After a long lull, Ryuk is back with new tactics and tools. First spotted in August 2018, the Ryuk gang gained infamy in 2019, demanding multi-million-dollar ransoms from hospitals, local governments and companies. According to the Federal Bureau of Investigation, the ransomware pulled in over $6 million in the United States alone. There was speculation that the Ryuk operators had moved on to a rebranded version of the ransomware known as “Conti”. Instead, Ryuk returned with only minor changes to the ransomware itself, but with a clear evolution in the tooling used to compromise targeted networks and deploy it.
The attack was also notable for how quickly it moved from initial compromise to ransomware deployment. Within three and a half hours of a victim opening a phishing email attachment, the attackers were already performing network reconnaissance. Within a day they had gained access to a domain controller and were in the early stages of attempting to deploy the ransomware.
The attackers were persistent as well. When the launch attempts failed, the Ryuk actors made repeated attempts to install new ransomware and malware, including renewed phishing campaigns to re-establish a foothold. By the end of the attack, over 90 servers and other systems had been involved, although the ransomware was blocked from executing fully.
Healthcare organizations have been fighting to save lives since the COVID-19 pandemic began, but they have also had to turn part of their attention to another kind of virus. Since March 2020, healthcare organizations in the United States have been hit by multiple cyber attacks from threat actors looking to exploit any weakness in their systems. The latest addition to the ranks of healthcare network threats is Ryuk, a ransomware family that has hit numerous medical organizations since September 2020.
Like most ransomware, Ryuk penetrates networks and encrypts critical files, and the criminals behind the deployment demand payment from the victim in exchange for a decryption key. Ryuk was first seen in 2018 and has since extracted ransoms in the millions from hospitals, local governments and private enterprises. It is widely believed that Ryuk is based on an older ransomware program called “Hermes” and is operated by a Russian-speaking cyber criminal group.
Various threat detection agencies have observed that, like most ransomware, Ryuk uses phishing emails to gain entry to networks. The emails are spoofed to make the recipient believe they come from a trusted source. Once the attachment is opened, a trojan such as TrickBot is installed on the host. From there the malware harvests administrator credentials, which lets the attackers move laterally across the network in search of critical assets. Once they have reached the high-value assets, Ryuk is executed to encrypt them and a ransom demand, payable in Bitcoin, is made.
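The credential-harvesting and lateral-movement phase described above leaves a recognisable trace in Windows Security logs: one account, from one source address, logging on over the network (Event ID 4624, LogonType 3) to many different hosts in a short time. The script below is an added example and is not part of the original article or any vendor's tooling; it runs that heuristic over constructed sample events. The account names, hosts, addresses, window and threshold are assumptions; in production `$events` would come from centrally collected 4624 events (for example via `Get-WinEvent` on a log collector).

```powershell
# Added example (not from the original article): flag one account/source address
# performing network logons (4624, LogonType 3) to many hosts within a short window,
# which is how hands-on-keyboard lateral movement looks in Windows Security logs.
# All events below are constructed sample data; names and addresses are assumptions.

$events = @(
    [pscustomobject]@{ Time = [datetime]'2020-10-01T02:10:00'; Account = 'svc_backup'; SourceIp = '10.10.100.23'; TargetHost = 'WS-RADIOLOGY-04'; LogonType = 3 },
    [pscustomobject]@{ Time = [datetime]'2020-10-01T02:11:30'; Account = 'svc_backup'; SourceIp = '10.10.100.23'; TargetHost = 'WS-PHARMACY-02';  LogonType = 3 },
    [pscustomobject]@{ Time = [datetime]'2020-10-01T02:12:10'; Account = 'svc_backup'; SourceIp = '10.10.100.23'; TargetHost = 'SRV-FILE-01';     LogonType = 3 },
    [pscustomobject]@{ Time = [datetime]'2020-10-01T02:13:45'; Account = 'svc_backup'; SourceIp = '10.10.100.23'; TargetHost = 'SRV-EHR-DB-01';   LogonType = 3 },
    [pscustomobject]@{ Time = [datetime]'2020-10-01T02:15:05'; Account = 'svc_backup'; SourceIp = '10.10.100.23'; TargetHost = 'DC-01';           LogonType = 3 },
    # benign activity for contrast: an interactive logon and a single print-server access
    [pscustomobject]@{ Time = [datetime]'2020-10-01T02:12:00'; Account = 'j.nurse';    SourceIp = '10.10.101.7';  TargetHost = 'WS-ICU-01';        LogonType = 2 },
    [pscustomobject]@{ Time = [datetime]'2020-10-01T02:12:30'; Account = 'j.nurse';    SourceIp = '10.10.101.7';  TargetHost = 'SRV-PRINT-01';     LogonType = 3 }
)

$window    = [timespan]::FromMinutes(10)   # assumption: tune to your environment
$threshold = 5                              # distinct target hosts inside one window

$events |
    Where-Object { $_.LogonType -eq 3 } |        # network logons only
    Group-Object Account, SourceIp |             # one group per (account, source) pair
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        # Slide the window forward from each event and count distinct hosts inside it.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start    = $sorted[$i].Time
            $inWindow = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt ($start + $window) })
            $hosts    = @($inWindow.TargetHost | Select-Object -Unique)
            if ($hosts.Count -ge $threshold) {
                [pscustomobject]@{
                    Account   = $sorted[0].Account
                    SourceIp  = $sorted[0].SourceIp
                    FirstSeen = $start
                    Hosts     = ($hosts -join ', ')
                }
                break   # one alert per (account, source) pair is enough
            }
        }
    }
```

On the sample data this reports a single alert for `svc_backup` from `10.10.100.23`, touching five hosts (including the domain controller and the EHR database) in about five minutes, while the nurse's two logons produce nothing. The threshold and window need tuning per site: backup and monitoring accounts legitimately fan out to many hosts, so those should be allow-listed by account rather than by raising the threshold for everyone.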
With cyber attacks on healthcare organizations and hospitals increasing during the COVID-19 pandemic, it is crucial to take proactive security measures to prevent major disruptions that can put patients’ lives at stake.
Cyber criminals know that people are the weakest link in the security chain, which is why phishing emails are the preferred way into an otherwise secured system. The most basic step is to train medical staff to recognise suspicious emails and not to open messages or attachments from unknown sources. This alone reduces the chance of an organization being breached.
Installing basic antivirus is a bare-minimum measure, but it cannot stop sophisticated malware from exploiting system weaknesses. It is essential to lock down endpoints with configurable security rules that enforce whitelisting and blacklisting, so that only files and applications deemed safe are allowed to execute. Everything else, whether suspicious or simply unknown, is prevented from running, which covers ransomware, zero-day payloads and other malware.
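On Windows endpoints the whitelisting described above is typically done with AppLocker. The script below is an added example, not code from the original article or from any vendor: it builds an allow-only policy from the software already present on a clean reference workstation, checks how a downloaded file would be treated, and applies the policy in audit mode first. The reference directories, the policy path and the sample file name are assumptions; run it elevated on a Windows edition that supports AppLocker enforcement.

```powershell
# Added example (not from the original article): build and apply a default-deny
# AppLocker policy. Paths and the sample file are assumptions.

# 1. AppLocker enforces nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 2. Generate allow rules from known-good binaries on a clean reference machine.
#    Signed files get publisher rules (they survive updates); unsigned files fall
#    back to hash rules. -Optimize collapses duplicate rules.
$reference = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\System32')
$policyXml = 'C:\Policies\AppLocker-Allow.xml'
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

$reference |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Dll, Script, WindowsInstaller } |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding utf8

# 3. Generated rule collections are not enforced until an enforcement mode is set.
#    Start in AuditOnly: blocked executions are logged (AppLocker event 8003) without
#    breaking clinical software; switch to 'Enabled' once the log is clean.
$mode = 'AuditOnly'
[xml]$policy = Get-Content -Path $policyXml
foreach ($rc in $policy.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = $mode }
$policy.Save($policyXml)

# 4. Dry-run a file before enforcing. Anything not matched by an allow rule is denied,
#    including a never-seen-before payload, so no signature is needed to block it.
$sample = "$env:USERPROFILE\Downloads\invoice_2020-10.exe"   # assumed file to check
if (Test-Path -Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyXml -Path $sample -User Everyone
}

# 5. Apply. -Merge keeps rules already delivered by Group Policy; without it the
#    local policy is replaced outright.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
```

The important design choice is the default-deny direction: the policy lists what may run and everything else, known or unknown, is refused, which is exactly the property that stops an unsigned dropper from a phishing attachment. The counterpart is operational: a hospital has a long tail of vendor software and scripts, so the audit period in step 3 is where the missing allow rules are discovered before enforcement locks anything out.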
These ransomware attacks are not launched until the criminals have reached high-value healthcare assets such as Protected Health Information (PHI). To get there they move across the network, probing for firewall weaknesses and open ports. With micro-segmentation, hospitals can segment and isolate vital assets and applications. Once the segments are defined, granular access controls can grant only authorized users access to their applications. Micro-segmentation therefore prevents both unauthorized access and lateral movement from compromised systems.
This approach applies the principle of least privilege. Zero Trust security uses predefined trust parameters to enforce a high level of security: every application, user or device must be verified against these parameters before it is granted access. If a requester fails any of the checks, access is denied and the request is treated as unauthorized or suspicious. Zero Trust security can therefore help identify intruders at an early stage.
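The segmentation in the previous paragraph and the least-privilege, default-deny stance in this one can both be expressed on a single Windows host without any dedicated appliance. The script below is an added example, not code from the original article or any vendor: it locks down a server holding a PHI database so that only the application tier can reach the database port, only jump hosts can administer it, and clinical workstations are explicitly cut off from the services Ryuk operators use to spread. The subnets, ports and rule names are assumptions; run it elevated on the database server.

```powershell
# Added example (not from the original article): host-based micro-segmentation and
# least privilege with Windows Firewall on a PHI database server. Subnets and ports
# are assumptions. Windows Firewall evaluates Block rules before Allow rules, and the
# profile default set below drops anything no rule explicitly allows (default deny).

$appTier      = '10.10.20.0/24'    # EHR application servers that legitimately query the DB
$jumpHosts    = '10.10.5.0/28'     # administrators' jump hosts
$workstations = '10.10.100.0/22'   # clinical workstations: must never reach the DB directly

# 1. Default deny inbound on every profile. Outbound is left open here; tighten it
#    separately once the server's legitimate destinations are known.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Log dropped packets: this is where the "exploring for open ports" phase shows up.
Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 3. Least privilege: each allowed path is one source segment to one service.
New-NetFirewallRule -DisplayName 'PHI-DB: allow SQL from app tier'     -Direction Inbound -Protocol TCP -LocalPort 1433 -RemoteAddress $appTier   -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'PHI-DB: allow RDP from jump hosts'   -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $jumpHosts -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'PHI-DB: allow WinRM from jump hosts' -Direction Inbound -Protocol TCP -LocalPort 5985 -RemoteAddress $jumpHosts -Action Allow -Profile Domain

# 4. Explicit blocks for the lateral-movement services from the workstation segment.
#    These hold even if someone later adds a broad Allow rule, because Block wins.
foreach ($port in 445, 3389, 5985, 135) {
    New-NetFirewallRule -DisplayName "PHI-DB: block TCP/$port from workstations" -Direction Inbound -Protocol TCP -LocalPort $port -RemoteAddress $workstations -Action Block -Profile Any
}

# 5. Verify what is actually in force.
Get-NetFirewallRule -DisplayName 'PHI-DB:*' |
    Format-Table DisplayName, Direction, Action, Enabled, Profile -AutoSize
```

Read together, the rules say who may reach which service and nothing more, which is the "granular access control" of micro-segmentation and the default-deny of Zero Trust in one place. A compromised workstation with stolen administrator credentials still cannot open SMB, RDP or WinRM to the database server, and its attempts land in the firewall log, so the same control that blocks lateral movement also produces the early signal the Zero Trust paragraph describes.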
As the world fights a unique health crisis, the medical sector is on the front lines of the pandemic. Ruthless criminals are taking advantage of vulnerable health facilities. But if medical organizations invest in easy-to-deploy security solutions, they can keep their focus on their main goal: saving lives.