HHS HCCIC cybersecurity alert: New Ryuk ransomware quickly racking up damage
Since the first week of August, researchers have seen an uptick in a new ransomware strain similar to the notorious SamSam virus, warned the U.S. Department of Health and Human Services Healthcare Cybersecurity Communications and Integration Center in an alert.
Ryuk isn’t technically advanced, but the highly targeted, planned ransomware variant has several features that ensure its victims are hit hard, according to research from Check Point.
For example, after a computer is encrypted, Ryuk destroys its local encryption key and launches a batch (.bat) file that deletes volume shadow copies and backup files from the device, removing the usual recovery path. Officials said the malware is not like common ransomware distributed by mass spam campaigns and exploit kits.
Instead, Ryuk is exclusively used for tailored attacks, with an encryption scheme designed for small-scale operations. Even worse, officials said the hackers perform extensive network mapping, hacking and credential collection before every attack.
So far, the Ryuk operators have collected more than $640,000 in ransom payments, according to Bleeping Computer’s Catalin Cimpanu. And Check Point found some attackers demanding ransoms as high as 50 bitcoins (roughly $320,000 at the time).
“There is no doubt that the latest ransomware attacks seen over the past two weeks are by no means just a side-show but rather the main act,” Check Point researchers wrote. “Indeed, with ransom payments as high as those already paid, Ryuk is definitely hitting the right note among its audience, or rather its victims.”
HCCIC officials said the virus contains hybrid components of Bitpaymer and Hermes. Hermes has been linked to the North Korean hacking group Lazarus. North Korea, according to the Trump administration, was directly responsible for the May 2017 global WannaCry attack.
The group is known to focus on espionage, data theft and financial attacks.
Researchers are still determining how Ryuk spreads and infects its victims. But while they continue to analyze the malware, HCCIC officials recommend organizations block inbound SMB (TCP port 445) between internal computers at the host firewall. Where SMB access is genuinely needed, it should be allowed only from the specific IP addresses that require it.
Next, organizations should implement application blacklisting to block execution of vssadmin.exe, cmd.exe and powershell.exe, among others, officials said. Because those three binaries are also used by legitimate administration and scripts, such rules should be piloted in audit mode and scoped before they are enforced. File Integrity Monitoring should also be configured to alert on file creation in trusted locations, such as the System32 directory.
“This can also be used to monitor deletes, with an alert configured to fire on excessive deletes in a row,” officials added. Windows event logs should be monitored to detect any scheduled task creation events (Security event ID 4698), and registry auditing should be enabled to capture “any additions to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.”
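As an added example (not code from the HCCIC alert or from Check Point’s research), the following PowerShell script applies the recommendations above on a Windows 10 / Server 2016 or later host and then queries the Security log for the indicators they produce. The approved SMB peer addresses, the delete-burst threshold, the choice to start AppLocker in audit-only mode, and the function name Get-RyukIndicators are assumptions; tune them for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example implementing the HCCIC hardening and monitoring steps.
# Peer addresses, thresholds and AppLocker mode are assumptions.

# --- 1. SMB: block inbound TCP 445 except from hosts that need it -------
# Windows Firewall evaluates explicit Block rules before Allow rules, so the
# safe pattern is: make the profile default Block, disable the built-in SMB
# allow rules, then add one narrow Allow for the approved peers.
$smbPeers = @('10.10.0.5', '10.10.0.6')        # assumed file servers / DCs
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object Direction -eq 'Inbound' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'HCCIC: SMB-In from approved hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $smbPeers `
    -Action Allow -Profile Domain,Private | Out-Null

# --- 2. Application control: deny the binaries Ryuk's batch file relies on
# An AppLocker collection that contains only Deny rules blocks everything
# else, so the policy carries the standard default Allow rules as well.
# Deny beats Allow regardless of group, so denying cmd.exe/powershell.exe
# for Everyone also stops administrators: start in AuditOnly and review
# AppLocker events 8003 ("would have been blocked") before enforcing.
# SysWOW64 copies and pwsh.exe need their own rules (not covered here).
$denied = @{
    'vssadmin.exe'   = '%SYSTEM32%\vssadmin.exe'
    'cmd.exe'        = '%SYSTEM32%\cmd.exe'
    'powershell.exe' = '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe'
}
$denyRules = $denied.GetEnumerator() | ForEach-Object {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="HCCIC deny $($_.Key)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$($_.Value)" /></Conditions>
    </FilePathRule>
"@
}
$policyFile = Join-Path $env:TEMP 'hccic-applocker.xml'
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Default: Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyFile -Encoding UTF8
sc.exe config appidsvc start= auto | Out-Null     # AppLocker needs the Application Identity service
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# --- 3. Auditing: Run-key additions, scheduled-task creation, deletes ----
auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null
auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable | Out-Null  # 4698
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null                # 4660
# A SACL on the Run key makes value writes there produce event 4657.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$acl = Get-Acl -Path $runKey -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', 'SetValue, CreateSubKey, Delete', 'ContainerInherit', 'None', 'Success')))
Set-Acl -Path $runKey -AclObject $acl
# File-creation/deletion events for System32 likewise require a SACL on that
# folder; TrustedInstaller owns it, so an FIM agent running as SYSTEM is the
# usual way to set it, and it is not attempted here.

# --- 4. Detection: task creation, Run-key writes, bursts of deletes ------
function Get-RyukIndicators {
    param([int]$Hours = 24, [int]$DeleteBurst = 50, [int]$BurstSeconds = 10)
    $since = (Get-Date).AddHours(-$Hours)
    # 4698 = scheduled task created; 4657 = registry value modified
    $hits = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698,4657; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -eq 4698 -or $_.Message -match 'CurrentVersion\\Run' } |
        ForEach-Object { [pscustomobject]@{ Time=$_.TimeCreated; Id=$_.Id; Detail=($_.Message -split "`n")[0] } })
    # 4660 = object deleted: flag $DeleteBurst deletes within $BurstSeconds seconds
    $deletes = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660; StartTime=$since} -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)
    for ($i = 0; $i + $DeleteBurst - 1 -lt $deletes.Count; $i++) {
        $span = $deletes[$i + $DeleteBurst - 1].TimeCreated - $deletes[$i].TimeCreated
        if ($span.TotalSeconds -le $BurstSeconds) {
            $hits += [pscustomobject]@{ Time=$deletes[$i].TimeCreated; Id=4660; Detail="$DeleteBurst deletes in $([int]$span.TotalSeconds)s" }
            break
        }
    }
    $hits
}
Get-RyukIndicators | Format-Table -AutoSize
```

Run the script once from an elevated prompt, then schedule Get-RyukIndicators (or ship the same event IDs to your SIEM) on a short interval; the delete-burst window is a sliding check over sorted 4660 events, so it fires on the first run of deletes that fits inside the window rather than on the daily total.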
“Practice incident response scenarios which include complex attacks combining covert payment fraud and overt network disruption through ransomware, DDoS, network downtime, etc.,” they continued. “Ensure that you are progressing towards being able to attest against the SWIFT 27 controls.”