LIFARS Incident Response Team (LISIRT) is observing a heavy increase in Ryuk Ransomware activity in the healthcare sector, especially in last few weeks. Cybersecurity community is estimating that approximately 30 companies are hit with this ransomware strain every day. The group behind Ryuk has been targeting high-profile companies like Universal Health Services, Sopria Steria, US Coast Guard, Wall Street Journal and New York Times to name a few. This particular ransomware has been targeting enterprise environments since August 2018. LISIRT incident responders were seeing ransom demands ranging from 1 million to 8 million dollars.
Ryuk in the Healthcare Sector
It is very unsettling, that currently in the covid-19 era the most targeted sector is the healthcare sector. Even though several ransomware gangs made claims to not target healthcare due to its importance today, not many have stood by their word. But with Ryuk, the situation is somewhat different. It almost seems like they are trying to cause as much damage as possible by targeting hospitals, that are already hanging by a thread.
During previous week and especially weekends, LISIRT has responded several times to late night calls from undisclosed hospitals in Tri-state area. In these hectic times, it is easy for a user to fall prey to a well-crafted phishing email and download an innocently looking spreadsheet with malicious macro. Enabling it causes a domino effect ultimately resulting in the compromise of the crown jewels of every Windows-based network – the domain controllers. After that, the attackers propagate the ransomware itself to all machines in the domain, encrypting valuable data needed for the IT infrastructure to operate.
We published a case study of a recent engagement where RYUK ransomware coupled with the Zbot/Zloader embedded in an Excel macro made up for a deadly combo. Download the case study do see findings from our digital forensics analysis and additional IoCs.
Ryuk’s Motivation
Why is the GRIM SPIDER (also called Wizard Spider), the Russia-based group behind Ryuk, targeting US hospitals with such rigor? The cybersecurity community can only speculate, but there are some clear precursors to these vicious attacks threatening the health of US citizens.
On October 19, 2020, US Department of Justice has released an indictment of six Russian GRU officers charged with destructive malware deployment and other disruptive actions in cyberspace. These individuals are associated with a group known by the names Sandworm Team, Telebots, Voodoo Bear, and Iron Viking. They were allegedly responsible for notoriously famous attacks, such as NotPetya, the Ukraine’s electric power grid outages, French elections spearphishing campaigns, 2018 PyeongChang Winter Olympic Games intrusions, etc. These individuals are now exposed for everyone to see.
Furthermore, FBI has declassified the “Operation Ghost Stories”, that discloses the identities of Russian spies that assimilated into day-to-day American life. This operation was probably the largest FBI counterintelligence investigation in history and took more than a decade to complete. And now, these criminals are exposed.
Conclusion
Many sources claim that these attacks can be a retaliation to the actions that US government took to uncover the identities of these individuals whose lives are now probably in danger. Can ransomware attacks have the power to endanger lives of US citizens in return? The recent case of ransomware crippling the network of a German hospital resulting in the death of a patient demonstrates that they can. And the heavy increase of Ryuk ransomware in the healthcare sector may indicate that it has already started. The time has come to prepare for the worst. LISIRT is expecting these attacks to continue for the foreseeable future. Therefore, it is of paramount importance to harden the defenses of our healthcare sector and make sure that it has strong and skilled digital forensics and incident response professionals at their disposal.
Indicators of Compromise (IoCs)
URLs:
http://23.82.189.1:428
boys86.com
dacyclin.com
fepami.com
xnxxfullhd.com/wp-admin/NAK/
www.business-management-degree.net/wp-snapshots/W/
homestay.design/wordpress/M/
csc-comunity.com/wp-admin/6DW/
IP Addresses:
23.82.189.1
23.82.185.95
173.234.155.220
103.109.78.174
23.82.185.98
167.114.153.111
177.190.69.162
195.123.240.113
213.32.84.27
185.99.2.243
85.204.116.173
5.182.211.223
45.89.125.148
75.188.96.231
173.68.199.157
59.148.253.194
72.10.36.104
MD5:
17a651a033561a9bdc52d87d23af9ca8
dbb0348f6b13b3f1713350489c35afce8e96426c
c75cd58fcc16fc53df4cd83991f9a852ae683699b585737214e6c5e9df76eb18
Phishing sender email:
stome@costasul.net.br
