Ryuk ransomware – which pummeled the healthcare sector in the fall – has added the Emotet and TrickBot trojans to its attack method to gain access to a network, according to new research from FireEye and CrowdStrike.
The Department of Health and Human Services alerted the healthcare sector to Ryuk’s targeted campaign in September because of its similarity to the SamSam ransomware cyberattacks, which were also extensively targeting the sector.
The initial Ryuk attacks were discovered in the wild in August 2018. Its operators would find targets by scanning for open Remote Desktop Service ports or by exploiting other security gaps, such as stolen credentials, to gain access to a network. They would then target servers and high-value data to extort a ransom from their victims.
At the time, HHS officials warned healthcare was a prime target given its sensitive data, excessive patching issues, and the need to have access to patient data at all times.
But now the Ryuk operators have upped the ante with the addition of new trojans to gain access to a network. After the bots infect the network, the malware creates reverse shells back to the threat actor, who manually moves through the entire network and installs Ryuk.
Typically, the ransomware is delivered as the final stage of an infection chain that begins with Emotet and uses TrickBot as its secondary payload, according to CrowdStrike. However, FireEye observed that the ransomware can also be delivered from a TrickBot infection alone.
FireEye, which tracks the group as TEMP.MixMaster, believes the TrickBot operators are renting the service to other cybercriminals who use the TrickBot trojan.
“Following indiscriminate campaigns, threat actors can profile victims to identify systems and users of interest and subsequently determine potential monetization strategies to maximize their revenue,” FireEye researchers wrote.
“Various malware families have incorporated capabilities that can aid in the discovery of high-value targets underscoring the necessity for organizations to prioritize proper remediation of all threats, not only those that initially appear to be targeted,” they added.
Ryuk is used specifically to target enterprise organizations, and since August its operators have racked up more than 706 bitcoin in payments across 52 transactions, or about $3.7 million, according to CrowdStrike researchers.
While Ryuk was originally attributed to North Korea, researchers now believe its operators are based in Russia, a reassessment that followed Ryuk’s disruption of operations at several newspapers, including the LA Times and the Wall Street Journal, in late December 2018.
Both research teams confirmed that these attacks are launched through phishing emails, one of healthcare’s greatest pain points. In December alone, at least six health providers reported breaches caused by phishing attacks, including Cancer Treatment Centers of America, a business associate of Managed Health Services, and Kent County Community Mental Health Authority.