The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

Digital Guardian Provides Customers Protection Following Spread of Ryuk Ransomware

by Tim Bandos on Wednesday March 17, 2021

Contact Us
Free Demo
Chat

We’ve released a free policy pack to help customers, especially those in the healthcare and public health sector, protect against the latest Ryuk ransomware campaign.

Attacks against healthcare providers involving the Ryuk strain of ransomware have increased dramatically this year. Following disruptions at hospital systems in Vermont, New York, Oregon and another in Germany that's believed to have led to a death, the Federal Bureau of Investigation warned the healthcare industry last week that activity related to the ransomware poses an imminent threat to the U.S. hospitals and healthcare providers.

In an alert published last Wednesday, the FBI, the United States Department of Health and Human Services, and the Department of Homeland Security warned that attackers have been distributing TrickBot and BazarLoad malware via phishing campaigns to spread Ryuk ransomware.

While the Ryuk strain of ransomware isn't new - it was first discovered in August 2018 - attacks involving the malware have spiked over the past two months, impacting healthcare facilities already pushed to the brink with COVID-19 hospitalizations.

Digital Guardian is urging all our customers, particularly hospitals and healthcare institutions, to take this threat very seriously. To help combat these attacks, Digital Guardian is releasing a custom Ryuk Ransomware Detection Policy Pack at no cost to any current DG MSP/SaaS customer not currently subscribed to the DG Managed Detection & Response (MDR) service.

This new Ryuk Policy Pack can detect the ongoing Ryuk ransomware campaign and provide alerts to trigger the commencement of mitigation and remediation processes at your organization.

Included in the Ryuk Policy Pack are the following rules:

  • ATP – Ryuk Ransomware – Detection of mass editing of files to known ransomware extensions associated with Ryuk
  • ATP – Shadow Copy Deletion – Detection of attempts to delete the system’s volume shadow copies which are often used as backups to restore or revert files back to a previous state
  • ATP – Ryuk C2 Domain Indicators – Detection of domain network connections to known command and control infrastructure associated with the ransomware campaign
  • ATP – Ryuk C2 IP Indicators – Detection of IP network connections to known command and control infrastructure associated with the ransomware campaign

MSP and SaaS Customers can access the Ryuk Policy Pack by contacting their DG account executive or MSP team representative via normal ticketing procedures. After doing so the required policies will be deployed using approved change control into your managed services environment.

On-Premise Customers can open a ticket with Digital Guardian’s Support Team using normal ticket creation procedures and refer to the free Ryuk Ransomware Policy Pack after which, the policies will be made available for download.

Digital Guardian Advanced Threat & Analysis Center (ATAC) team has been actively acquiring external threat intelligence indicators for Ryuk and deploying mitigations to our Managed Detection and Response (MDR) customers that prevent the infection. Additionally, the ATAC team has validated the DG Endpoint Agent can prevent the encryption routines from being applied to data with the appropriate rules implemented.

Digital Guardian will continue to actively monitor this situation and provide additional instructions as the threat conditions evolve. As with any threat involving ransomware, it’s important to take appropriate measures, including patching software, ensuring data is backed up to an off-network location, and educating employees about the latest threats. Any customer experiencing and indications of an active ransomware infection should contact Digital Guardian and report the problem immediately.

Tags: Company News

Tim Bandos

Tim Bandos, CISSP, CISA is Vice President of Cybersecurity at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company’s incident response team. Tim has a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data.

Recommended Resources


  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business