A Russian-speaking ransomware group has begun targeting hospitals in the United States, according to a joint statement by three federal agencies. The statement says that Trickbot malware with a Ryuk ransomware payload locks up machines until the hospitals pay a ransom exceeding $1 million.
The three agencies are the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the Department of Health and Human Services. According to the statement, the attacks started on October 26, 2020.
“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” the statement says. “CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
The malware attacks also include data theft and the disruption of healthcare services, and appear to be timed to take advantage of the disruptions caused by the Covid-19 pandemic. The malware is launched when employees click on an infected link. Those links arrive in messages that look like internal communications and carry attachments in the form of Google Docs or PDF files.
“The ominous alert of impending destructive cyberattacks against hospitals is a credible threat and should be taken seriously,” said Tom Kellermann, head of cybersecurity strategy at VMware Carbon Black. “The Russian cybercrime cartel who developed and distributed Trickbot and Ryuk appear to be retaliating against the recent NSA and Microsoft take down of portions of their e-crime infrastructure. This is cyber payback and could mean a matter of life or death amid the pandemic if critical hospital systems are disrupted or destroyed, interrupting patient care.”
Generally, ransomware attackers avoid actions that could lead to a loss of life, but in this case the risk appears to be intentional. The apparent reasoning is that such a threat will produce bigger payouts, paid more quickly. One death in Germany has already been attributed to such an attack.
What you can do now
While there are several steps that hospitals and other organizations can take in the long term to protect against malware attacks, there are a few actions they can take now.
· Instruct everyone on your email system not to click on any link, no matter how innocent it may look. This goes beyond the usual cautioning about suspicious links because the malware is being distributed in ways that don’t appear suspicious. These phishing attacks may appear in text messages or video conferences in addition to email.
· Make sure all systems are up to date and have current patches.
· Scan your backups for latent malware. One favorite method of attack is to set the malware so that it waits for a period of time to make sure it’s backed up before it executes.
· Where possible, change your network security settings to filter out active links in emails and to strip attachments from emails.
· Where possible, disconnect critical systems from the organization’s network. The air gap approach doesn’t always work, but it can slow the spread of malware. This is especially critical for older equipment that may have vulnerabilities that can’t be patched.
Longer-term fixes
Some approaches that will help battle malware and ransomware in the future should also be implemented, even though they can’t be done immediately.
· Implement a rapid response plan and train a rapid response team to deal with ransomware when it does appear.
· Use micro-segmentation and zero-trust concepts to help prevent malware from spreading.
· Implement multi-factor authentication to protect against credential theft and malware entry into your network.
· Implement a continuity of operations plan, including off-site storage and remote storage of backup data.
· Develop an IT lockdown plan, then rehearse it frequently.
While none of these steps can prevent a ransomware attack, they can minimize the damage and speed recovery. In addition, it’s critical that you rehearse these steps along with your other business continuity and recovery steps. It is possible to recover from such an attack quickly, but only if you’re prepared.