Responding to Ryuk: Healthcare and the Ransomware Threat
Through the second half of 2020, multiple health and hospital systems fell victim to Ryuk ransomware attacks. Affected hospitals were forced to switch to paper records because they lost access to any electronic records that were not securely backed up. When patient data is compromised, so is patient care. Attackers know this: they understand both the sensitivity of the information that healthcare providers keep and the critical, time-sensitive nature of patient care. That makes healthcare providers a high-value target for ransomware operators, and it makes it crucial that hospitals act now to harden themselves against the threat.
What is Ryuk ransomware?
Ryuk is a strain of ransomware first discovered in August of 2018 that is used in targeted attacks against businesses, hospitals, and government institutions. A recent report estimated that Ryuk is responsible for a third of the ransomware activity in Q3 2020, indicating a massive spike in attacks from just the year before. Even after a takedown of a Trickbot botnet in October, Ryuk is as prevalent as ever. It has shifted to using malicious Google documents to spread instead of leaning so heavily on Trickbot. Later in October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint report, discussing the threat that ransomware poses to the healthcare sector, and the report was updated in November to note that some healthcare providers have gone from initial compromise to active ransomware in just a few hours.
A Ryuk attack is a multi-stage intrusion rather than a single piece of malware. A user downloads the initial payload, most commonly by clicking a link in a malicious Google document. The link purports to enable content in the document but instead downloads a dropper, which in turn downloads and executes the malware on the machine. With that foothold, Ryuk immediately establishes persistence by creating a new autorun registry key and attempts to disable local defenses. The malware then elevates privileges and uses process injection to evade detection. At that point it identifies files on the infected machine and begins to encrypt them. While the encryption continues, it hunts through the network for exposed file shares to attack, which means that any backup reachable as a writable share from an infected host is in scope for encryption as well.
In a Ryuk ransomware attack, both the lives and the personal information of patients are at risk. The good news is, healthcare organizations can take steps to safeguard themselves.
The importance of adversarial simulation for healthcare cybersecurity
When trying to safeguard a healthcare business against the threat of Ryuk ransomware, knowledge is power. Are your security controls working? Can you detect anomalous activity? How vulnerable is your business to attack? Those are the crucial questions, and adversarial simulation can help answer all three.
Ryuk’s first foothold in a network comes when a pretext, such as a phishing email, leads an employee to open a malicious document and download malware. To combat that threat you need employee security training, but you also need security testing that measures your staff’s level of awareness and shows where to focus that training for the most impact. Adversarial simulation tests security at the human level: a controlled phishing campaign, run as part of the simulation, shows how likely employees are to act on a suspicious email and thus let a Ryuk dropper onto the network. Knowing that, you can make informed decisions about how best to focus user awareness efforts.
Behind the front lines, a well-trained internal security team is often the difference between a business that can effectively repel or respond to a malware attack and one that cannot.
Since Ryuk can go from initial compromise to ransomed data in a matter of days or even hours, detection time is of the essence. Knowing that your detection is working as intended can help you if an employee does fall for a lure. It is critical to identify and remove the malware from your network before the attackers can steal sensitive information and encrypt systems with Ryuk. In a purple team engagement with Security Compass, our experts will work with your security team to educate them on Ryuk’s tactics, techniques, and procedures, and see whether the controls in place can detect or prevent those attacks. Thus, your business will have actionable knowledge about how to detect Ryuk activity and what may need to be put in place to strengthen those logging, detection, and prevention capabilities.
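The behaviour chain described earlier (a document-launched dropper, an autorun key for persistence, tampering with local defenses, process injection, and share hunting over SMB) is also the sequence a detection engineer would try to catch, and the purple-team question is whether your logging actually surfaces each stage. The following is an added example, not code from the original article or from Security Compass: it runs simple detection logic over constructed Sysmon-style events in JSON-lines form. The field names follow Sysmon’s schema, but the hosts, paths, addresses, indicator strings and thresholds are assumptions chosen for the demonstration, not Ryuk-specific indicators of compromise.

```python
"""Detection logic for the Ryuk-style behaviour chain, run over constructed
Sysmon-style events. Added example, not code from the original article or from
Security Compass; indicator strings and thresholds are assumptions."""
import json
from collections import defaultdict

# Constructed sample telemetry (JSON lines). Field names follow Sysmon's schema
# (EventID 1 = process create, 3 = network connection, 8 = CreateRemoteThread,
# 13 = registry value set); the hosts, users, paths and addresses are invented.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Host": "WS01", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "report.exe"}
{"EventID": 13, "Host": "WS01", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe"}
{"EventID": 1, "Host": "WS01", "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe", "CommandLine": "net stop \"Windows Defender Antivirus Service\""}
{"EventID": 8, "Host": "WS01", "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.exe", "TargetImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "Host": "WS01", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.11", "DestinationPort": 445}
{"EventID": 3, "Host": "WS01", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.12", "DestinationPort": 445}
{"EventID": 3, "Host": "WS01", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.13", "DestinationPort": 445}
{"EventID": 1, "Host": "WS02", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 13, "Host": "WS02", "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 3, "Host": "WS02", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445}
"""

# Assumed, generic indicator lists for the demonstration (not Ryuk IOCs).
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")
TAMPER_VERBS = ("net stop", "sc stop", "sc config", "set-mppreference")
TAMPER_TARGETS = ("defender", "antivirus", "disablerealtimemonitoring")
SMB_FANOUT_THRESHOLD = 3  # distinct hosts contacted on TCP/445 by one process


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return {host: [alert, ...]} for every host that trips at least one rule."""
    alerts = defaultdict(list)
    smb_targets = defaultdict(set)  # (host, image) -> {destination ip}
    for e in events:
        host, eid = e["Host"], e["EventID"]
        image = e.get("Image", "").lower()
        if eid == 1:
            parent = e.get("ParentImage", "").lower()
            cmd = e.get("CommandLine", "").lower()
            # initial access: an Office process launching a binary from a user-writable path
            if parent.endswith(OFFICE_APPS) and any(d in image for d in USER_WRITABLE):
                alerts[host].append("office_spawned_dropper")
            # defence evasion: stopping or reconfiguring the AV service
            if any(v in cmd for v in TAMPER_VERBS) and any(t in cmd for t in TAMPER_TARGETS):
                alerts[host].append("defense_tampering")
        elif eid == 13:
            target = e.get("TargetObject", "").lower()
            # persistence: a Run key written by something outside trusted install paths
            if "\\currentversion\\run\\" in target and not image.startswith(TRUSTED_DIRS):
                alerts[host].append("autorun_persistence")
        elif eid == 8:
            source = e.get("SourceImage", "").lower()
            # process injection: CreateRemoteThread from an untrusted image
            if not source.startswith(TRUSTED_DIRS):
                alerts[host].append("remote_thread_injection")
        elif eid == 3 and e.get("DestinationPort") == 445:
            smb_targets[(host, image)].add(e["DestinationIp"])
    # share hunting: one process fanning out to many SMB hosts
    for (host, image), ips in smb_targets.items():
        if len(ips) >= SMB_FANOUT_THRESHOLD:
            alerts[host].append("smb_share_fanout")
    return dict(alerts)


def hosts_to_isolate(alerts, min_stages=3):
    """Hosts showing several distinct stages of the chain, not just one noisy signal."""
    return sorted(h for h, a in alerts.items() if len(set(a)) >= min_stages)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for host, names in found.items():
        print(host, names)
    print("isolate:", hosts_to_isolate(found))
```

The value is in the correlation, not in any single rule: each signal fires on benign activity now and then (installers write Run keys, admins stop services), but a host that trips three or more distinct stages in a short window is worth isolating first and investigating second. The path-based allowlist in TRUSTED_DIRS is a convenience for the example; an attacker who can write into those directories defeats it, so production rules should lean on signed-image checks and parent/child lineage as well.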
It is also crucial to test your business’s incident response against the worst case: Ryuk spreading across the network and cutting off access to live copies of sensitive patient information. In that scenario, do you know that your backups are taken as frequently as they need to be, that at least one copy is kept where an infected host cannot reach it, and that you can restore from them quickly? Especially when lives are on the line, a healthcare provider cannot assume that backup procedures will work; they have to be exercised.
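One way to turn that question into a routine check, as an added example that is not part of the original article or of Security Compass’s services: a restore drill that reads a backup set’s manifest, compares its age against a recovery point objective, restores every file into a scratch directory and verifies each restored copy against the hash recorded when the set was taken. The manifest layout, the four-hour RPO and the sample files are assumptions made for the demonstration. The third scenario shows why the hash check matters: it overwrites one backed-up file the way an encryptor that reached the backup share would, and the drill catches it even though the backup is fresh.

```python
"""Backup freshness and restore drill. Added example, not code from the
original article or from Security Compass; the manifest format, the RPO and
the sample files are assumptions made for the demonstration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MANIFEST = "manifest.json"
RPO = timedelta(hours=4)  # assumed recovery point objective for this example


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_backup_set(root, files, taken_at):
    """Write files ({relative path: bytes}) under root plus a manifest recording
    when the set was taken and the SHA-256 of every file at that time."""
    digests = {}
    for rel, data in files.items():
        dest = os.path.join(root, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as f:
            f.write(data)
        digests[rel] = sha256_of(dest)
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump({"taken_at": taken_at.isoformat(), "files": digests}, f)


def restore_drill(root, restore_to, max_age, now):
    """Restore the set into restore_to and verify it. Reports the backup's age,
    whether it meets max_age, every file that is missing or fails its hash,
    and an overall pass/fail."""
    with open(os.path.join(root, MANIFEST)) as f:
        manifest = json.load(f)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    failed = []
    for rel, expected in manifest["files"].items():
        src, dst = os.path.join(root, rel), os.path.join(restore_to, rel)
        if not os.path.exists(src):
            failed.append(rel)
            continue
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_of(dst) != expected:  # verify the restored copy, not the source
            failed.append(rel)
    fresh = age <= max_age
    return {"age_seconds": int(age.total_seconds()), "fresh": fresh,
            "failed": failed, "passed": fresh and not failed}


# Constructed sample data; not real patient records.
SAMPLE_FILES = {
    "patients/notes.txt": b"Ward 3 handover notes (constructed sample)\n",
    "patients/meds.csv": b"patient_id,drug,dose\n1001,amoxicillin,500mg\n",
}


def run_scenarios(now=datetime(2020, 11, 1, 12, 0, tzinfo=timezone.utc)):
    """Drill three backup sets: fresh and intact, stale, and reached by an encryptor."""
    work = tempfile.mkdtemp()
    results = {}
    try:
        good = os.path.join(work, "good")
        write_backup_set(good, SAMPLE_FILES, now - timedelta(hours=1))
        results["good"] = restore_drill(good, os.path.join(work, "r_good"), RPO, now)

        stale = os.path.join(work, "stale")
        write_backup_set(stale, SAMPLE_FILES, now - timedelta(days=3))
        results["stale"] = restore_drill(stale, os.path.join(work, "r_stale"), RPO, now)

        ransomed = os.path.join(work, "ransomed")
        write_backup_set(ransomed, SAMPLE_FILES, now - timedelta(hours=1))
        # simulate ransomware that reached the backup share after the set was
        # taken: one file is overwritten with ciphertext-like bytes
        with open(os.path.join(ransomed, "patients/notes.txt"), "wb") as f:
            f.write(os.urandom(64))
        results["ransomed"] = restore_drill(ransomed, os.path.join(work, "r_ransomed"), RPO, now)
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

A drill like this belongs on a schedule, not in a runbook that is only opened during an incident. And because a backup share that an infected workstation can write to is itself a target for the share-hunting stage, the copy the drill restores from should be one that no domain workstation can reach; the manifest hashes are what tell you whether that copy is still the one you took.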
Learn more about protecting your healthcare business
Security Compass’s industry-leading team of security experts has the experience and expertise to help you protect your healthcare business. Our adversarial simulation, as well as our detailed and professionally designed reporting, will help you understand your security posture, know the true strength of your defenses, and empower you to make the right decisions to lower your risk of Ryuk ransomware. Learn more about Security Compass’s adversarial simulation services, and contact us if you have any questions or would like to discuss your needs in detail.