Post by Kobi Rubin, VP of Data and Analytics & Jamison Utter, Director of Product Evangelism.
On October 28, 2020, the FBI, in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), published alert AA20-302A, which details a credible threat from cybercriminals working to directly target the Healthcare and Public Health Sector, leveraging the Trickbot malware family to launch the Ryuk ransomware.
Ransomware poses a serious threat to clinical environments, as we saw in the attack suffered by Düsseldorf University Hospital in Germany. In fact, 40% of hospitals report being affected by WannaCry. The implications for healthcare go much further than typical IT equipment: medical device behavior, reporting, and sometimes even the devices themselves may be altered, rendered inoperable, or, worse, made to work erratically.
In some cases, ransomware may affect the system managers, monitoring stations, or gateways that translate traffic and in other cases the ransomware may affect the devices themselves by damaging or infecting them.
It is critical that Healthcare and Public Health Sector organizations build robust and properly defended clinical environments that are as cyber-safe as they are physically clean and isolated. The Medigate Device Security Platform (MDSP) is an integral part of building an outcome-centric approach to securing clinical environments.
With the flurry of communications about the Ryuk threat over the last 24 hours, we wanted to make sure you know that your MDSP has tools and resources to help you implement the steps outlined by CISA to mitigate your risk.
Industry recommendations and MDSP responses:
1. Add all known IOCs (domains and IPs) suspected in Ryuk attacks to blacklists.
The MDSP will alert you on communications with malicious IPs associated with Ryuk attacks.
2. Disable unused remote access/Remote Desktop Protocol (RDP – port 3389) ports and unnecessary SMB communication (port 445) on systems whenever possible. Threat actors often gain initial access to a network through exposed and poorly secured remote services and use SMB to propagate malware across organizations.
The MDSP understands IoMT communications. With its advanced filtering capabilities, you can identify devices that are communicating externally and block those that are suspicious.
3. Keep your systems up to date with the latest patches available from vendors. Pay special attention to the Zerologon vulnerability (CVE-2020-1472): additional information suggests that at least one Ryuk ransomware gang is exploiting Zerologon for “lightning strikes.”
With the MDSP vulnerability mapping, you can identify any device with an alert notification so you know which devices to prioritize for patching.
4. Segment your network to contain risks – Consider segmenting and isolating potentially affected devices or critical devices to minimize the impact an exploit of one of the vulnerabilities could have on your data and operations.
The MDSP recommends clinically vetted segmentation policies, based on device type and function on the device page of the platform. You can use that information for microsegmenting your devices to best limit your risk exposure.
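As an added illustration of recommendations 1 and 2 above (example code written for this post, not part of the original or of the MDSP), here is a small Python checker that reads constructed flow records and flags destinations on a blocklist as well as RDP/SMB flows leaving the internal address ranges. The blocklist entries, the internal ranges and the sample flows are placeholders, not real Ryuk indicators or captured traffic.

```python
import ipaddress
from collections import namedtuple

# Placeholder blocklist (TEST-NET-3 addresses), NOT real Ryuk indicators;
# in practice this is fed from the CISA/vendor indicator list.
BLOCKLIST = {"203.0.113.10", "203.0.113.55"}
# Ports named in the advisory: RDP 3389 and SMB 445.
REMOTE_SERVICE_PORTS = {3389: "RDP", 445: "SMB"}
# RFC 1918 ranges; adjust to the clinical network's real address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = namedtuple("Flow", "src dst dport")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def classify(flow: Flow) -> list[str]:
    """Reasons a flow should be reviewed; an empty list means nothing to flag."""
    reasons = []
    if flow.dst in BLOCKLIST:
        reasons.append(f"destination {flow.dst} is on the blocklist")
    svc = REMOTE_SERVICE_PORTS.get(flow.dport)
    if svc and not is_internal(flow.dst):
        reasons.append(f"{svc} ({flow.dport}) to external host {flow.dst}")
    return reasons

def review(lines: list[str]) -> dict[str, list[str]]:
    """Parse 'src dst dport' lines and map flagged flows to their reasons."""
    findings = {}
    for line in lines:
        line = line.split("#")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        src, dst, dport = line.split()
        reasons = classify(Flow(src, dst, int(dport)))
        if reasons:
            findings[f"{src}->{dst}:{dport}"] = reasons
    return findings

# Constructed sample flows (not captured traffic); 198.51.100.7 is a TEST-NET-2 address.
SAMPLE = [
    "10.20.1.15 10.20.1.20 445      # SMB between internal hosts: not flagged",
    "10.20.1.15 198.51.100.7 3389   # RDP to an external host: flagged",
    "10.20.1.31 203.0.113.10 443    # blocklisted destination: flagged",
    "10.20.1.31 203.0.113.55 445    # blocklisted and external SMB: two reasons",
]

for key, why in review(SAMPLE).items():
    print(key, "=>", "; ".join(why))
```

Internal-to-internal SMB is deliberately not flagged here, since blocking it outright would break normal clinical workflows; that traffic is where the segmentation policies in recommendation 4 apply.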
We have consolidated some additional published resources about Ryuk for you and included them below to help simplify your research.
- Ransomware Activity Targeting the Healthcare and Public Health Sector
- National Cyber Security Center: Ryuk ransomware targeting organisations globally
- US-CERT Alert (TA18-201A) Emotet Malware
- Ryuk ransomware explained: A targeted, devastatingly effective attack
- Addressing Threats Like Ryuk via Trend Micro XDR
- Human-operated ransomware attacks: A preventable disaster
If you have any questions or would like additional help, contact us.