Malicious cyber actors are targeting the health cares sector with TrickBot and BazarLoader malware. This is resulting in ransomware attacks, data theft, and the disruption of critical healthcare services. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.
What is TrickBot?
What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.
What is Ryuk Ransomware?
Typically Ryuk has been deployed as a payload from banking Trojans such as TrickBot. Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018.
Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the
HERMES tag but, in some infections, the files have
.ryk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.
Ryuk uses the ATT&CK techniques listed in table 1.
|Enterprise||T1134||Access Token Manipulation||Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.|
|Enterprise||T1547||0.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|Enterprise||T1059||0.003||Command and Scripting Interpreter: Windows Command Shell|
|Enterprise||T1486||Data Encrypted for Impact||Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.|
|Enterprise||T1083||File and Directory Discovery||Ryuk has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.|
|Enterprise||T1562||0.001||Impair Defenses: Disable or Modify Tools|
|Enterprise||T1490||Inhibit System Recovery||Ryuk has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.|
|Enterprise||T1036||0.005||Masquerading: Match Legitimate Name or Location|
|Enterprise||T1106||Native API||Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.|
|Enterprise||T1057||Process Discovery||Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.|
|Enterprise||T1055||Process Injection||Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.|
|Enterprise||T1489||Service Stop||Ryuk has called kill.bat for stopping services, disabling services and killing processes.|
|Enterprise||T1016||System Network Configuration Discovery||Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.|
Network Security Best Practices
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version for organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets such as patient database servers, medical records, and teleheatlh and telework infrastructure; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
Ransomware Best Practices
- Regularly back up data, air gap, and password protect backup copies offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
User Security Awareness Training Best Practices
- Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.