What to Do as Ryuk Ransomware Hits Healthcare and Manufacturing

Editor's note: CISO Mike Hamilton and Healthcare IT Expert Drex DeFord hosted an urgent panel discussion for IT/IS leaders on Monday, Nov 2. You can watch the webinar replay above.

Several healthcare organizations and at least one large manufacturing company became Ryuk ransomware victims this week. In light of that, Critical Insight is sharing some guidance with our customers, some of which we are posting publicly to prevent more breaches. Please read below:

From: Critical Insight
Sent: Wednesday, October 28, 2020
Subject: Ryuk Attacks

Good afternoon,

We are hearing from multiple channels that several hospitals have been hit by ransomware in what is sounding like a coordinated attack. We are hearing on DHS/FBI industry outreach channels that the number may be in the dozens.

The criminals

We know Ryuk is the ransomware strain that has hit at least one hospital, if it is involved in the other hits (which we believe to be likely given the reporting) this may well point to the “Wizard Spider” group, which is a known Russian ransomware operator. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

What the Critical Insight SOC is doing

The team in the Security Operations Center is working with our research team using the currently known IOCs (indicators of compromise) involved in this set of attacks. All known domains and IPs suspected in the Ryuk attacks are being crafted into specific alerts for the SOC. If we confirm an alert for your organization, we will contact you.

Here is an unconfirmed list that appears credible in the case that you would like to examine sources which Critical Insight may not have access to on your network: https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456

We suggest going through the list and add these to firewall and execution blocklists.

What you should do

Based on our experience, we believe some of the ransomware is spreading by email. We know ransomware also spreads through exposed infrastructure, remote access systems, and fileshare systems.

This is a time to batten down hatches and be on high alert. We advise:

1. Putting all systems into limited or restricted software execution mode if possible using trusted application “allow lists” such as AppLocker and Defender for Endpoint and enabling ransomware protection services built into Windows 10. (These can have detrimental effects on applications which need to write to the user profile directory and should be tested thoroughly before enabling on patient care systems.)
2. Paying special attention to the Zerologon vulnerability. Additional information suggests that at least 1 Ryuk Ransomware Gang is exploiting the Zerologon vulnerability for “lightning strikes.”
3. Ensuring firewalls are in full IPS and deep packet inspection mode with application restriction policies in place.
4. Enable Geoblocking/Geofiltering where possible, blocking internet traffic to regions you know you are not serving or doing business with.
5. Proactively create and promote a physical domain controller, then after it has replicated, disconnect it from the network and power it down.
6. Ensure offline backups and/or tape rotations are dismounted and ejected.
7. If file and data archival systems are not presently needed for operations, power them off and/or disconnect them from the network.
8. Be HIGHLY CAUTIOUS of any and all email and files received from outside networks and healthcare partners. Ensure all email is scanned and filtered, and that antivirus and ransomware countermeasures such as OS ransomware protection and EDR systems are in place, especially on systems which are exchanging files and data with third parties.
9. Ensure staff are prepared for paper-and-pencil fallback procedures in the event of a systems outage.
10. Tell staff to stop using personal email on any company device.

Security Awareness Training

Coincidentally, Critical Insight is offering free security awareness training every Friday at 12p PT. Please send anyone from your organization who would benefit. 

The email to our customers also gave a phone number for the SOC. If you’d like additional guidance from Critical Insight, you can contact us here.