In the past month, 10 more hospitals have fallen victim to Ryuk attacks in the US
# Incident Report: Ryuk Ransomware Campaign Against US Healthcare Facilities
## Executive Summary
Over the past month, a coordinated series of Ryuk ransomware attacks has targeted at least 10 hospitals across the United States. Despite the global health crisis, the threat actors prioritized medical facilities to maximize pressure for ransom payments, resulting in significant operational disruptions and compromised patient data systems.
## Incident Details
- **Discovery Date:** Late March 2020
- **Incident Date:** March 2020 - April 2020
- **Affected Organization:** 10+ Hospitals (Names withheld in primary summary)
- **Sector:** Healthcare
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout March 2020
- **Vector:** Phishing and secondary infection (TrickBot/Emotet)
- **Details:** Access was primarily gained via malicious emails harboring TrickBot or Emotet downloaders, which acted as the staging ground for Ryuk.
### Lateral Movement
- Attackers utilized tools such as PowerShell, Cobalt Strike, and WMI to navigate the local networks.
- They moved from initial workstations to Domain Controllers to gain full environment control.
### Data Exfiltration/Impact
- Critical patient records, administrative databases, and backup systems were encrypted.
- In several cases, sensitive data was staged for exfiltration to pressure victims into paying under threat of public release.
### Detection & Response
- **Detection:** Discovered when staff were locked out of Electronic Health Record (EHR) systems and ransom notes appeared on terminals.
- **Response actions taken:** Immediate isolation of infected segments; engagement of third-party incident response teams; transition to manual/paper-based medical charting.
## Attack Methodology
- **Initial Access:** Phishing campaigns delivering Emotet/TrickBot.
- **Persistence:** Scheduled tasks and registry run keys created by the secondary payloads.
- **Privilege Escalation:** Mimikatz and exploitation of vulnerabilities like Zerologon (in contemporaneous cases).
- **Defense Evasion:** Disabling antivirus (Windows Defender) using PowerShell; clearing event logs.
- **Credential Access:** Scraping LSASS memory and harvesting browser-stored credentials.
- **Discovery:** AdFind and Net view used to map Active Directory and network shares.
- **Lateral Movement:** Remote Desktop Protocol (RDP) and SMB/psexec execution.
- **Collection:** Automated scanning for documents containing "finance," "legal," or "patient."
- **Exfiltration:** Use of cloud storage providers (e.g., Mega[.]nz) or FTP servers.
- **Impact:** RSA+AES-256 encryption of files and deletion of Volume Shadow Copies.
## Impact Assessment
- **Financial:** Multi-million dollar ransom demands per facility; high costs for forensic recovery.
- **Data Breach:** Compromise of protected health information (PHI) and PII.
- **Operational:** Total diversion of emergency room patients and cancellation of elective surgeries due to system downtime.
- **Reputational:** Loss of community trust during a critical public health period.
## Indicators of Compromise
- **Network indicators:**
  - 45[.]141[.]84[.]120 (Command and Control)
  - hxxps[://]checkip[.]amazonaws[.]com (IP discovery)
- **File indicators:**
  - `RyukReadMe.txt` (Ransom note)
  - `.ryuk` (File extension)
- **Behavioral indicators:**
  - `vssadmin.exe Delete Shadows /all /quiet`
  - High volume of RDP traffic between internal workstations and Domain Controllers.
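As an added example (not part of the original report), the following Python routine turns the behavioral indicators above, plus the PowerShell-based Defender disabling noted under Attack Methodology, into checks over constructed process-creation events and network flow records. Host names, user names, the event field names and the RDP fan-in threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample process-creation events (assumed fields: host, user, cmdline,
# as a SIEM might normalise from Sysmon Event ID 1 / Security 4688).
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\nurse01",
     "cmdline": "C:\\Windows\\System32\\notepad.exe chart.txt"},
    {"host": "WS-0142", "user": "CORP\\svc-backup",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "DC01", "user": "CORP\\admin",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-0200", "user": "CORP\\clerk",
     "cmdline": "vssadmin.exe list shadows"},  # benign listing, must not fire
]

# Constructed sample flow records: (source host, destination host, destination port).
SAMPLE_FLOWS = [
    ("WS-0142", "DC01", 3389), ("WS-0142", "DC01", 3389), ("WS-0142", "DC02", 3389),
    ("WS-0200", "DC01", 3389), ("WS-0200", "FS01", 3389),
    ("WS-0142", "DC01", 445),   # SMB, not RDP
    ("DC01", "DC02", 3389),     # DC-to-DC, excluded from workstation fan-in
]

# Shadow copy deletion as listed in the report's behavioral indicators.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# One concrete form of "disabling Windows Defender using PowerShell" (assumed pattern).
DEFENDER_DISABLE = re.compile(r"Set-MpPreference\s+-Disable\w+", re.I)


def flag_process_events(events):
    """Return (host, user, rule) for each event whose command line matches an indicator."""
    hits = []
    for e in events:
        cmd = e["cmdline"]
        if SHADOW_DELETE.search(cmd):
            hits.append((e["host"], e["user"], "shadow_copy_deletion"))
        elif DEFENDER_DISABLE.search(cmd):
            hits.append((e["host"], e["user"], "defender_disabled_via_powershell"))
    return hits


def rdp_fanin_to_dcs(flows, dcs, threshold):
    """Count RDP (TCP/3389) flows from non-DC hosts into domain controllers.

    Returns {source_host: count} for sources at or above the threshold."""
    counts = Counter()
    for src, dst, port in flows:
        if port == 3389 and dst in dcs and src not in dcs:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```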
## Response Actions
- **Containment:** Disconnecting compromised sites from the corporate WAN.
- **Eradication:** Wiping affected servers and rebuilding Domain Controllers from clean offline images.
- **Recovery:** Restoration of data from cold backups (where available and unencrypted).
## Lessons Learned
- **Key takeaways:** Attackers will not observe "ceasefires" during humanitarian crises; healthcare remains a high-value target due to low downtime tolerance.
- **Gaps:** Lack of multi-factor authentication (MFA) on remote access points allowed easy lateral movement once credentials were stolen.
## Recommendations
- Implement strictly enforced Multi-Factor Authentication (MFA) across all external and internal gateways.
- Employ an "Offline Backup" strategy to ensure ransomware cannot reach and encrypt backup repositories.
- Perform aggressive email filtering to block macro-enabled attachments and known malicious domains associated with Emotet/TrickBot.