Yesterday, US-CERT issued a joint warning from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) to the healthcare industry regarding an elevated risk of ransomware attacks. In the brief, they disclosed that they had credible information regarding the threat of potentially severe ransomware attacks being imminent for hospitals and other healthcare-related services.
This is a particularly bad time for hospitals and healthcare providers to be at risk, because of the critical nature of the services they deliver during these concerning times. As a service provider, it is important to give these critical organizations extra attention and vigilance to keep them running smoothly.
What you need to know
Generally, when an advisory like this is released, the issuers have information indicating a targeted campaign by nation-states or other organized bad actors, and the advisory is intended to put organizations on a higher state of vigilance. The advisory goes on to lay out some of the threat details for this campaign, including Indicators of Compromise (IoCs) to watch for, and maps the tactics, techniques, and procedures (TTPs) used by the bad actors to the MITRE ATT&CK framework. As with many recent campaigns, this one has been observed using Trickbot for the initial infection and Ryuk as the secondary component for the encryption stage. Finally, it offers guidance on what to do if you are impacted by a ransomware event.
What is the risk?
If you have attended one of my security boot camps, you are no doubt familiar with the Trickbot and Ryuk ransomware families and some of the kill chain components we review. Let’s talk about some of the techniques used in campaigns like these.
The first foothold is usually a well-crafted email that tricks a user into opening a document or providing credentials. This is where the first scripts run to install the Trickbot component.
At this stage of the infection, reconnaissance, harvesting of stored credentials, and lateral movement through the environment occur. Trickbot uses legitimate applications to evade detection. This campaign has been observed using Anchor_DNS to hide communication with its command and control (C2) servers so that it is not blocked by traditional firewalls and web protection: the data is tunneled inside DNS queries, which blend into the background DNS noise of a normal network. This is a relatively new addition to the modules used by Trickbot, and an indicator that, just like legitimate software companies, malware creators continue to improve the functionality of their toolset. The advisory lists the domains used in these queries, as well as the IP addresses of the observed C2 servers, so you can search your DNS and firewall logs for them.
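The DNS-tunneling behavior described above is something you can hunt for in your own resolver logs, because encoded data does not look like host names. The following is an added example, not code from the original post or from the advisory: a small Python detector that groups queries by client and base domain, flags groups whose subdomain labels are numerous, long and high-entropy, and separately matches queries against a domain blocklist. The log format, client addresses, domain names and thresholds are all constructed for the example; the blocklist is a placeholder, and in practice you would load the domains listed in the advisory into it.

```python
"""Added example (not from the original post or the advisory): flag
DNS-tunnelling behaviour of the kind Anchor_DNS is described as using,
and match queries against a domain blocklist.

Assumptions: the log format (timestamp client qname qtype), the client
addresses, the domain names and the thresholds are all constructed for
this example. The blocklist below is a placeholder; load the domains
listed in the advisory in place of it.
"""
import math
from collections import defaultdict

# Constructed DNS query log, one query per line: "timestamp client qname qtype".
SAMPLE_LOG = """\
2020-10-29T10:00:01 10.0.5.21 www.example.com A
2020-10-29T10:00:02 10.0.5.21 mail.example.com MX
2020-10-29T10:00:03 10.0.5.21 cdn.example.com A
2020-10-29T10:00:04 10.0.5.21 api.example.com A
2020-10-29T10:00:05 10.0.5.21 login.example.com A
2020-10-29T10:00:06 10.0.5.21 www.example.com A
2020-10-29T10:00:10 10.0.5.33 3f9a1c7e2b8d4e6a9c1b.tunnel-c2.example A
2020-10-29T10:00:11 10.0.5.33 a81e2d9f0c4b7a6e3d5f.tunnel-c2.example A
2020-10-29T10:00:12 10.0.5.33 7c2e9b4d1f8a6c3e0b5d.tunnel-c2.example A
2020-10-29T10:00:13 10.0.5.33 e5d0a7f3c9b1e8d2a4c6.tunnel-c2.example A
2020-10-29T10:00:14 10.0.5.33 1b8f3a6d9e2c5b0f7a4e.tunnel-c2.example A
2020-10-29T10:00:15 10.0.5.33 9d4c7b2a5e8f1c6d3b0a.tunnel-c2.example A
2020-10-29T10:00:20 10.0.5.33 update.c2-placeholder.example A
"""

# Placeholder blocklist (assumption); replace with the advisory's domain list.
BLOCKLIST = ["c2-placeholder.example"]


def shannon_entropy(s):
    """Bits of entropy per character; hex or base32/base64 payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Last two labels of the name. A simplification: a real deployment
    would use the public suffix list so that e.g. example.co.uk works."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype}


def analyze(log_text, blocklist, min_unique=4,
            entropy_threshold=3.5, length_threshold=16):
    """Return blocklist hits and (client, domain) pairs whose subdomain
    labels look like encoded data rather than host names."""
    blocked = {d.lower().rstrip(".") for d in blocklist}
    blocklist_hits = []
    groups = defaultdict(list)          # (client, base domain) -> qnames
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dom = base_domain(rec["qname"])
        if dom in blocked or rec["qname"] in blocked:
            blocklist_hits.append((rec["client"], rec["qname"]))
        groups[(rec["client"], dom)].append(rec["qname"])

    suspects = []
    for (client, dom), names in groups.items():
        # Unique subdomain parts; repeated lookups of one host are not a signal.
        subs = {n[: -len(dom) - 1] for n in names if n != dom and n.endswith("." + dom)}
        if len(subs) < min_unique:
            continue
        first_labels = [s.split(".")[0] for s in subs]
        avg_len = sum(len(lab) for lab in first_labels) / len(first_labels)
        avg_entropy = sum(shannon_entropy(lab) for lab in first_labels) / len(first_labels)
        if avg_entropy >= entropy_threshold or avg_len >= length_threshold:
            suspects.append({"client": client, "domain": dom,
                             "unique_subdomains": len(subs),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2)})
    return {"blocklist_hits": blocklist_hits, "tunnel_suspects": suspects}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, BLOCKLIST).items():
        print(key, value)
```

On the constructed log, the ordinary client querying a handful of short host names under example.com is evaluated but not flagged, while the client sending twenty-character hex labels under a single domain is reported along with the one query that matches the blocklist. Tune the thresholds against a week of your own logs before alerting on them; content delivery and anti-spam lookups also produce long labels and are the usual false positives.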
Once the bad actors decide to ransom the victim, they download Ryuk and execute it on the target systems. In this campaign, Ryuk has been observed enumerating files to encrypt, discovering which processes are running (likely to determine which malware defenses are in use), and then disabling the antimalware tools it finds to evade detection. All of this is done to improve the likelihood of a successful encryption event and, by extension, the likelihood that they will be paid.
So what are the best defenses against such modern, multi-stage threats? As we have discussed in our boot camps, you’ll need multiple layers since each attack may start with a slightly different entry point, or make it further down the chain to the data, which is the primary target.
What you can do now
First, as with most attacks, email and malicious website protection stop the threat as far away from the user and the data as possible.
- Ensure all anti-spam and anti-phishing protections are enabled.
- Block all unnecessary file types in attachment filters. If your email protection solution allows you to block macros, you should do so, since many of these attacks start with a document with macros enabled to gain the first foothold on a system.
- Double check that web protection is preventing access to known malicious websites and filtering questionable content.
- Make users aware of the elevated risk. As mentioned, healthcare workers are being asked to do a lot these days, and if they are tired, they may fall prey to a malicious email more easily. Take the extra time to ensure they’re aware of the elevated threat levels.
- Next, make sure your endpoint protection is up-to-date and functioning. Consider using an advanced endpoint protection solution like SolarWinds® Endpoint Detection and Response (EDR), as it is designed to detect the newer tactics and techniques used by malware creators.
- Mass stopping or disabling of services and processes is a primary IoC at the start of the encryption stage, so make sure you are looking for an unusual number of services being disabled or stopped in a short period.
- Having off-site or cloud-based copies of your backups will help ensure you can recover if you are hit with ransomware. Make sure those copies cannot be reached with the same credentials as the production systems, or they may be encrypted along with everything else.
- Consider blocking outbound DNS traffic to any resolvers other than the ones your DNS infrastructure currently uses, so that every query passes through resolvers you control and can log and filter. At the very least, reference the list of DNS domains in the advisory and block outbound queries to those domains.
- Review the Ransomware Guide created by CISA and MS-ISAC for best practices and a response checklist, to ensure you are prepared in case a customer is impacted.
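The service-stop IoC in the list above can be hunted in the Service Control Manager events that Windows writes to the System log: event ID 7036 records a service entering the stopped (or running) state, and event ID 7040 records a change of a service's start type, for example to disabled. What follows is an added example, not code from the original post or from the advisory, that runs over a constructed CSV export of such events and reports both a burst of distinct services stopped within a short window and any stop or disable of an antimalware service. The CSV layout, host names, service names, thresholds and the keyword list used to recognize antimalware services are all assumptions made for this example.

```python
"""Added example (not from the original post or the advisory): detect a
burst of service stops and any stop or disable of antimalware services,
from Service Control Manager events exported from the Windows System log.

Assumptions: the CSV layout, host names, service names and thresholds
are constructed for this example. Event 7036 ("entered the stopped
state") and 7040 ("start type was changed ... to disabled") are real
Service Control Manager event IDs; the keyword list below is a
placeholder to adapt to the antimalware products actually deployed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: host,timestamp,event_id,service,message (no commas in messages).
SAMPLE_EVENTS = """\
host,timestamp,event_id,service,message
WS01,2020-10-29T09:58:10,7036,Print Spooler,The Print Spooler service entered the running state.
WS01,2020-10-29T10:01:00,7036,Windows Update,The Windows Update service entered the stopped state.
WS01,2020-10-29T10:20:00,7036,Print Spooler,The Print Spooler service entered the stopped state.
SRV02,2020-10-29T10:05:00,7036,SQL Server (MSSQLSERVER),The SQL Server (MSSQLSERVER) service entered the stopped state.
SRV02,2020-10-29T10:05:01,7036,SQL Server Agent (MSSQLSERVER),The SQL Server Agent (MSSQLSERVER) service entered the stopped state.
SRV02,2020-10-29T10:05:02,7036,Backup Agent,The Backup Agent service entered the stopped state.
SRV02,2020-10-29T10:05:03,7040,Windows Defender Antivirus Service,The start type of the Windows Defender Antivirus Service service was changed from auto start to disabled.
SRV02,2020-10-29T10:05:04,7036,Windows Defender Antivirus Service,The Windows Defender Antivirus Service service entered the stopped state.
SRV02,2020-10-29T10:05:06,7036,Volume Shadow Copy,The Volume Shadow Copy service entered the stopped state.
SRV02,2020-10-29T10:05:08,7036,Windows Backup,The Windows Backup service entered the stopped state.
"""

# Placeholder keywords (assumption) identifying antimalware/EDR services.
PROTECTED_KEYWORDS = ["defender", "antivirus", "antimalware", "endpoint protection", "edr"]


def is_stop_event(row):
    """True for a service stopping (7036) or being set to disabled (7040)."""
    msg = row["message"].lower()
    if row["event_id"] == "7036":
        return "stopped state" in msg
    if row["event_id"] == "7040":
        return "to disabled" in msg
    return False


def parse_events(csv_text):
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    rows.sort(key=lambda r: (r["host"], r["ts"]))
    return rows


def detect(csv_text, window_seconds=60, burst_threshold=5,
           protected_keywords=PROTECTED_KEYWORDS):
    """Return per-host bursts of distinct services stopped within a sliding
    window, plus every stop/disable of a protected service."""
    window = timedelta(seconds=window_seconds)
    stops = defaultdict(list)
    protected_hits = []
    for row in parse_events(csv_text):
        if not is_stop_event(row):
            continue
        stops[row["host"]].append(row)
        name = row["service"].lower()
        if any(k in name for k in protected_keywords):
            protected_hits.append((row["host"], row["timestamp"],
                                   row["service"], row["event_id"]))

    bursts = []
    for host, events in stops.items():
        best = None
        start = 0
        for i, ev in enumerate(events):
            # Slide the window start forward past events older than the window.
            while events[start]["ts"] < ev["ts"] - window:
                start += 1
            distinct = {e["service"] for e in events[start:i + 1]}
            if len(distinct) >= burst_threshold and (
                    best is None or len(distinct) > best["distinct_services"]):
                best = {"host": host, "window_end": ev["timestamp"],
                        "distinct_services": len(distinct)}
        if best is not None:
            bursts.append(best)
    return {"bursts": bursts, "protected_hits": protected_hits}


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for burst in result["bursts"]:
        print("service-stop burst:", burst)
    for hit in result["protected_hits"]:
        print("protected service stopped/disabled:", hit)
```

In the constructed data, the workstation that stops two services twenty minutes apart stays quiet, while the server that stops six distinct services in under ten seconds, including setting its antivirus service to disabled and then stopping it, produces both a burst alert and two protected-service hits. A planned reboot or patch window also stops many services at once, so pair the burst rule with the protected-service rule rather than relying on either alone.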
Stay informed of the threat landscape
It would also be a good idea to sign up for updates from the National Cyber Awareness System Mailing List, as they tend to release and update information around active campaigns on a regular basis. Simply go to us-cert.cisa.gov, scroll to the bottom, and enter your email address. You can then choose which type of alerts to receive.
If you are supporting customers in the healthcare space, now is the time to make sure all your security is updated and functioning, back up your systems and data, and continue monitoring for suspicious behavior.
Let’s stay safe out there!
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd