Attackers will once again turn their attention to disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life."

Also see