NuHarbor Security Blog
January 13, 2021

Ryuk Ransomware and Healthcare: What You Need to Know

NuHarbor Security
What Is Ryuk?

Ryuk is a relatively new strain of ransomware that was first seen in August 2018. It is mainly used in targeted ransomware attacks against vulnerable organizations, such as hospitals that cannot afford any system downtime, to create maximum disruption and increase the likelihood of a ransom payout. Ryuk attacks are often highly coordinated and involve a great deal of internal reconnaissance. They typically use malware droppers such as TrickBot or Emotet to spread quickly through a network. This allows Ryuk operators to map out the network, identify and infect high-value targets, and then drop the ransomware onto those systems.

Ryuk's impact is not limited to file encryption. Recently, cybersecurity researchers have seen a trend in which sensitive data is exfiltrated and additional systems are compromised before Ryuk is deployed, leading to complicated and expensive remediation efforts. If Ryuk and the dropper malware are not 100% removed from a network after an attack, ransomware operators can reactivate the malware and re-encrypt machines during or after remediation. Ransomware attacks can take weeks and even months to fully resolve, and Ryuk specifically targets critical infrastructure that cannot tolerate extended downtime.

How Has Ryuk Impacted Healthcare?

Ryuk operators target healthcare organizations for several reasons. Healthcare environments often contain many legacy machines that run critical services and technology (e.g., patient scheduling systems and aged diagnostic devices). These legacy systems can be easily compromised and used to spread the malware throughout the network. System downtime could degrade patient care and even cause deaths, which allows Ryuk operators to charge higher ransoms and increases the chance of actual payment.

On October 28, 2020, a CISA alert was issued, warning of imminent and credible threats of Ryuk ransomware attacks against healthcare targets. Immediately following the alert, dozens of hospitals and healthcare organizations across the U.S. suffered from Ryuk ransomware attacks. As the U.S. continues to fight the global COVID-19 pandemic, healthcare organizations must be ready to defend against such attacks.

Methods to Protect Healthcare Infrastructure From Ryuk Attacks

Ryuk has several different attack vectors because of the different dropping techniques used. Still, there are effective mitigation strategies that reduce the chances of a successful Ryuk attack and limit the scope and downtime if one does succeed.

Secure RDP Services

Compromise of Remote Desktop Protocol (RDP) services is one of the most common attack vectors used in a Ryuk ransomware attack. Attackers brute-force RDP logins or obtain credentials through phishing and credential dumps, then use the compromised RDP services to drop Ryuk onto systems. To mitigate this threat, RDP should be disabled on all machines that do not need the service running. This minimizes the exposed attack surface and can reduce the scope of a potential Ryuk attack. If RDP is necessary on a system, use multifactor authentication to prevent attackers from using compromised RDP credentials and to significantly reduce the effectiveness of brute-force attacks.
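One way to put the "disable RDP where it is not needed" check into practice, as an added example that is not part of the original post: audit a set of Windows hosts for RDP exposure, disable RDP on any host that is not on an approved list, and flag approved hosts that still accept connections without Network Level Authentication. The host names and the approved list are constructed placeholders; MFA itself is enforced by the organization's identity provider or RD Gateway, which this script does not configure.

```powershell
# Added example (not NuHarbor's code): RDP exposure audit and cleanup.
# Assumes WinRM/PowerShell Remoting is enabled on the target hosts.
$AllowedRdpHosts = @('JUMP-01', 'TS-SCHED-01')                # assumed: hosts that legitimately need RDP
$Targets         = @('WS-RAD-07', 'JUMP-01', 'SRV-PACS-02')   # constructed host names

# Runs on each remote host and reports the three settings that decide whether RDP is reachable.
$Audit = {
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp  = "$ts\WinStations\RDP-Tcp"
    # fDenyTSConnections = 1 means RDP is disabled; 0 (or missing) means it accepts connections.
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required before a session is created.
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    # Any enabled inbound rule in the built-in 'Remote Desktop' group means the firewall lets RDP through.
    $fw   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
    [pscustomobject]@{
        Host         = $env:COMPUTERNAME
        RdpEnabled   = ($deny -ne 1)
        NlaRequired  = ($nla -eq 1)
        FirewallOpen = [bool]$fw
    }
}

$results = Invoke-Command -ComputerName $Targets -ScriptBlock $Audit

foreach ($r in $results) {
    if ($r.RdpEnabled -and ($r.Host -notin $AllowedRdpHosts)) {
        Write-Warning "$($r.Host): RDP enabled but not on the approved list; disabling RDP"
        Invoke-Command -ComputerName $r.Host -ScriptBlock {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                             -Name fDenyTSConnections -Value 1
            Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        }
    }
    elseif ($r.RdpEnabled -and -not $r.NlaRequired) {
        # Approved host, but it still builds a session before credentials are checked.
        Write-Warning "$($r.Host): approved RDP host is not requiring Network Level Authentication"
    }
}

$results | Format-Table Host, RdpEnabled, NlaRequired, FirewallOpen -AutoSize
```

Run it from a management host with credentials that are allowed to remote into the targets; the final table is the record to keep alongside the approved-host list so unexpected changes show up on the next run.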

Mitigate Phishing Attacks

Ransomware campaigns using Ryuk often start with a phishing attack that gives the attackers an initial entry point into a healthcare organization. Ensure that all employees are trained to identify phishing emails, and set policies that block macro-enabled documents and other executables. Do not leave upper-level employees and executives out of training; phishing attacks sometimes target senior management precisely because they often have not received cybersecurity awareness training. Employ email filtering to stop phishing attempts before they reach employees.
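The macro policy the section calls for can be expressed as Office policy registry values; the following is an added example, not NuHarbor's code, that applies the policy for Word, Excel and PowerPoint (Office 2016/2019/365 use the 16.0 policy path) and then reads it back to report any application still left in a weaker state. In production these same values are normally pushed through Group Policy rather than a script.

```powershell
# Added example (not NuHarbor's code): block macros and report non-compliant Office apps.
$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-MacroBlockPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings = 4: "Disable all macros without notification" (weak setting is 2 or 3: notify/prompt).
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
        # blockcontentexecutionfrominternet = 1: block macros in files carrying Mark of the Web.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

function Get-MacroPolicyReport {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App            = $app
            VBAWarnings    = $p.VBAWarnings
            InternetBlock  = $p.blockcontentexecutionfrominternet
            # Compliant only when macros are fully disabled AND internet-sourced content is blocked.
            Compliant      = ($p.VBAWarnings -eq 4 -and $p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-MacroBlockPolicy
Get-MacroPolicyReport | Format-Table -AutoSize
```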

Maintain Secure Off-Site Backups

If a Ryuk attack is successful, having secure off-site backups can be the difference between a quick recovery with no data loss and having to rebuild the entire environment from scratch. Ryuk operators use TrickBot to identify on-site backups and then use Ryuk to encrypt them along with other systems, so on-site backups alone are not sufficient data protection. Regularly test backups to confirm both that backup jobs are completing and that you can quickly restore from the remote copies in the event of a Ryuk attack. Off-site backups can also be used to recover data after a disaster, potentially saving your organization millions of dollars.

Conclusion

Ryuk is extremely dangerous ransomware used by sophisticated threat actors, and it can take healthcare organizations out of action for weeks or even months. Proper mitigation techniques should be used to prevent Ryuk attacks from impacting healthcare infrastructure. NuHarbor Security offers a wide range of security solutions that can help you protect against ransomware attacks, from gap and risk assessments to 24×7 security monitoring. If you are interested in learning more, or simply want to chat with an expert, contact us today!

Further Reading

Securing Healthcare from Ransomware Attacks

8 Strategies for Secure Backups

Tactics, Techniques, and Procedures Related to COVID-19 Threats
