The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released a joint cybersecurity advisory yesterday evening regarding ransomware activity targeting the Healthcare and Public Health (HPH) Sector.
PYA recommends that all HPH Sector organizations increase their email threat awareness by immediately sending out alerts to all employees.
Key Findings
CISA, the FBI, and HHS assess that malicious cyber actors are targeting the HPH Sector with TrickBot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
These issues will be particularly challenging for organizations during the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
Technical Details
TrickBot Trojan
TrickBot began as a banking trojan and has evolved to provide a multitude of tools to cyber attackers, including: credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and most importantly, the deployment of ransomware, namely Ryuk.
Ryuk Ransomware
Ryuk is typically deployed as a payload from trojans such as TrickBot. Ryuk actors use native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) to move throughout the network. Once in place, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. A file is dropped that attempts to delete all forms of backup files to prevent the organization from restoring a backup instead of paying a ransom for its data. The attackers will also attempt to delete any security applications that will prevent the ransomware from running.
Ransom
The attackers use an encrypted email system, Protonmail, to contact the organization and request the ransom. The organization is instructed of the amount to pay via a Bitcoin Wallet for the decryptor and is provided a sample copy of two decrypted files for proof of decrypted data.
CISA, the FBI, and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
Mitigation
CISA, the FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies. CISA, the FBI, and HHS suggest HPH Sector organizations review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.
Organizations should regularly back up data, air gap, and password protect backup copies offline. Recovery plans should include plans to maintain multiple copies of sensitive data and servers in a separate and secure physical location.
We’re Here to HELP
If you see a suspicious email, you should contact your IT department immediately. Do not open, click, or download anything within the email.
If you have any concerns regarding the risks your organization may face with regard to compromised business emails or phishing attacks, we are happy to discuss how we can help you reduce those risks.
As always, we are here to help should you experience an unfortunate event. If we can be of service or evaluate anything deemed suspicious, contact a PYA executive below at (800) 270-9629.
