
Ryuk is Raising the Temperature in Healthcare

Nov 2, 2020

Ransomware attacks on hospitals and health care companies are growing deadlier by the day. August 2020 saw the first recorded fatality in Germany, when a ransomware attack on a hospital resulted in a patient’s death because the facility had to shut down and turn away patients.

Hospitals and the health care industry have long been a target for ransomware groups because they cannot afford downtime, especially while dealing with a pandemic. Data, information, and records are sacrosanct at a hospital; without them, it cannot function or provide treatment to its patients.

Secondly, the industry struggles to keep pace with cybersecurity because security staffing and expertise are limited. With the broadest set of diverse systems, devices, and applications to manage, very few hospitals can fully validate business continuity or contingency plans for a ransomware attack. These systems are all critical and need to run continuously, factors that make the chances of a ransom payout high – undoubtedly a fact that motivates threat actors like Ryuk.

Early this month, Universal Health Services was attacked by Ryuk, leading to a shutdown of their entire network (250 hospitals in the US). Emboldened by this attack, it is now known that Ryuk is planning to strike at hundreds of hospitals, clinics, and health care facilities in the US. 

The security agencies CISA (Cybersecurity and Infrastructure Security Agency), the FBI, and the Department of Health and Human Services (HHS) have issued a high-alert joint security advisory urging hospitals to take action to secure themselves from Ryuk ransomware in particular.

The advisory also warns hospitals about the malware (TrickBot and BazarLoader) that Ryuk uses to deliver the ransomware, and provides IoCs to check whether your hospital has been compromised.

Known as one of the largest botnets globally, TrickBot is a banking trojan that has evolved into an all-purpose malware downloader that distributes malware, steals credentials and emails, and spreads the Ryuk ransomware.

BazarLoader malware is typically deployed through phishing emails with links to Google Drive documents controlled by threat actors. These emails are dressed up to resemble legitimate communications from an employer or a contact.

The advisory also lists Indicators of Compromise (IoCs) to check whether your hospital’s systems have been affected by this malware, but we believe that they may be of little or no use if Ryuk has already compromised your network.

TrickBot and BazarLoader are malware instances that are uniquely customized to target their victims. Therefore, the only solution to escape them is to patch the vulnerabilities that Ryuk targets.

Interestingly, all the CVEs found associated with Ryuk are older vulnerabilities ranging from 2017 to mid-2019. Of these, CVE-2018-20685, CVE-2017-0147, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 have low CVSSv2 and CVSSv3 scores – which is why they fly under the radar and would not be prioritized for a fix by security teams. It is important to focus on vulnerabilities that are weaponized rather than just the CVSS scores.
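The following added example (not from the original article or the advisory) illustrates the prioritization point above: triage by a CVSS threshold alone never queues the low-scored CVEs named here, while ranking weaponized CVEs first surfaces them. The hostnames, scores, placeholder CVE-0000-* IDs, function names, and the 7.0 threshold are constructed assumptions.

```python
import csv
import io

# CVEs the article names as associated with Ryuk but scored low by CVSS.
WEAPONIZED = {"CVE-2018-20685", "CVE-2017-0147", "CVE-2019-6109",
              "CVE-2019-6110", "CVE-2019-6111"}

# Constructed scanner export: hosts and scores are sample values, and the
# CVE-0000-* IDs are placeholders for unrelated findings.
SAMPLE_SCAN = """host,cve,cvss
pacs-01,CVE-0000-0001,9.8
pacs-01,CVE-2019-6111,5.9
ehr-db,CVE-2017-0147,5.9
ehr-db,CVE-0000-0002,7.5
lab-gw,CVE-2018-20685,5.3
lab-gw,CVE-0000-0003,
"""

def load_findings(text):
    """Parse the CSV export; unscored rows are kept with a score of 0.0."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        cve = row["cve"].strip().upper()
        try:
            score = float(row["cvss"])
        except (TypeError, ValueError):
            score = 0.0
        findings.append({"host": row["host"].strip(), "cve": cve,
                         "cvss": score, "weaponized": cve in WEAPONIZED})
    return findings

def cvss_only_queue(findings, threshold=7.0):
    """Score-threshold triage (assumed policy): queue High and above only."""
    return [f for f in findings if f["cvss"] >= threshold]

def missed_by_threshold(findings, threshold=7.0):
    """Weaponized findings that the threshold policy never queues."""
    return [f for f in findings if f["weaponized"] and f["cvss"] < threshold]

def weaponized_first(findings):
    """Rank weaponized CVEs first, then by descending CVSS (stable sort)."""
    return sorted(findings, key=lambda f: (not f["weaponized"], -f["cvss"]))

if __name__ == "__main__":
    scan = load_findings(SAMPLE_SCAN)
    for f in missed_by_threshold(scan):
        print(f"missed by CVSS>=7.0 triage: {f['host']} {f['cve']} ({f['cvss']})")
    for rank, f in enumerate(weaponized_first(scan), 1):
        print(rank, f["host"], f["cve"], f["cvss"])
```
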

Ransomware attacks on the healthcare industry, especially during a pandemic, are a dangerous assault on many counts. They not only put a strain on health workers but also disrupt and delay patient treatment programs, which can have deadly repercussions.

CVEs associated with Ryuk

Our analysis shows that Ryuk is associated with the following CVEs, and if your hospital is using these products, then these vulnerabilities and weaknesses need to be patched. Download the full Ryuk CVE listing with APT and patch details.