Yesterday, a Joint Cybersecurity Advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published a critical alert about verified and widespread attacks targeting Healthcare and Public Health Sector organizations. Widespread activity has been detected for Trickbot, first seen in 2016, in a more evolved, stealthy, and lethal version, often delivering payloads such as Ryuk ransomware. Reported malicious activities may include disruption of patient services and operations, data theft, and potential publication of PHI data if ransom demands are not met. This attack is reported as targeting health systems, hospitals, doctors’ offices, laboratories, health technology vendors, mental health care providers and facilities, and public health agencies.
According to SentinelLABS’ report on the matter, “In the last three months, there has been a 50% uptick in ransomware, with the Ryuk ransomware garnering the most attention after a string of high-profile attacks that have been crippling companies. Last month it was reported that Ryuk hit [Universal Health Services] (UHS) hospital networks with force, spreading across UHS healthcare facilities in the US from coast to coast. This well-orchestrated attack left many hospital workers without access to labs, radiology, and patient records, which led to workers having to resort to pen and paper to triage patients. Ryuk is currently attacking approximately 20 organizations a week, and this number will only expand due to its successes.”
As part of TRUE’s ongoing focus on supporting the healthcare industry with cybersecurity, cyber compliance, and critical asset management, our teams of experts have been working to lend a hand. Our specialists have been urgently alerting clients to this imminent threat and ensuring that our healthcare clients are supported with specific steps and guidance for identifying and combatting any signs of this attack. The TRUE Security Operations Center, which maintains threat feeds from numerous sources (government, private, and proprietary), became aware of the attacks ahead of yesterday’s publicly released statements. Because of our SOC’s levels of intelligence clearance, we actively uncover and hunt for threats in client environments before those attacks are made public. Since discovering the uptick in targeted attacks, TRUE’s security analysts have been proactively threat hunting throughout the environments of our TrueSIEM and TrueMDR clients, looking for signs of compromise and performing forensic investigations, mitigation strategies, and remediation activities to prevent those organizations from experiencing a breach or interruption of services.
TRUE experts have also made themselves available in a more public way, to support all of you who would like more education and guidance in identifying and mitigating these risks. To that end, next week a panel of TRUE experts from our Critical Asset Management, Security Operations Center/Incident Response, and Cyber Compliance teams is offering a Trickbot and Ryuk-focused discussion, open to the public, with time for Q & A. You can register right away for the panel event, “US-CERT Urgent Threat Alert Response: Uncovering and Mitigating Signs of Trickbot and Ryuk Attacks in Your Environment”.
Topics covered will include:
- Key threat vectors in this particular Trickbot & Ryuk attack
- Ways to identify signs of compromise (detection and mitigation)
- HIPAA notification requirements
- Recovery steps to take if you uncover infection
- Processes and controls you can put in place to be prepared for attacks like these going forward
In the meantime, if you are concerned that you may be on a potential target list, you can refer to the detailed public US-CERT alert for specific technical indicators of compromise, as well as an extremely helpful compilation of resources, such as Ransomware Mitigation and Network Hardening Best Practices, a Ransomware Response Checklist, and guidance on what kinds of information you may be able to provide back to CISA, HHS/HC3, or federal law enforcement. Additionally, if you uncover signs of attack and want to dig into the very technical aspects of what you may be dealing with in a potential Ryuk infection, you may want to refer to this research note from Marco Figueroa, a Principal Threat Researcher at SentinelOne. Our Incident Response team is available to answer questions and assist with assessing or responding to a potential incident.
While their service capabilities go well beyond malware mitigation, the TrueMDR and TrueSIEM offerings are both designed specifically to catch attacks such as these and provide expert response to them. There are few better ways to strengthen your organization’s posture than with mature defense, monitoring, and response capabilities. If you would like to speak with someone right away about active monitoring and protection for your network, please reach out to us at firstname.lastname@example.org.
Register for the webinar: