Attacks against healthcare providers involving the Ryuk strain of ransomware have increased dramatically this year. Following disruptions at hospital systems in Vermont, New York and Oregon, and another in Germany that is believed to have contributed to a patient's death, the Federal Bureau of Investigation warned the healthcare industry last week that activity related to the ransomware poses an imminent threat to U.S. hospitals and healthcare providers.
In a joint alert published last Wednesday (CISA Alert AA20-302A), the FBI, the U.S. Department of Health and Human Services, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers have been distributing the TrickBot and BazarLoader malware via phishing campaigns, and then using that initial access to deploy Ryuk ransomware.
While the Ryuk strain of ransomware isn't new - it was first discovered in August 2018 - attacks involving the malware have spiked over the past two months, impacting healthcare facilities already pushed to the brink with COVID-19 hospitalizations.
Digital Guardian is urging all our customers, particularly hospitals and healthcare institutions, to take this threat very seriously. To help combat these attacks, Digital Guardian is releasing a custom Ryuk Ransomware Detection Policy Pack at no cost to any current DG MSP/SaaS customer not currently subscribed to the DG Managed Detection & Response (MDR) service.
This new Ryuk Policy Pack can detect the ongoing Ryuk ransomware campaign and provide alerts to trigger the commencement of mitigation and remediation processes at your organization.
Included in the Ryuk Policy Pack are the following rules:
- ATP – Ryuk Ransomware – Detection of a single process renaming or modifying a large number of files to the file extensions known to be appended by Ryuk
- ATP – Shadow Copy Deletion – Detection of attempts to delete the system's volume shadow copies (for example via vssadmin or WMI), which Windows keeps as point-in-time snapshots that can be used to restore files and which ransomware deletes so that files cannot be reverted to an unencrypted state
- ATP – Ryuk C2 Domain Indicators – Detection of DNS lookups and network connections to domains known to be used as command and control infrastructure for the ransomware campaign
- ATP – Ryuk C2 IP Indicators – Detection of network connections to IP addresses known to be used as command and control infrastructure for the ransomware campaign
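To make the four rule types above concrete, here is an added, stand-alone illustration of the same detection logic run over a handful of constructed endpoint events. It is example code written for this page, not Digital Guardian's policy pack or the DG Agent's rule engine, and the C2 domains and IPs in it are placeholders (reserved documentation names and addresses), not real Ryuk indicators; the `.RYK` extension and the `vssadmin` / `wmic` shadow-copy commands are the publicly documented Ryuk behaviours. The mass-edit rule fires once per process when it crosses a threshold of ransom-extension renames inside a sliding time window, which is the shape such a rule needs to avoid alerting on a single stray file.

```python
"""Toy Ryuk-style detection rules over constructed endpoint telemetry.

Example code for this page; indicator lists are placeholders, not real IOCs.
"""
import os
import re
from collections import defaultdict

# Ryuk appends .RYK to files it encrypts; .ryuk is included as a variant.
RANSOM_EXTENSIONS = {".ryk", ".ryuk"}

# Constructed placeholder indicators (reserved TLDs / TEST-NET ranges).
C2_DOMAINS = {"c2-example.invalid", "update-check.example"}
C2_IPS = {"203.0.113.45", "198.51.100.7"}

# Command lines Ryuk (and most ransomware) uses to destroy restore points.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]

MASS_EDIT_THRESHOLD = 5   # renames to a ransom extension by one process ...
MASS_EDIT_WINDOW = 60     # ... within this many seconds triggers the rule


def matches_domain(name, indicators):
    """True if name equals an indicator domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def detect(events):
    """Run all four rules over a list of event dicts, returning alerts."""
    alerts = []
    recent = defaultdict(list)  # (host, pid) -> timestamps of ransom renames

    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "file_rename":
            ext = os.path.splitext(ev["new_path"])[1].lower()
            if ext not in RANSOM_EXTENSIONS:
                continue
            key = (ev["host"], ev["pid"])
            # Keep only renames still inside the sliding window, then add this one.
            recent[key] = [t for t in recent[key] if ev["ts"] - t <= MASS_EDIT_WINDOW]
            recent[key].append(ev["ts"])
            # Fire exactly once, at the moment the threshold is crossed.
            if len(recent[key]) == MASS_EDIT_THRESHOLD:
                alerts.append({"rule": "ryuk_mass_edit", "host": ev["host"],
                               "pid": ev["pid"], "ts": ev["ts"]})
        elif kind == "process":
            if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
                alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"],
                               "pid": ev["pid"], "ts": ev["ts"]})
        elif kind == "dns":
            if matches_domain(ev["query"], C2_DOMAINS):
                alerts.append({"rule": "ryuk_c2_domain", "host": ev["host"],
                               "query": ev["query"], "ts": ev["ts"]})
        elif kind == "net_connect":
            if ev["dst_ip"] in C2_IPS:
                alerts.append({"rule": "ryuk_c2_ip", "host": ev["host"],
                               "dst_ip": ev["dst_ip"], "ts": ev["ts"]})
    return alerts


# Constructed sample telemetry: one encrypting process, one stray rename,
# two shadow-copy deletion commands, one C2 lookup and one C2 connection,
# plus benign events that must not alert.
SAMPLE_EVENTS = [
    {"ts": 0, "type": "process", "host": "WS01", "pid": 900,
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
] + [
    {"ts": 5 + i, "type": "file_rename", "host": "WS01", "pid": 4242,
     "new_path": rf"C:\Users\alice\Documents\file{i}.docx.RYK"}
    for i in range(6)
] + [
    {"ts": 12, "type": "file_rename", "host": "WS01", "pid": 777,
     "new_path": r"C:\Temp\lonely.xlsx.RYK"},
    {"ts": 12, "type": "file_rename", "host": "WS01", "pid": 4242,
     "new_path": r"C:\Users\alice\notes.txt.bak"},
    {"ts": 15, "type": "process", "host": "WS01", "pid": 4243,
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": 16, "type": "process", "host": "WS01", "pid": 4244,
     "cmdline": 'cmd.exe /c "WMIC.exe shadowcopy delete"'},
    {"ts": 20, "type": "dns", "host": "WS01", "query": "beacon.c2-example.invalid"},
    {"ts": 21, "type": "dns", "host": "WS01", "query": "www.microsoft.com"},
    {"ts": 25, "type": "net_connect", "host": "WS01", "dst_ip": "203.0.113.45"},
    {"ts": 26, "type": "net_connect", "host": "WS01", "dst_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints five alerts: one mass-edit alert for pid 4242 at the fifth rename (the sixth rename and the single rename by pid 777 add nothing), one shadow-copy alert for each deletion command, the C2 domain hit on the subdomain, and the C2 IP hit. In a real deployment the domain and IP sets would be fed from threat intelligence and the threshold tuned per environment.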
MSP and SaaS Customers can access the Ryuk Policy Pack by contacting their DG account executive or MSP team representative via normal ticketing procedures. After doing so the required policies will be deployed using approved change control into your managed services environment.
On-Premise Customers can open a ticket with Digital Guardian’s Support Team using normal ticket creation procedures and refer to the free Ryuk Ransomware Policy Pack after which, the policies will be made available for download.
Digital Guardian's Advanced Threat & Analysis Center (ATAC) team has been actively acquiring external threat intelligence indicators for Ryuk and deploying mitigations to our Managed Detection and Response (MDR) customers that block the infection chain. Additionally, the ATAC team has validated that, with the appropriate rules implemented, the DG Endpoint Agent can prevent the encryption routines from being applied to data.
Digital Guardian will continue to actively monitor this situation and provide additional instructions as the threat conditions evolve. As with any threat involving ransomware, it is important to take appropriate measures, including patching software, ensuring data is backed up to an off-network location that the ransomware cannot reach, and educating employees about the latest threats. Any customer experiencing any indication of an active ransomware infection should contact Digital Guardian and report the problem immediately.