The Ryuk Bitcoin Ransomware Attack
Ambulances have been diverted and surgeries have been delayed. The Ryuk Bitcoin ransomware is a nationwide attack wreaking havoc on US hospitals. Institutions in California, Oregon, and New York were all attacked in a single day. The Ryuk Bitcoin ransomware attack freezes hospital records and disrupts critical day-to-day emergency response procedures. The attack can encrypt data on any hard drive it infiltrates. The Ryuk Bitcoin ransomware attack is responsible for 30 percent of global ransomware attacks this year.
The Ryuk Bitcoin Ransomware Attack, What We Know
A criminal organization called Wizard Spider, also known as UNC1878, is likely behind most of the attacks, say authorities. Charles Carmakal, senior vice president of the cyber response firm Mandiant, states that the group behind the Ryuk Bitcoin ransomware attack is “one of the most brazen, heartless, and disruptive” groups he has seen in his entire career.
Image by Bermix Studio
On Oct. 29, the FBI, Department of Homeland Security, and Department of Health and Human Services confirmed an “imminent and credible” threat and advised hospitals to take measures to secure their systems. The New York Times reported leaked communications from Wizard Spider, intercepted by Hold Security. “We expect panic,” said one hacker, commenting on the potential impact of the mass strike on U.S. hospitals during the ongoing healthcare crisis and presidential elections.
Photo by engin akyurt
How to Protect Against The Ryuk Bitcoin ransomware
On Wednesday, October 28, the FBI and the U.S. Department of Homeland Security held a conference call with industry executives in the healthcare arena. They warned the executives of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” The call was meant to alert healthcare providers so they could take immediate action to defend against such attacks. According to one participant, though, it offered very little on how to protect against this threat actor or the purported malware campaign. One possible mitigation approach follows.
Protecting any particular hospital against this threat is not straightforward. Of course, patching, updating, and backing up are obvious measures to take. The problem is that the Ryuk group uses unique malware infrastructure for each victim it attacks. Mandiant, a cybersecurity incident response team, refers to the Ryuk group as “UNC1878.” Mandiant aired a webcast detailing some of the group's recent methods of exploitation. It also released a list of domains and IP addresses used by Ryuk in earlier attacks.
NCSC security advisory on Ryuk Bitcoin ransomware
There is both good news and bad news in the NCSC's Ryuk ransomware security advisory. The bad news is:
- The Ryuk Bitcoin ransomware can hide — It can be days to months after the actual point of infection before the IT team observes it. This gives the bad actor the time needed to conduct reconnaissance of the network. During that reconnaissance they identify, and then target, critical systems, which helps ensure greater impact from the attack.
And now for the good news:
- It’s possible to short-circuit the attack — The threat can be mitigated if the infection is detected and remedied before the Ryuk ransomware is deployed. The key is to detect the malware before it distributes a trojan, and before the trojan deploys additional post-exploitation tools.
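The advisories above stress catching the infection during its quiet phase, and Mandiant and the NCSC published domains and IP addresses seen in earlier Ryuk intrusions. As an added example (not code from the article, Mandiant or the NCSC), the Python below matches constructed DNS and connection log lines against placeholder indicators and estimates how long each host had been talking to listed infrastructure before anyone looked; the indicator values and log format are assumptions made for the example.

```python
import ipaddress
from datetime import datetime

# Placeholder indicators (constructed). A real list would be taken from the
# Mandiant or NCSC advisories the article refers to, not from this example.
IOC_DOMAINS = {"bad-example.invalid", "c2.example.test"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed

# Constructed log lines: "<ISO timestamp> <host> <dns|conn> <value>"
SAMPLE_LOG = """\
2020-09-02T08:15:00 ws-042 dns update.bad-example.invalid
2020-09-02T08:15:01 ws-042 conn 203.0.113.77
2020-10-01T12:00:00 srv-db1 dns files.example.org
2020-10-28T23:10:42 srv-db1 conn 203.0.113.9
2020-10-29T01:00:00 ws-017 dns c2.example.test.
"""

def domain_matches(name, ioc_domains):
    """True if name equals a listed domain or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    # Walk from the full name up to the registrable parent, e.g. a.b.c -> b.c
    return any(".".join(labels[i:]) in ioc_domains for i in range(len(labels) - 1))

def ip_matches(value, ioc_networks):
    """True if value is an IP address inside one of the listed networks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in ioc_networks)

def scan(log_text, ioc_domains=IOC_DOMAINS, ioc_networks=IOC_NETWORKS):
    """Return {host: (earliest_hit_timestamp, [matched values])} for hosts with hits."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, value = line.split()
        matched = (domain_matches(value, ioc_domains) if kind == "dns"
                   else ip_matches(value, ioc_networks))
        if matched:
            first, values = hits.get(host, (ts, []))
            hits[host] = (min(first, ts), values + [value])  # ISO strings sort by time
    return hits

def dwell_days(first_hit_ts, observed_ts):
    """Whole days between the earliest indicator sighting and when the team noticed."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    return (datetime.strptime(observed_ts, fmt) - datetime.strptime(first_hit_ts, fmt)).days
```

Run against real DNS and proxy exports, the earliest hit per host is the number to act on: it bounds how long the actor may already have been inside, which is exactly the window the advisory says must be closed before the ransomware stage.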
Possible way to detect and mitigate the Ryuk Bitcoin ransomware attack
CrowdStrike, the company behind the Falcon platform, claims that its solution can detect and prevent Ryuk. The platform detects behavioral patterns associated with the malware, and CrowdStrike incorporates machine learning techniques to provide additional protection against the malware family. A free trial is available here.
Technical details and Indicators of Compromise (IOCs) are available for download and viewing in the NCSC Advisory, Ryuk ransomware targeting organisations globally. By the time the Ryuk ransom note is displayed, it is too late. Following is one version of the note:
Subsequent versions of the ransom note do not contain the BTC address; they include only an email address from which to obtain it. The BTC ransom amount varies significantly and is apparently set according to the value of the infected enterprise. Past demands have ranged from a low of 1.7 BTC to a high of 99 BTC.
Featured Image by Michael Geiger