Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encrypt systems at “potentially hundreds” of medical centers and hospitals, based on a tip from a researcher who had been monitoring communications for the threat actor. On October 28 and 29, these claims were supported by the reports of six U.S. hospitals being compromised with Ryuk in the span of 24 hours.
CISA, the FBI, and HHS also confirmed this activity targeting the Healthcare and Public Health Sector, releasing a joint advisory on October 28, 2020. The advisory stated that the Ryuk actors were using Trickbot to target the industry and that the activity posed an “increased and imminent” threat. They also published technical indicators for both Trickbot and Ryuk.
Talos has years of experience dealing with Trickbot, Ryuk, and other tools used by the adversary. We are currently supporting customers who are affected and working hand-in-hand with federal law enforcement to support their investigations. We are also supporting other law enforcement and federal agencies as well.
If you have a customer that has been impacted by an attack, ransomware or otherwise, the first course of action is to engage Cisco Talos Incident Response Services (CTIR). Please head to https://talosintelligence.com/IR and follow the instructions for contacting IR at the top right of the page.
Insights from Incident Response
Talos can also confirm that we have several active incident response engagements involving ransomware attacks against healthcare organizations. In the last 90 days, roughly 20 percent of incident response engagement this quarter that have involved threats affecting the healthcare sector. One engagement involving a U.S. medical center was targeted with Ryuk as well as the red-teaming tool Cobalt Strike (Cobalt Strike has been frequently used with Ryuk, see below for more details). We do note, however, that in another active incident response engagement with a U.S. medical center the ransomware is not Ryuk, and is currently assessed to be either Vatet or Defray. We have not yet identified the presence of Trickbot in either incident.
Since July 2020, CTIR identified at least two other engagements involving Vatet malware that have affected U.S. healthcare organizations. In one engagement, the adversaries added a “.exe” as a new service, and the malicious service was loaded into memory. The adversaries also obtained a domain administrator account with elevated privileges and performed credential-dumping activities. They then created a “.zip” file which contained the dumped password stores. Since at least April 2020, Vatet has been used to target the healthcare sector.
Talos has also been made aware of an attack against several healthcare organizations in which the chain of infection involved BazarLoader to a BazarBackdoor to Cobalt Strike, before dropping Ryuk. We note that we have observed this same chain of infection involving a US government agency in late October.
CTIR has been dealing with the Ryuk menace for months. Since 2019, Ryuk has dominated the threat landscape observed by CTIR, representing the majority of threats observed for several quarters in a row. This is in line with open-source reporting, which has shown that Ryuk actors have frequently targeted healthcare organizations since the start of the COVID-19 pandemic.
Ryuk ransomware has been active since 2018 and continues to pose a major threat to organizations. In earlier incarnations, it was typically dropped by commodity trojans, such as Trickbot or Emotet, using email as an initial vector. This changed earlier in the year, when Talos noticed that Ryuk shifted from using commodity trojans to relying on encoded PowerShell commands to download the initial payload, distributing batch files via GPO to hidden admin shares and leveraging PowerShell to disable security/AV tools and prevent backups. The infection chain involving BazarLoader and BazarBackdoor also appears to be a notable shift away from relying on Emotet as the initial infection vector. Talos has also observed the adversaries using a common network discovery PowerShell script (“Get-DataInfo.ps1”) to scan the entire network and provide an output of online vs. offline hosts. Talos also noticed a shift from the adversaries leveraging PSExec to deploy Ryuk to an increased use of WMI, BITSAdmin, and Cobalt Strike.
Currently, a typical infection chain looks like the following. Ryuk actors use phishing emails or other methods to infect victims. The emails typically contain a malicious link or executable that drops a malware downloader onto the machine, which then delivers a Cobalt Strike beacon and other malicious files that are used to establish a foothold. The adversaries steal credentials using common off-the-shelf tools such as Cobalt Strike, PowerShell Empire, and Mimikatz. Ryuk actors often use scheduled tasks and service creation to maintain persistence in the victim environment. In order to avoid detection, the adversaries use native tools, such as net view, net computers, and ping, to conduct network reconnaissance. Once dropped, the Ryuk ransomware prevents the victim from recovering encrypted files by deleting backups and shadow copies, among other things. In the actors’ final step, a “RyukReadMe” file is downloaded that includes information on the ransom amount and how to pay.
Cobalt Strike has been observed in a number of Ryuk engagements, as well as investigations involving other ransomware. CTIR noted that from June to September, over 66% of ransomware engagements involved Cobalt Strike. Cobalt Strike is a prolific toolkit that both security professionals and threat actors can pay for and is effective at post-intrusion exploitation, beaconing for command and control (C2s), stealth and reconnaissance.
Cobalt Strike is a modularized attack framework: each module fulfills a specific function and stands alone. It’s hard to detect because its components might be customized derivatives from another module, new, or completely absent. Listeners are at the core of Cobalt Strike. They allow adversaries to configure the C2 method used in an attack. Every attack or payload generated in Cobalt Strike requires the targeted user to select a Listener to embed within it. This will determine how an infected host will reach out to the C2 server to retrieve additional payloads and instructions.
Potentially the most powerful aspect of Cobalt Strike is the array of malleable C2 profiles, which allows users to configure how attacks are created, and obfuscate and manage the flow of execution at a very low level. Cobalt Strike delivers exploits and/or malicious payloads using an attacker-controlled web server.
Talos has released a detailed white paper on Cobalt Strike, including comprehensive coverage for detecting its execution and communications. More detailed information can be found here.
Although CTIR has observed fewer attacks in which commodity trojans were used as an initial vector, we note that Ryuk has a long history of being dropped by Trickbot. For example, in June, Trickbot was observed using a combination of PowerTrick and Cobalt Strike to deploy the Anchor backdoor and Ryuk ransomware. The next month, Trickbot was observed in tandem with Conti, a Ryuk successor.
Trickbot is one of the most widely used and actively developed banking trojans in the cybercrime scene today. In addition to functioning as a banking trojan, Trickbot is also used as a dropper for other malware, such as ransomware. Organizations or individuals infected with Trickbot could experience persistent infections, credential theft, account lockouts, email hijacking, and fraudulent bank account transfers and withdrawals.
Trickbot is primarily spread through spam emails that contain malicious URLs or weaponized attachments. Once downloaded, the malware connects to a command and control (C2) server to upload victim data and receive instructions for various follow-on activities. Trickbot spreads across a network by brute-forcing usernames and passwords, sending malspam that originate from the infected user’s account, and leveraging the EternalBlue exploit to attack unpatched systems.
The adversary is likely targeting healthcare entities for a number of reasons. Threat actors probably assess that patient surges resulting from the COVID-19 pandemic may make them more willing to pay, and these entities often have systems that are older or unpatched in the environment, making them easy targets. We urge all organizations to carefully monitor for signs of a Ryuk infection, especially pre-ransomware events such as deployment of credential stealing software, lateral movement, or any suspicious PowerShell activity. In addition there are several malware families that have been observed on infected systems leading up to a Ryuk infection. Therefore, we urge partners to monitor for the following:
- Cobalt Strike
Cisco Security Solutions
Cisco security solutions, both on prem and cloud, offer a number of mitigations against this threat.
Cisco Advanced Malware Protection:
AMP provides many layers of protections on the endpoint. It has multiple engines that detect and prevent initial infection, reconnaissance, lateral movement, and file encryption.
- Malicious Activity Protection (MAP) - defends your endpoints from ransomware attacks by identifying malicious actions of processes when they execute and stops them from encrypting your data.
- Recommended setting: Quarantine
- System Process Protection (SPP) - protects critical Windows system processes from being compromised through memory injection attacks by other processes. This reduces the likelihood of credentials being compromised for lateral movement.
- Recommended setting: Protect
- Script Protection - will block malicious script files from executing.
- Recommended setting: Quarantine
- Exploit Prevention - defends your endpoints from memory injection attacks commonly used by malware and other zero-day attacks on unpatched software vulnerabilities. This engine stops many instances of CobaltStrike, Emotet, and Trickbot.
- Recommended setting: Block
- Behavioral Protection - helps prevent malicious activity that matches a set of behavioral signatures by alerting on activity, quarantining files, and ending processes in Protect mode.
- Recommended setting: Protect
Cisco Email Security Appliance or Cloud Delivered
- Cloud URL Analysis (CUA) - Helps protect end users from emails containing malicious URLs. Ryuk leverages malicious URLs with image based attachments to bait the user into clicking the link and beginning the attack chain.
- Cisco Advanced Phishing Protection (APP) is a cloud service that identifies and stops deception-based attacks such as social engineering, impostors, and Business Email Compromise (BEC). A very common initial attack vector for Ryuk is phishing.
- Outbreak Filters (OF) - Additional layer of protection to quarantine threats while new intelligence is gathered. Key when patient zero of a campaign.
- Anti-Spam - The ESA’s anti-spam engine is extremely configurable, so it’s difficult to say exactly but there are a number of features from Ryuk’s most recent email campaign that the ESA is built to deal with out of the box.
- Sender Based Reputation Service (SBRS) - The first thing the ESA examines when a message comes in is the connecting IP address and its reputation. In the case of Ryuk, the most recent campaign came from a spoofed email address leveraging Sendgrid infrastructure. Despite being a prominent email service provider (ESP), they do not receive a free pass and are checked.
- Message Compliance - Ryuk, like many actors, takes advantage of spoofed domains in a number of their email campaigns. The ESA is configurable to enforce Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC).
Umbrella Security Settings (Categories to Block):
- Newly Seen Domains
- The Newly Seen Domains (NSD) security category works by checking our DNS logs to see lookups for domains that we have never seen lookups for in the past. We notice a lookup from a client—whether or not that domain actually resolves to an IP address—and record that lookup as 'newly seen' if it's new to our records of DNS lookups. In some cases where a domain doesn't actually resolve, the domain will be getting 'pinged' by malware but won't actually have any content hosted there just yet. This often happens when the malware 'cycles' through hard-coded hostnames trying to find a command and control host to connect back to. This security category helps identify domains that fit that description.
- Command and Control Callbacks
- Phishing Attacks
- Potentially Harmful Domains
Cisco NGFW: Firepower Threat Defense
- Talos has written numerous IPS rules to cover these kinds of attacks. See the “Detailed Talos Coverage” section below for details on the specific signatures.
- Cisco NGFW includes protections against file-based malware/ransomware, as well as next generation IPS functionality. It also provides full layer-7 firewalling that is user and application aware.
- Implements segmentation, which is an excellent defense against the propagation of malware.
- Dynamically quarantines hosts found to be infected using rapid threat containment with ISE, Tetration and other solutions.
Cisco Duo: Multi-Factor Authentication (MFA) and host based trust
- Duo provides zero-trust policies for the workforce
- Adversaries commonly use credential stealing in their attacks so it is important to implement multi-factor authentication mechanisms.
- Duo provides simple and easy to deploy multifactor authentication (MFA) to hundreds of applications including Microsoft AD and Office365.
- Duo is unique in that it can also provide posture assessments of the device the authentication is coming from to ensure it aligns with the host security policy.
Tetration is a Workload Security solution focused on hardening the systems that run applications - independent of workload type or where that workload lives. Tetration provides multiple layers of visibility and control to reduce the attack surface and prevent lateral movement. System hardening and segmentation is essential to limiting the damage caused by ransomware attacks such as Ryuk.
- Software-Defined Zero-Trust based Micro-Segmentation: Tetration's agent-based distributed firewall can quickly lock down high-risk ports such as those used for remote access or attached to vulnerable software. Allow-lists for remote access can easily be applied to prevent lateral movement even within a security zone, which can help prevent the ways Ryuk traverses a victim environment. More broadly, Tetration can isolate applications with sensitive data from those at higher risk of compromise without making network changes.
- Vulnerability and Attack Surface Detection: Open and unused ports create excessive risk. Tetration's identifies vulnerable software and analyzes that against application behavior and network behavior to determine which open ports expose the highest risk and which can be safely closed down without impacting the application. Ports can then be closed by Tetration's Distributed Firewall.
- Automatic Network Segmentation Policy Discovery: Tetration accelerates network segmentation by automatically discovering the zero trust least-privilege segmentation policy for workloads. These policy recommendations can then be implemented with the Tetration Distributed Firewall to restrict lateral movement, limiting the scope of a ransomware attack.
- Process Baselining: Tetration provides unique analysis for targeted at workloads and can alert when anomalous processes, commands, or shellcode is executed.
Detailed Talos Coverage
Coverage includes Snort rules and ClamAV signatures. These signatures and rules are present in Cisco’s security solutions, including the NGFW and AMP for Endpoints.
- 50644, 50645, 53332, 53333, 53335, 53336
- 43890, 43891, 44559, 44560, 47616, 47617, 48402, 51971, 52029, 53108, 53353, 53354, 55931, 56003, 143892, 49888, 49889, 53770, 53771, 54804, 54805, 54900, 54901, 54924, 54925, 55253, 55254, 55591, 55592, 55781, 55782, 55787, 55788, 55869, 55870, 55873, 55874, 55929, 55930, 56046, 56047, 51967, 51968, 51969, 51970, 53355, 53356, 53357, 53358, 53359, 53360
- 40643, 40644, 44399, 44400, 44401, 44402, 44403, 44404, 44405, 44406, 44407, 44408, 44409, 44410, 44411, 44412, 44413, 44414, 44415, 47618, 50712, 50713, 50714, 50715, 54014, 54061, 54062, 54063, 54064, 54065, 54066, 54067, 54068, 54069, 54070, 54071, 54072, 54073, 54074, 54075, 54076, 54077, 54078, 54079, 54080, 54199, 54200, 54201, 54202, 54203, 54204, 54205, 54206, 54207, 54208, 54209, 54210, 54211, 54212, 54213, 55002, 55003, 55004, 55005
- 38259, 38260, 38261, 44561, 44562, 44563, 44564, 45352, 52063, 52064
- 53656, 53657, 53658, 53659, 45907, 45908, 53972, 53973, 53974, 53975, 30229, 30471, 30480, 53757, 53758, 54095, 54096, 8068, 54110, 54111, 54112, 54113, 54114, 54115, 54116, 54117, 54169, 54170, 54171, 54172, 54173, 54174, 54175, 54183, 13913, 23878, 38038, 54180, 54181, 54182
CISA, FBI, and HHS provided mitigations in their joint advisory:
- Maintain business continuity plans to minimize service interruptions
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.In addition, Talos has previously written about best practices which can help defend or reduce the damage from ransomware attacks. This includes hardening the DMZ, providing comprehensive email security and phishing training, and network segmentation. Implementing a Zero Trust methodology by managing access for users, microservices, and devices can also hinder lateral movement which can increase the scope of a ransomware attack.
Note that security researchers compiled a repository of Ryuk IOCs, which can be found here.