On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”) and the Department of Health and Human Services (“HHS”) coauthored an urgent cybersecurity advisory (the “CISA Alert”) describing the tactics, techniques and procedures (“TTPs”) used by cybercriminals against targets in the Healthcare and Public Health Sector (“HPH”) to infect systems with Ryuk ransomware for financial gain. Several health systems throughout the United States have recently become the targets of disruptive ransomware attacks, forcing them to divert patients to other health care providers, in what appears to be a critical escalation of previously reported cyber attacks on the health care industry.
Organizations in the health care and public health sectors should review this information carefully and take immediate steps to protect their networks against this imminent cyber threat.
Ryuk Ransomware Overview
Ryuk is a ransomware family that has been targeting large organizations and governmental entities for high ransom payments, ranging from several hundred thousand dollars to millions of dollars. Ryuk targets enterprise environments, and its operators typically encrypt or destroy backups before the ransom note is delivered. CISA, FBI and HHS have credible information that TrickBot, a banking trojan that also steals credentials and exfiltrates email, is being used to deliver Ryuk. Initial access often occurs via phishing emails or through a remote desktop protocol (“RDP”) port exposed to the internet. Personal data and credentials are stolen before the Ryuk ransomware encrypts the data and demands payment of the ransom. Ryuk attempts to delete all backup files and Volume Shadow Copies (automatic snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.
Risk Mitigation Recommendations
For health care organizations, an attack of this nature can directly impact patient care and prevent health care providers from performing critical health care operations. Health care organizations should consider taking immediate action to secure their information technology networks, including:
- Actively monitoring network traffic for signs of unusual activity and indicators of data exfiltration.
- Conducting focused monitoring for evidence of TrickBot or Emotet. Specific indicators of compromise (“IOCs”) have been identified, and HPH organizations should watch carefully for the IOCs outlined in the CISA Alert.
- Encrypting all data at rest and in transit to the greatest possible extent. Ryuk has been associated with exfiltration (download) of data for use in extorting payments. Note that encryption at rest only limits what an attacker can read if the attacker does not also hold the credentials or keys of an authorized user; it does not stop exfiltration by an intruder operating with stolen domain credentials.
- Regularly backing up data and maintaining backup copies securely offline.
- Ensuring that all applications and operating systems are updated and patched.
- Communicating to workforce members that they should be suspicious of all emails from an unknown source until further notice.
- Implementing filtering software to block suspicious emails.
- To the extent possible, disabling remote access services such as RDP, and at a minimum ensuring they are not reachable directly from the internet. Where RDP must remain, require password updates (including for vendor accounts) and monitor RDP/access logs for failed-logon bursts and logons from unexpected addresses.
- Remember that telemedicine and other remote monitoring/remote access capabilities are at risk; use multi-factor authentication, back-up systems, control access and monitor access logs.
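The monitoring items above (RDP/access logs, and evidence of the backup and shadow-copy destruction described in the Ryuk overview) as a worked example. This is added illustrative code, not code from the CISA Alert or from Hall Render. It runs a small detector over constructed sample records shaped like the fields an ingest pipeline would extract from Windows Security events 4625 (failed logon), 4624 (successful logon, where logon type 10 is RemoteInteractive, i.e. RDP) and 4688 (process creation with command-line auditing enabled). The field names, the thresholds, the internal address ranges and the backup-tampering command patterns are assumptions chosen for the example; the command patterns are common ransomware backup-destruction commands in general, not an IOC list taken from the CISA Alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real logs). Field names are an assumption about
# what a log pipeline would extract from the Windows Security event log.
SAMPLE_EVENTS = [
    # Six failed RDP logons for one account from one internet address within five minutes...
    {"time": "2020-10-28T02:01:05", "id": 4625, "host": "RDP-GW01", "user": "jsmith", "src_ip": "203.0.113.10", "logon_type": 10},
    {"time": "2020-10-28T02:01:21", "id": 4625, "host": "RDP-GW01", "user": "jsmith", "src_ip": "203.0.113.10", "logon_type": 10},
    {"time": "2020-10-28T02:01:38", "id": 4625, "host": "RDP-GW01", "user": "jsmith", "src_ip": "203.0.113.10", "logon_type": 10},
    {"time": "2020-10-28T02:02:02", "id": 4625, "host": "RDP-GW01", "user": "jsmith", "src_ip": "203.0.113.10", "logon_type": 10},
    {"time": "2020-10-28T02:02:30", "id": 4625, "host": "RDP-GW01", "user": "jsmith", "src_ip": "203.0.113.10", "logon_type": 10},
    {"time": "2020-10-28T02:03:11", "id": 4625, "host": "RDP-GW01", "user": "jsmith", "src_ip": "203.0.113.10", "logon_type": 10},
    # ...followed by a success from the same address (password guessed, or credentials already stolen).
    {"time": "2020-10-28T02:05:40", "id": 4624, "host": "RDP-GW01", "user": "jsmith", "src_ip": "203.0.113.10", "logon_type": 10},
    # Shadow copy deletion on a file server shortly afterwards: the backup-destruction step.
    {"time": "2020-10-28T03:12:44", "id": 4688, "host": "FILESRV01", "user": "jsmith", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # A normal internal RDP session with one mistyped password: no alert expected.
    {"time": "2020-10-28T08:15:02", "id": 4625, "host": "WS-NURSE12", "user": "nurse.a", "src_ip": "10.20.4.15", "logon_type": 10},
    {"time": "2020-10-28T08:15:30", "id": 4624, "host": "WS-NURSE12", "user": "nurse.a", "src_ip": "10.20.4.15", "logon_type": 10},
    {"time": "2020-10-28T08:20:00", "id": 4688, "host": "WS-NURSE12", "user": "nurse.a", "cmdline": "C:\\Program Files\\EHR\\ehr.exe"},
]

# Assumed internal address space; adjust to the organization's real ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Command lines commonly used by ransomware to destroy shadow copies and recovery data
# (generic patterns, an assumption for this example, not a Ryuk-specific IOC list).
BACKUP_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source address with >= threshold failed RDP logons inside `window`,
    noting whether a successful RDP logon from that address followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("logon_type") != 10:
            continue
        (failures if e["id"] == 4625 else successes if e["id"] == 4624 else defaultdict(list))[e["src_ip"]].append(_ts(e))
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                alerts.append({
                    "src_ip": ip,
                    "failures": len(in_window),
                    "first_seen": start.isoformat(),
                    "success_after": any(s >= start for s in successes.get(ip, [])),
                })
                break  # one alert per address is enough
    return alerts


def detect_external_rdp_logons(events, internal_nets=INTERNAL_NETS):
    """Successful RDP logons whose source address is outside the assumed internal ranges."""
    return [
        {"time": e["time"], "host": e["host"], "user": e["user"], "src_ip": e["src_ip"]}
        for e in events
        if e["id"] == 4624 and e.get("logon_type") == 10
        and not any(ip_address(e["src_ip"]) in net for net in internal_nets)
    ]


def detect_backup_tampering(events):
    """Process-creation events whose command line matches a backup-destruction pattern."""
    return [
        {"time": e["time"], "host": e["host"], "user": e["user"], "cmdline": e["cmdline"]}
        for e in events
        if e["id"] == 4688 and any(p.search(e.get("cmdline", "")) for p in BACKUP_TAMPER_PATTERNS)
    ]


def run_detections(events):
    return {
        "rdp_bruteforce": detect_rdp_bruteforce(events),
        "external_rdp_logon": detect_external_rdp_logons(events),
        "backup_tampering": detect_backup_tampering(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Run against the sample, the detector raises one alert in each category, all tied to the same account and source address, which is the kind of correlated picture (external brute force, then a success, then shadow-copy deletion on a server) that should trigger the isolation steps described in the incident response section. The shadow-copy check depends on process command-line auditing (Event 4688 with command-line logging enabled), which is off by default on Windows and should be turned on before it is needed.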
If you believe that your organization may be infected, you should consider taking the following steps to mitigate the scope and impact of the incident:
- Continuously monitor your organization’s network in order to rapidly identify and isolate affected computers. Work with IT staff to identify the best immediate response to an apparent infection. Often, this will be to disconnect affected computers from the network as soon as possible; disconnecting rather than powering off preserves evidence in memory that the forensics team will need.
- Educate your workforce on immediate steps to take if they believe their computer is infected. This may include describing the steps to isolate computers from the network safely and calling a “stat” Help Desk number that bypasses the normal call queue to avoid delays in notifying IT security. Consider providing a step-by-step process that can be printed out and kept at the workstation so that it is available when computers are not functional, so that staff do not have to try to remember the steps.
- Predefine network segments, IT capabilities and other functionality that can either be quickly separated from the enterprise network or shut down entirely without impacting operations of the rest of the IT infrastructure.
- Evaluate and be prepared to implement the use of alternative communications. Ryuk threat actors will have likely compromised your organization’s email system and could be listening in. Develop an alternative communication system that is secure.
- Access a skilled forensics team. Understanding what malware is involved, and where the threat actors have moved, is critical. Use of a skilled third-party forensic team gives you the best possible view of what actually happened on your network and systems during the incident.
- Contact experienced legal counsel to guide you through the various legal implications involved in an incident of this nature.
- Consider working with law enforcement. Law enforcement has probably already worked with victims of a similar attack and may have valuable perspective regarding how the attack will unfold.
- Either stand up a clean computer system or reimage the infected system. Be very careful if you bring old data onto the new system; restore only from backups taken before the compromise and scanned for malware, or you may simply re-infect the system.
- Reset passwords. All of them, domain and local, including service accounts and applications that don’t appear to have been compromised. In an Active Directory environment this includes the KRBTGT account, which must be reset twice to invalidate Kerberos tickets forged with the stolen credentials.
Hall Render attorneys are monitoring updates as this cyber threat continues to escalate across the healthcare industry. If you have any questions or would like more information on this topic, please contact:
- Melissa Markey at (248) 310-4876 or mmarkey@hallrender.com;
- Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com;
- Cory Brennan at (317) 429-3614 or cbrennan@hallrender.com; or
- Your regular Hall Render attorney.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.