Imminent Threat for US Hospitals and Clinics, RYUK RansomwareAlert (AA20-302A) – Updated 11/2/2020

Earlier this week rumblings were detected of a RYUK attack against US based hospitals and clinics. As the week has progressed, we have started to see this attack unfold.

On October 29, 2020 a confidential source on the attack described this as “Increased and Imminent Cybercrime Threat”.

What we know:

This appears to be an RYUK ransomware attack being delivered through phishing attacks. Raxis recommends that heightened vigilance be  applied across all attack vectors and instrumentation.

Who:

The attack appears to be targeted at U.S. based hospitals, clinics, and other health care facilities. All health care operations should be on heightened alert for anomalous behavior or other Indications of Compromise (IOCs).

When:

Imminent. As of the time of this writing several US hospitals are already under attack.

What to do:  
  • Immediately disseminate threat awareness notifications to all users and establish an update cadence to keep them aware of the threat as it continues to evolve.
  • Isolate critical systems where possible.
  • Review Incident Response (IR) plans and confirm accuracy of the plans to the extent possible.
  • Verify systems are patched and up to date.
  • Adjust instrumentation to detect known ransomware IOCs.
  • Use Multi-Factor Authentication (MFA) wherever possible. Consider temporarily enforcing MFA in instances where users have the option of bypassing it.
  • Enforce cybersecurity hygiene including: Audit user accounts with admin privileges and close all unnecessary ports.
  • Backup all critical data and verify restoration capabilities.
  • Verify endpoint protection measures are up to date and functioning properly.
Technical details of the attack:
  • The initial insertion point is through a phishing campaign.
  • Typically, RYUK has been deployed as a payload from Trojans such as Trickbot.
  • RYUK actors use common tools to steal credentials. These tools allow the actors to dump cleartext passwords as well as password hashes that can be brute forced offline.
  • Payloads may establish persistence based on DLL injection or other common techniques.
  • RYUK has been known to use scheduled tasks and service creation to maintain persistence.
  • RYUK actors will conduct network reconnaissance using native tools such as Windows Net commands, nslookup, and ping to locate mapped network shares, domain controllers, and Active Directory resources.
  • RYUK actors also use tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (MS-RDP) for lateral movement through the network. IT personnel should be on alert for any suspicious traffic on the network.
  • RYUK uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
  • Actors will attempt to disable or remove security applications on victim systems that might prevent the ransomware from executing. Secondary monitoring on these processes may enhance detection fidelity.
Updates
November 2, 2020

New information has been released specifically around Indicators of Compromise (IOC). Latest information indicates threat actors are targeting the HPH Sector with TrickBot and BazarLoader malware. This malware often leads to ransomware, data theft, and disruption of services. These are often loaded through malicious links and/or attachments via phishing.

TrickBot IOC:
TrickBot often installs an achor toolset identified as anchor_dns that creates a backdoor for sending and receiving data from compromised machines using Domain Name Systems (DNS) tunneling. Anchor_dns uses a single-byte X0R cipher to encrypt communications which have been observed using key 0xB9. This decrypted traffic can be found in DNS request traffic.

TrickBot copies itself as an executable file with a 12-character randomly generated name and places this file in one of the following directories:

  • C:\Windows
  • C:\Windows\SysWOW64
  • C:\Users\[Username]\AppData\Roaming

Once the executable is running, it downloads hardware-specific modules from the Command and Control server (C2s). These files are placed in the infected host’s %APPDATA% or %PROGRAMDATA% directory.

The malware uses a scheduled task running every 15 minutes to maintain persistence with the host machine. Reports indicate the tasks typically use the following naming conventions:

[random_folder_name_in_%APPDATA%_excluding_Microsoft]
autoupdate#[5_random_numbers] 

After successful execution, anchor_dns deploys malicious batch scripts using PowerShell commands: 

cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

The following domains have been associated with anchor_dns:

  • Kostunivo.com
  • chishir.com    
  • mangoclone.com
  • onixcellent.com

This malware has been known to use the following legitimate domains to test internet connectivity:

  • Api.ipify.org
  • Checkip.amazonaws.com
  • Icanhazip.com
  • Ident.me
  • Ip.anysrc.net
  • Ipecho.net
  • Ipinfo.io
  • Myexternalip.com
  • Wtfismyip.com

There is also an open-source tracker for TrickBot C2 servers located at https://feodotracker.abuse.ch/browse/trickbot/

 Anchor_dns historically used the following C2 Servers:

  • 23.95.97.59
  • 51.254.25.115
  • 87.98.175.85
  • 91.217.137.37
  • 193.183.98.66

 BazarLoader/BazarBackdoor IOC:

Typically deployed through phishing and contain the following:

  • Typically deployed in a PDF attachment through an actor controlled online hosting solution
  • Often references a failure to create a preview of the document and contains a link to a URL that is hosting a malware payload
  • Emails are often routine in appearance and often employ a business pretext
  • Typical social engineering tactics are in use with email content 

The following filenames have been identified for installing BazarLoader:

  • Document_Print.exe
  • Report10-13.exe
  • Report-Review26-10.exe
  • Review_Report15-10.exe
  • Text_Report.exe 

Bazar activity can be detected by searching system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key:

 %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk 

The following C2 servers are known to be associated with this malicious activity:

  •  5.2.78.118
  • 31.131.21.184
  • 36.89.106.69
  • 36.91.87.227
  • 37.187.3.176
  • 45.148.10.92
  • 45.89.127.92
  • 46.28.64.8
  • 51.81.113.25
  • 62.108.35.103
  • 74.222.14.27
  • 86.104.194.30
  • 91.200.103.242
  • 96.9.73.73
  • 96.9.77.142
  • 103.76.169.213
  • 103.84.238.3
  • 104.161.32.111
  • 105.163.17.83
  • 107.172.140.171
  • 131.153.22.148
  • 170.238.117.187
  • 177.74.232.124
  • 185.117.73.163
  • 185.68.93.17
  • 185.90.61.62
  • 185.90.61.69
  • 195.123.240.219
  • 195.123.242.119
  • 195.123.242.120
  • 203.176.135.102
Raxis X logo as document separator
Smart phone with security alert