
Cybersecurity Threat Advisory 0060-20: Universal Health Services Infected with Ryuk Ransomware

Advisory Overview

Earlier this week, Universal Health Services (UHS) suffered a ransomware attack that took down data networks at multiple facilities across the United States. Systems were crippled, antivirus software was maliciously disabled, many patients had to be relocated, and medical professionals were forced to work with pen and paper. UHS is a Fortune 500 hospital and healthcare services provider with facilities in the US and the UK; it employs over 90,000 people and provides healthcare services to roughly 3.5 million patients per year. Ransomware attacks on large organizations are on the rise, and it is never too early to make sure your organization is prepared for such attacks.

Technical detail and additional information

What is the threat?

The ransomware used in this attack has not been officially confirmed but is suspected to be Ryuk, which first emerged in 2018 and was attributed to North Korean threat actors. A media source with information from a UHS employee claimed that files renamed during the attack carried the .ryk extension, which is the extension used by the Ryuk ransomware. Signs of the Emotet and TrickBot Trojans were rumored to have been found affecting UHS Inc. throughout the year, so the presence of Ryuk would not be surprising. In such a case, the malware would work in sequence, each stage assisting the next, ultimately allowing the Ryuk actors to gain access to a network, begin reconnaissance, gain admin privileges, and then deploy ransomware payloads on the network devices using PsExec and PowerShell Empire.
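The .ryk renaming described above is something a defender can alert on. The following is an added example, not part of the original advisory: it flags any host that renames several files to the .ryk extension within a short window. The pipe-delimited log format, host names, timestamps, threshold and window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-rename events (not incident data): time|host|old path|new path
SAMPLE_LOG = r"""
2020-01-01T02:14:01|WS-014|C:\Users\a\Q3 report.docx|C:\Users\a\Q3 report.docx.ryk
2020-01-01T02:14:02|WS-014|C:\Users\a\budget.xlsx|C:\Users\a\budget.xlsx.RYK
2020-01-01T02:14:03|FS-01|D:\share\old.txt|D:\share\old.txt.ryk
2020-01-01T02:14:04|WS-014|C:\Users\a\notes.txt|C:\Users\a\notes.txt.ryk
2020-01-01T02:14:06|WS-014|C:\Users\a\scan.pdf|C:\Users\a\scan.pdf.ryk
2020-01-01T02:20:30|FS-01|D:\share\a.txt|D:\share\a.txt.ryk
2020-01-01T02:31:10|FS-01|D:\share\b.txt|D:\share\b.txt.ryk
2020-01-01T02:31:15|WS-020|C:\tmp\draft.doc|C:\tmp\final.doc
"""

def parse_events(text):
    """Return a list of (timestamp, host, old_path, new_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the scan
        ts, host, old, new = parts
        events.append((datetime.fromisoformat(ts), host, old, new))
    return events

def detect_mass_rename(events, ext=".ryk", threshold=3,
                       window=timedelta(seconds=60)):
    """Return {host: first alert time} for hosts with at least `threshold`
    renames to `ext` inside a sliding time window."""
    recent = defaultdict(deque)   # per-host timestamps of matching renames
    alerts = {}
    for ts, host, old, new in sorted(events):
        # Count only files that newly gained the extension (case-insensitive).
        if not new.lower().endswith(ext) or old.lower().endswith(ext):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop renames that fell out of the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in detect_mass_rename(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: burst of .ryk renames at {when.isoformat()}")
```

A single .ryk rename, or a few spread over many minutes, stays below the threshold; the burst on one host is what triggers the alert.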

Why is this noteworthy?

Ransomware is a type of malware specifically designed to take over systems and encrypt system files and data, rendering them useless. A ransom demand is usually left in an obvious place on an infected system and will demand a specific amount of currency to decrypt the victim’s systems, files, and information so that the victim can resume business. Ransomware can be manually or remotely deployed by an attacker. Once an attacker has gained administrator-level privileges and traversed a network environment, they can manually run encryptors on targeted systems, deploy encryptors across the environment using Windows batch files, or deploy encryptors with the software deployment tools the victim organization already uses.

What is the exposure or risk?

Cybercriminals attacking organizations with ransomware are almost always operating with the motive of financial gain, as the name implies. Ransomware attacks can take some time and planning by the cybercriminals, who often work in groups and/or share information among themselves in order to facilitate an attack. Phishing email is the main technique that an attacker will use to gain a point of entry into an organization’s environment, usually by getting a user to click on an infected attachment or by leading the user to a malicious website where a malicious file can be downloaded surreptitiously to infect an initial target system. Another method of entry is to obtain a user’s email credentials and then send emails within the organization prompting recipients to open an attachment or click on a link.

What are the recommendations?

It is highly recommended that your organization maintain a healthy overall security posture by taking a layered security approach:

• Deploy advanced endpoint protection, such as SKOUT Endpoint Protection, throughout your environment in order to prevent ransomware pre-execution.
• Regularly scan externally facing systems for common ports and protocols.
• Vulnerability management, especially for systems that are external.
• Security awareness training focused on phishing campaign exercises.
• Email Protection as an added layer of security for your users’ inboxes.
• Multi-factor authentication (MFA) across the enterprise.
• Abide by the principle of least privilege and remove the capability for privileged accounts to be used for remote logon purposes.

References:

For more in-depth information about the recommendations, please visit the following links:

https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254
https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/amp/?__twitter_impression=true&s=09
https://www.wired.com/story/universal-health-services-ransomware-attack/

If you have any questions, please contact our Security Operations Center.