Recently, the FBI, HHS, and CISA jointly reported on an imminent threat to healthcare organizations surrounding the Ryuk variant of ransomware. The agencies claimed that attackers are planning on a more coordinated approach to impact the healthcare infrastructure. Similarly, GreyCastle Security has seen an increased number of this specific type of infection over the past month or two. We have been working closely with clients to identify and remediate related issues.
While the federal agencies specifically highlighted healthcare, this type of infection does not only target healthcare. All organizations that run on Windows systems are at risk. We have observed cases in nearly all industries.
The good news – organizations can actually proactively determine whether they are at greater risk for this specific type of infection, due to the underlying infections that will be present in an organization or institution that will result in the Ryuk variant of ransomware.
Read below for more information on the attack vector as well as detection, response, and best practices for prevention.
- Attackers will initially gain entry into a network via phishing. Specifically, attackers will send phishing emails via one of two methods:
- An encrypted ZIP. Specifically, the attacker will say in the email, "The password to the attachment is 1234" (or something similar).
- A macro-embedded Word Document. The Document will display an image or text saying, "This document is encrypted. Please enable macros to view the content" (or something similar).
- If the victim executes the attachments above, they will become infected with one of a couple of different infections, including Emotet, Ursnif, or just straight Cobalt Strike.
- Subsequently, attackers will begin laterally moving to systems in an attempt to propagate malicious software, typically banking trojans, to any accessible and Windows-based system. They perform this by harvesting the credentials of privileged users (e.g. domain administrators) or privilege abuse (e.g. all domain users are local administrators). In more rare cases, they will exploit vulnerabilities such as MS17-010 (EternalBlue).
- Between 2 hours and 2 years (this depends on different factors), attackers will deploy ransomware, typically in the form of the variant Ryuk. This time delay is how organizations can actually determine whether they may be at higher risk for this ransomware.
- Assuming an organization has not yet been impacted by this specific variant of ransomware, they can take steps to validate whether they may become impacted. Below is a list of "things to look for" on endpoints within their environment. This list is intentionally user-friendly for IT staff. No additional technology is needed to perform these tasks:
- Look for PowerShell execution. Specifically, the script may be a base64 encoded, and further, G-Zip compressed, and XOR encrypted. Identification of this can be manually completed by viewing the Windows PowerShell event log. This may also be installed as a service or Autorun. The names of this will be random (e.g. eFGKGIdsj84).
- Look for Scheduled Tasks which are unknown/not normal. For example, we have observed random characters, as well as random words (e.g. Save windows tool). They will point to the Windows or %appData% directory.
- Look for Autoruns. The key is HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce
- Aggregation of logs to a centralized system will make this detection process easier.
- There have been releases of IOCs (IPs, hashes, etc.). Although these can be useful, take these with a grain of salt. These underlying infections will continuously change IOCs.
- Ryuk ransomware typically has higher ransom demands ($500,000+). There is no free decryption method.
- Backups are key to restoring data.
- Don't assume that the incident is over once data is restored. An impacted organization will likely have an underlying infection that is still present.
Prevention Best Practices
- Patching/hardening systems
- Gain visibility into your endpoints
- Blocking foreign IP addresses (if possible)
Want more information? Email GreyCastle Security at email@example.com or give us a call at (518) 274-7233. If you believe you are experiencing a security incident, call our incident response hotline immediately: (800) 403-8350.