LIFARS Incident Response Team (LISIRT) is observing a heavy increase in Ryuk Ransomware activity in the healthcare sector, especially in last few weeks. Cybersecurity community is estimating that approximately 30 companies are hit with this ransomware strain every day. The group behind Ryuk has been targeting high-profile companies like Universal Health Services, Sopria Steria, US Coast Guard, Wall Street Journal and New York Times to name a few. This particular ransomware has been targeting enterprise environments since August 2018. LISIRT incident responders were seeing ransom demands ranging from 1 million to 8 million dollars.
Ryuk in the Healthcare Sector
It is very unsettling, that currently in the covid-19 era the most targeted sector is the healthcare sector. Even though several ransomware gangs made claims to not target healthcare due to its importance today, not many have stood by their word. But with Ryuk, the situation is somewhat different. It almost seems like they are trying to cause as much damage as possible by targeting hospitals, that are already hanging by a thread.
During previous week and especially weekends, LISIRT has responded several times to late night calls from undisclosed hospitals in Tri-state area. In these hectic times, it is easy for a user to fall prey to a well-crafted phishing email and download an innocently looking spreadsheet with malicious macro. Enabling it causes a domino effect ultimately resulting in the compromise of the crown jewels of every Windows-based network – the domain controllers. After that, the attackers propagate the ransomware itself to all machines in the domain, encrypting valuable data needed for the IT infrastructure to operate.
We published a case study of a recent engagement where RYUK ransomware coupled with the Zbot/Zloader embedded in an Excel macro made up for a deadly combo. Download the case study do see findings from our digital forensics analysis and additional IoCs.
Why is the GRIM SPIDER (also called Wizard Spider), the Russia-based group behind Ryuk, targeting US hospitals with such rigor? The cybersecurity community can only speculate, but there are some clear precursors to these vicious attacks threatening the health of US citizens.
On October 19, 2020, US Department of Justice has released an indictment of six Russian GRU officers charged with destructive malware deployment and other disruptive actions in cyberspace. These individuals are associated with a group known by the names Sandworm Team, Telebots, Voodoo Bear, and Iron Viking. They were allegedly responsible for notoriously famous attacks, such as NotPetya, the Ukraine’s electric power grid outages, French elections spearphishing campaigns, 2018 PyeongChang Winter Olympic Games intrusions, etc. These individuals are now exposed for everyone to see.
Furthermore, FBI has declassified the “Operation Ghost Stories”, that discloses the identities of Russian spies that assimilated into day-to-day American life. This operation was probably the largest FBI counterintelligence investigation in history and took more than a decade to complete. And now, these criminals are exposed.
Many sources claim that these attacks can be a retaliation to the actions that US government took to uncover the identities of these individuals whose lives are now probably in danger. Can ransomware attacks have the power to endanger lives of US citizens in return? The recent case of ransomware crippling the network of a German hospital resulting in the death of a patient demonstrates that they can. And the heavy increase of Ryuk ransomware in the healthcare sector may indicate that it has already started. The time has come to prepare for the worst. LISIRT is expecting these attacks to continue for the foreseeable future. Therefore, it is of paramount importance to harden the defenses of our healthcare sector and make sure that it has strong and skilled digital forensics and incident response professionals at their disposal.
Indicators of Compromise (IoCs)
Phishing sender email: