Ryuk Ransomware Targeting Healthcare
As if the COVID-19 pandemic were not enough, the healthcare sector is now being actively targeted by threat actors using Ryuk ransomware. Yesterday, the FBI issued an
increased and imminent cyber threat warning
amid
growing reports of healthcare providers
falling victim to the campaign. The threat actors are using Trickbot (delivered via Emotet) to gain access to target systems and deploy Ryuk.
increased and imminent cyber threat warning
amid
growing reports of healthcare providers
falling victim to the campaign. The threat actors are using Trickbot (delivered via Emotet) to gain access to target systems and deploy Ryuk.
The attacks reinforce an ongoing trend of ransomware actors strategically targeting victims that have less tolerance for downtime and a high incentive to pay the ransom. Healthcare providers already under stress from the COVID-19 pandemic may be in a poor position to say no when confronted with a ransomware attack that significantly degrades their ability to provide patient care. In September, a patient with a life-threatening condition died after a
ransomware attack on a German hospital
forced her to be rerouted to a more distant facility.
ransomware attack on a German hospital
forced her to be rerouted to a more distant facility.
The campaign uses email lures to deploy Emotet as the initial stage. Once infected with Emotet, Trickbot is loaded onto the compromised system. The threat actors then use Trickbot to gain access to high value targets (such as domain controllers) and deploy Ryuk ransomware across the network.
The email lures often masquerade as corporate communications and link to a compromised site hosting Emotet. Many of the emails include recipient specific information such as name of employer in the subject line or email body.
Example email lure
It’s worth noting that this campaign impacting healthcare providers comes after recent efforts by
U.S. Cyber Command
,
Microsoft, and others
to disrupt the Trickbot botnet.
U.S. Cyber Command
,
Microsoft, and others
to disrupt the Trickbot botnet.
Recently-Observed Threat Indicators
For Emotet document/downloader URLs, we recommend the Cryptolaemus lists:
https://paste.cryptolaemus.com
https://paste.cryptolaemus.com
Emotet / Trickbot email lure subject lines:
9100091 Canada Inc. |
| {First Name} {Last Name} |
| {Company Name} SIGNS PAYMENT NOTIFICATION 10.14.2020 |
| {Last Name}, {First Name} Payment Summary – Ref Id: D504336 |
| RE: Title conditions |
| {Last Name}, {First Name} |
| my visit and call |
| RE: {Company Name} |
| upcoming commercials for approval- {Redacted} |
| RE: {Company Name} URGENT sept 19th if possible- please read email |
| Borrowing Base Certificate, A/R Aging, and Inventory listing from {Company Name}? |
| {Last Name}, {First Name} |
| Re: File # {Redacted}, Loan # {Redacted}, {Company Name}, {Address} |
| {Last Name}, {First Name} |
| {Last Name} {First Name} |
| {Last Name} and {Company Name} Back to Back 3-point games STAT |
| October Statement – {Company Name} |
| Payment Advice – ACH Transfer Notification – Ref:[Redacted] / ACH credits |
| Payroll – {Company Name} |
| Please approve – {Company Name} |
| Potential {First Name} {Last Name} Shutout STAT |
| Purchase Order – {Redacted} TSA from {Company Name} |
| RE: {First Name}, i’m waiting for a call |
| RE: {First Name}, office meeting |
| RE: {Last Name} |
| Re: Automatisch antwoord: {Redacted} {First Name} {Last Name} —- BWA 03-2019 |
| Re: {First Name} {Last Name} |
| RE: {Company Name} |
| RE: {Redacted} – {Company Name} du 30 mars au 2 avril 2020 |
| RE: {Company Name} termination list |
| RE: {Company Name} – Bonus |
| RE: {First Name}, your task list |
| RE: {Company Name} URGENT sept 19th if possible- please read email |
| RE: {Redacted} Card, Monthly Payments |
| RE: Purchasing Card documents |
| RE: {Company Name} – {Redacted} |
| RE: Re: Brick for {First Name} |
| RE: RE: Enrollment Form for New Employee |
| Re: RE: EXTERNAL: Delivery 11-07-19 |
| Re: RE: Loan Request |
| Re: RE: Local/Indy Radio Show |
| Re: RE: {Redacted} cARD |
| RE: RE: returned check NSF |
| RE: Report for {First Name} |
| RE: {Last Name} |
| RE: Securemail Payoff amounts needed |
| RE: {Company Name} Bank Employee Survey |
| revised commercial |
| {Company Name} Advisors Access Online |
| March Statement – {Company Name} |
| Please approve |
| {First Name} {Last Name} Online Payment – Ref Id: {Redacted} |
| RE: {First Name}, debit confirmation |
| Re: debit |
| RE: my call |
| Re: my visit and call |
Additional Resources:
Recent Articles By Author
*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Stacy Shelley. Read the original post at: https://info.phishlabs.com/blog/ryuk-ransomware-targeting-healthcare
