Posted on October 29, 2020 at 4:11 PM
A Russian cybercriminal gang known for ransomware deployment is planning to target hundreds of US clinics, hospitals, and medical care facilities.
The plan is to disrupt the information technology systems of these establishments. The US Department of Homeland Security and the FBI hastily assembled a conference call today with executives of the healthcare industry. On that call, the agencies warned of an imminent cybercrime threat targeting US-based healthcare providers and hospitals.
Massive Potential Threat
The agencies on the conference call, including the US Department of Health and Human Services (HHS), cautioned the medical executives that credible information had been obtained. That information warned of an imminent, increased cybercrime threat against all US health facilities.
The agencies stated that they were sharing this information so that healthcare providers could take the reasonable and timely precautions needed to protect their respective networks from such threats.
Ryuk Gearing Up For Attack
The warning comes less than two days after KrebsOnSecurity received a tip from Alex Holden, the founder of Hold Security, a Milwaukee-based cyber intelligence firm. Holden told Krebs that he had gained access to online communications this week.
In those communications, cybercriminals affiliated with the Russian-speaking Ryuk ransomware group discussed plans to deploy ransomware across 400 US-based healthcare facilities.
One of the participants on today's conference call said that the agencies offered very few solid details as to how healthcare organizations might better protect themselves against this potential Ryuk attack.
Failure To Provide Details
The participant highlighted that the agencies did not share any indicators of compromise (IoCs), and simply advised organizations to patch their systems and keep an eye out for suspicious activity. This could suggest that the agencies do not yet know what shape the attack will take.
Others on the call pointed out that hospitals already infiltrated by Ryuk would have little use for IoCs to begin with, because the Ryuk malware infrastructure tends to be unique to each victim.
This covers everything from the Microsoft Windows executable file dropped on infected hosts to the so-called "command and control servers" used to relay data among the various compromised systems.
Even so, Mandiant, the cybersecurity incident response firm, released a list of Internet addresses and domains today that Ryuk has used in attacks from earlier in 2020 to the present. Mandiant tracks the group under the actor classification "UNC1878" and recently aired a webcast detailing Ryuk's latest tactics.
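To show how a defender would actually put a published address-and-domain list like Mandiant's to use, here is an added example (not code from the article, from Mandiant, or from any agency on the call) that matches constructed DNS and connection log lines against a constructed IoC list. Every domain and IP address below is a placeholder drawn from reserved example ranges and TLDs, not a real Ryuk or UNC1878 indicator; the log line format, the host names, and the `scan` function are all assumptions made for this illustration.

```python
"""
Match constructed network-log lines against a constructed IoC list.
All domains and addresses are placeholders (RFC 5737 ranges, .test/.invalid
TLDs), NOT real Ryuk/UNC1878 indicators. A real list would be loaded from a
vendor-published file instead of being hard-coded here.
"""
import ipaddress
import re

# Constructed IoC list (placeholders). Domain matching below also catches
# subdomains, since C2 infrastructure frequently rotates host labels.
IOC_DOMAINS = {"bad-example.test", "c2.invalid"}
IOC_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed log lines in an assumed format:
#   "<timestamp> <source-host> <dns|conn> <destination>"
# "conn" destinations are IPv4 "addr:port" only (IPv6 is out of scope here).
SAMPLE_LOGS = [
    "2020-10-29T14:02:11Z ws-0412 dns cdn.bad-example.test",
    "2020-10-29T14:02:12Z ws-0412 conn 203.0.113.45:443",
    "2020-10-29T14:03:07Z ws-0198 dns updates.example.org",
    "2020-10-29T14:03:09Z ws-0198 conn 192.0.2.10:80",
    "2020-10-29T14:05:30Z srv-ehr01 conn 198.51.100.7:443",
    "malformed line",  # deliberately does not fit the format
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(dns|conn)\s+(\S+)$")


def domain_matches(name, iocs):
    """True if name equals an IoC domain or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    # Check every suffix: "cdn.bad-example.test" -> "bad-example.test" -> "test"
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def ip_matches(addr_port, networks):
    """True if the IPv4 address in 'addr:port' falls inside any IoC network."""
    host = addr_port.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an address literal (e.g. a hostname); no match
    return any(addr in net for net in networks)


def scan(lines, domains=IOC_DOMAINS, networks=IOC_NETWORKS):
    """Return (source_host, indicator_type, destination) for each IoC hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        _ts, host, kind, dest = m.groups()
        if kind == "dns" and domain_matches(dest, domains):
            hits.append((host, "domain", dest))
        elif kind == "conn" and ip_matches(dest, networks):
            hits.append((host, "ip", dest))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("IoC hit: host=%s type=%s value=%s" % hit)
```

A hit on an internal host name such as the constructed `srv-ehr01` is the kind of finding the participants above had in mind: it does not prove compromise on its own, but it tells the responder which machine to pull for triage first. Because each Ryuk victim sees distinct infrastructure, a list like this is most useful against the shared, reused pieces (staging and C2 addresses), and should be refreshed as the vendor updates it.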
Big Players’ Opinions
Charles Carmakal, Senior Vice President at Mandiant, went on record with Reuters to describe the Ryuk threat actors as heartless, brazen, and disruptive. Carmakal has observed these actors throughout his career and noted that multiple hospitals had been severely impacted by Ryuk's ransomware, with their networks going completely offline.
A health industry veteran who asked to remain anonymous spoke to Krebs about the matter. According to this veteran, if such a large number of medical facilities are at risk, this is not just a single hospital group being compromised.
Instead, the veteran suggested that an electronic health record provider serving many care facilities could be the weakest link.
Within the past few days, a handful of hospitals have been dealing with ransomware attacks. So far, however, there is no catastrophic attack involving hundreds of healthcare facilities.
With any luck, the needed steps can be taken to minimize the risks to the US healthcare system. Any organized hacking group is dangerous, but the scope of the attack described in this warning is considerable.