FBI

FBI warns of Ryuk ransomware attack on hospitals, healthcare providers this weekend

Oct 30, 2020

Multiple federal agencies issued a public cybersecurity advisory yesterday about an imminent ransomware attack against the healthcare and public health sector this weekend. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have credible information suggesting an Eastern European threat group plans to launch a widespread Ryuk ransomware attack.

CISA, the FBI, and HHS have issued a joint cybersecurity advisorydescribing the tactics, techniques, and procedures (TTPs) used by cybercriminals to infect systems with Ryuk ransomware. Ryuk is typically activated after a precursor form of malware (like Trickbot) is on a computer system, and that malware drops in the encryption malware. Mandiant Threat Intelligence has posted an excellent article describing the precursor email campaigns that lead to post-compromise deployment of ransomware and has posted IOCs associated with the threat actors believed to be responsible for this current threat. 

CISA, the FBI, and HHS have recommended that hospitals and healthcare systems implement the following measures as soon as possible:

  • Establish and practice out of band, non VoIP, communications
  • Rehearse IT lockdown protocol and process, including practicing backups 
  • Ensure backup of medical records, including electronic records, and have a 321-backup strategy – have hard copy or remote backup or both 
  • Expedite patching response plan within 24 hours
  • Prepare to maintain continuity of operations if attacked 
  • Review plans within the next 24 hours should you be hit 
  • Check that your anti-virus and endpoint detection and response (EDR) are running; a stopped state may indicate compromise
  • Power down IT where not used 
  • Consider limiting use of personal email 
  • Be prepared to reroute patients 
  • Ensure proper staffing for continuity 
  • Know how to contact federal authorities when phones are down, or email has been wiped 
  • Consider limiting/powering down non-essential internet facing IT services 
  • Limit personal email services 
  • Be prepared to re-route patients if patient care is disrupted due to IT outage 
  • Ensure sufficient staffing to maintain continuity of operations with disrupted IT networks 
  • Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center at 855-292-3937 
The full Cybersecurity Advisory provides technical details, indicators of compromise (IOCs) for Trickbot, Ryuk attack techniques under the MITRE ATT&CK framework, and significantly more detail about mitigation.