If you are in the Healthcare of Public Health Sector this is critical for you to be aware of.

Summary
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. 

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
Click here for a PDF version of this report.

Key Findings

  • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
  • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

Technical Details

Threat Details
Since 2016, the cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. What began as a banking trojan and descendant of Dyre malware, now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk. In early 2019, the FBI began to observe new Trickbot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.

Anchor_DNS is a backdoor that allows victim machines to communicate with command and control (C2) servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic.

Trickbot Indicators of Compromise
After successful execution of the malware, Trickbot copies itself as an executable file with a 12-character (includes .exe), randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.

  • C:\Windows\
  • C:\Windows\SysWOW64\
  • C:\Users\[Username]\AppData\Roaming\

The malware may also drop a file named anchorDiag.txt in one of the directories listed above.
Prior to initiating communications with the C2 server, the malware uses an infection marker of Global\fde345tyhoVGYHUJKIOuy, typically found in the running memory of the victim machine.

Part of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded GUID. The GUID is composed of /GroupID/ClientID/ with the following naming convention:
/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/.

The malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. The scheduled task typically uses the following naming convention.
[random_folder_name_in_%APPDATA%_excluding_Microsoft]
autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876).

After successful execution, Anchor_DNS further deploys malicious batch scripts (.bat) using PowerShell commands.

The malware deploys self-deletion techniques by executing the following commands.

  • cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
  • cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

The following domains found in outbound DNS records are associated with Anchor_DNS.

  • kostunivo[.]com
  • chishir[.]com
  • mangoclone[.]com
  • onixcellent[.]com

This malware used the following legitimate domains to test internet connectivity.

  • ipecho[.]net
  • api[.]ipify[.]org
  • checkip[.]amazonaws[.]com
  • ip[.]anysrc[.]net
  • wtfismyip[.]com
  • ipinfo[.]io
  • icanhazip[.]com
  • myexternalip[.]com

The Anchor_DNS malware historically used the following C2 servers.

  • 23[.]95[.]97[.]59
  • 51[.]254[.]25[.]115
  • 193[.]183[.]98[.]66
  • 91[.]217[.]137[.]37
  • 87[.]98[.]175[.]85

Ryuk Ransomware
Typically Ryuk has been deployed as a payload from banking Trojans such as Trickbot. (See the United Kingdom (UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally, on their ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot malware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in late 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the Hermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the files have .ryuk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.
While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz. This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.

Ryuk actors will quickly map the network in order to enumerate the environment to understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and active directory. In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management , and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as Bloodhound.
Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.

In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack. The RyukReadMe file placed on the system after encryption provides either one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s). While earlier versions provide a ransom amount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes contact.

The victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample decryption of two files.

Initial testing indicates that the RyukReadMe file does not need to be present for the decryption script to run successfully but other reporting advises some files will not decrypt properly without it. Even if run correctly, there is no guarantee the decryptor will be effective. This is further complicated because the RyukReadMe file is deleted when the script is finished. This may affect the decryption script unless it is saved and stored in a different location before running.