Surge in Ryuk ransomware attacks has hospitals on alert

Healthcare organisations across the world are in a state of high alert after a surge in reported Ryuk ransomware attacks, orchestrated by the Russia-based Wizard Spider advanced persistent threat (APT) group, prompted multiple investigations and fresh warnings in the US.

The FBI is understood to be investigating attacks against hospitals in several states, with doctors reporting via Reuters that they are being forced to rely on pen and paper, with others having to divert patients to alternative facilities. Alongside the US’s Cybersecurity and Infrastructure Security Agency (CISA), it conducted, on 28 October, a conference call with healthcare sector leaders to explicitly warn them about Ryuk.

Charles Carmakal, senior vice-president and CTO of Mandiant, said that by actively targeting the health sector during a pandemic, Wizard Spider was demonstrating a clear disregard for human life. He described the group as “one of the most brazen, heartless and disruptive threat actors I’ve observed” and said that as hospital capacity becomes more strained during the second wave of Covid-19, the danger was likely to increase.

Sam Curry, chief security officer at Cybereason, added: “Cybereason is well versed in the Ryuk crime gang and their actions in previous years to deploy ransomware around the world. The Ryuk crime group has laid a path of destruction around the world, victimising companies in many industries and stealing money and sensitive information.

“When you compare the number of hospitals and health systems facing possible threats, the risk is many times greater than 2017’s global WannaCry ransomware attack and the potential devastation is insurmountable.”

Tom Kellerman, head of cyber security strategy at VMware Carbon Black and a former cyber commissioner under the Obama administration, theorised that Wizard Spider was attacking hospitals as retaliation for the disruption caused to the Trickbot botnet it uses to deliver Ryuk.

Ryuk is a relatively young ransomware, first spotted in 2018, but has surged during 2020, according to statistics provided by SonicWall’s Capture Labs, which has booked 67.3 million Ryuk attacks in 2020, one-third of all ransomware incidents so far this year.

Dmitriy Ayrapetov, vice-president of platform architecture at SonicWall, said: “The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting healthcare services with attacks on hospitals.

“Ryuk is especially dangerous because it is targeted, manual and often leveraged via a multi-stage attack preceded by Emotet and TrickBot malware. Therefore, if an organisation has Ryuk, it’s a pretty good indication that its infested with several types of malware.”

Once Wizard Spider has access to its target network, has conducted reconnaissance and established the persistence it needs to drop Ryuk, the ransomware uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. A .bat file is also dropped that will try to delete backup files and stop the victim from getting their files back without the needed decryption program.

It will also try to shut down or even uninstall local cyber security tools that might stop Ryuk from executing – which, according to the CISA, is usually done via an automated script, although there appears to be a manual failsafe should that not work.

A file named RyukReadMe placed on the system will then direct the victim to a Protonmail email account to contact the attackers – earlier versions had made a specified ransom demand at this point, but Wizard Spider now only does this after contact is made. The victim will then be directed to make a payment to a bitcoin wallet in order to obtain the decryption program and will typically be provided with a “free sample” of two files.

The CISA said it suspected the RyukReadMe file does not necessarily need to be present for the decryption script to run properly, but other observers have suggested some files do not decrypt properly without it and, even if it is run correctly, there is of course no guarantee that it will be effective. Things become more complicated because the RyukReadMe file is deleted after the script runs.

In the UK, NHS Digital publishes regular cyber security alerts and advisories for its users online, but at the time of writing had not yet published any explicit information relating to the impact to the NHS from Ryuk. Although there is no question that it presents a highly credible threat, Computer Weekly understands that there has not been any significant escalation in attacks in the UK at the time of writing.

An NHS Digital spokesperson said: “We are aware of escalating activity against the US health sector and we are monitoring the situation in England in partnership with colleagues in the National Cyber Security Centre.”

Further guidance on mitigating malware and ransomware attacks is available from the National Cyber Security Centre (NCSC), which also has more specific guidance on Ryuk itself.

An NCSC spokesperson said: “Cyber security is a global issue that requires a collaborative international effort to make us the hardest possible target for our adversaries.

“The NCSC is committed to protecting our most critical assets and the health sector is a top priority.

“Ransomware is a significant cyber risk and we continue to work closely with government and the NHS to ensure that we are taking all available measures to counter the threat.”

Besides keeping safe, offline backups of critical data, taking steps to defend systems from malware, and bearing in mind that paying a ransom guarantees nothing, the NCSC’s advice on mitigating the impact of Ryuk and other ransomwares is to: keep devices and networks patched and up to date; maintain up-to-date allow and deny lists for applications to stop malicious programs running; use antivirus software and consider use of a cloud-backed product for up-to-date analysis and intelligence; use URL reputation services to detect malicious websites; implement network segmentation to limit opportunities for lateral movement and keep critical assets separate; protect the management interfaces of critical operational systems; set up monitoring services; refresh and review incident management policy; and layer phishing defences, treating staff as the first line of defence.

Cybereason’s Curry said there were no more excuses for healthcare organisations not to protect themselves.

“It’s time to practise cyber hygiene alongside medical hygiene,” he said. “Plan to be resilient, so you can spring back from any damage. If healthcare computer networks are taken offline, patient care will be stalled and lives could literally be at stake. While no wide-scale ransomware attacks have so far been confirmed, the potential risks are real as healthcare providers are part of the country’s critical infrastructure.

“Cyber terrorists are raising the bar and the ability of healthcare providers to defend against these possible ransomware attacks could be a matter of life and death.”