Over the past couple of weeks, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint advisory alert notifying security teams about a string of Conti, TrickBot, BazarLoader, and Ryuk ransomware attacks. That left three days to prepare defenses, update toolsets, and be ready for constant monitoring against varied and sophisticated attacks during the weekend. Threat actors usually target off-hours and weekends in hopes of catching businesses while they are sleeping. Ensure your company has implemented sophisticated cybersecurity technologies and 24/7 monitoring, which will be crucial in defending against these types of ever-changing attacks.
Threat actors continue to become more sophisticated in their attacks, and many of them run their operations just like a business. When they have a successful month ransoming hospitals or other industries, they reinvest capital back into the development of their toolset to make it harder to detect and easier to spread. Many threat actors favor one industry over another based on the common technologies deployed across the industry, as well as the potential profitability of ransomware in one industry versus the next. This rise in sophistication means keeping a constant eye on the latest vulnerabilities and dark web chatter, and constantly updating the endpoint detection tools that alert on and stop new attack techniques at a moment’s notice.
As threat actors become more sophisticated, companies must meet this level of sophistication internally. When an organization is under attack, the steps taken are critical. One way to stay ahead of the curve is to partner with a professional cybersecurity firm that is supported by a 24/7 Security Operations Center (SOC). The SOC must have highly certified cybersecurity talent that constantly threat hunts for these threat actors and always watches for new emerging threats and data published on threat actors’ dark web blogs. Cybersecurity engineers should also have direct communication with the FBI or U.S. Secret Service (USSS), as well as varied, reliable open-source data points, to stay up to date with any emerging cybersecurity situations.
These established relationships with the FBI, Secret Service, and other security reporting lines are significant because collaboration between industry practitioners and the federal government enhances the overall security posture. Industry notifications can help save an organization from catastrophic business disruption, negative brand reputation, and significant loss of revenue from an attack.
Many times, organizations think being attacked once means they will no longer be a target. This is false. Statistically, organizations are at a much higher risk of being attacked again after a ransomware attack has already occurred, especially if the ransom was paid. Threat actors constantly look for other avenues to attack the same organization and many times leave the original malware, such as Dridex, Emotet, and TrickBot variants, within the environment to assist in a future attack. This is a repeated pattern and trend for well-known threat actors. They do this for various reasons. Sometimes it is to prove a point when the ransoms are not paid, and they will return with devastating results and more destructive techniques. This highlights the need to conduct a thorough investigation after these incidents, rather than simply “recover” from backups that are still infected with the original malware.
When dealing with these constantly growing and changing threats, new vulnerabilities announced daily, and adversaries constantly advancing their technology and processes, it is vital to implement a strong defensive strategy. It doesn’t stop there, though: you must test the plan and re-evaluate the numerous lessons learned from tabletop exercises. The value comes from being able to quickly make this information actionable and implement it within your Incident Response Plan. As threat actors get better, we have no choice but to outmaneuver our adversaries and get better ourselves.
©2024 SpearTip, LLC. All rights reserved.