
Thursday, October 29, 2020

FBI, DHS warn of hospital cyberattacks as Ryuk ransomware returns

Ryuk ransomware fell off the radar when the coronavirus began its global spread. Its silence hinted at its expiration or a rebrand in the form of the Conti ransomware.

Really, Ryuk was just in hibernation between April and August.

On a call Wednesday, the FBI, the Department of Homeland Security and HHS warned the healthcare industry of a potential ransomware attack. "CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," the alert said.

The expected onslaught of Ryuk ransomware could reach up to 400 hospitals, Alex Holden, CEO of Hold Security, told cybersecurity journalist Brian Krebs.

"Maybe Ryuk's time had come and gone. Obviously, we were really, really wrong," said Aaron Stephens, senior threat analyst on Mandiant's FLARE Advanced Practices Team, while speaking during a SANS Institute webcast Wednesday.

Mandiant found that threat group UNC1878 is responsible for one-fifth of Ryuk intrusions. "Herein lies our monster," Stephens said. The cybersecurity firm released research on UNC1878's indicators Wednesday following news of attacks on hospitals.

Mandiant researchers coined "UNC," shorthand for uncategorized, as part of their research process: they needed "UNCs" to help organize unique malicious activity.

"At a fundamental level UNCs serve as labels for which you can bucket indicators and techniques into. This labeled bucket would then act as a technical anchor for what we are seeing as related activity," said Van Ta, senior threat analyst on Mandiant's FLARE Advanced Practices Team, speaking on the webcast. "Instead of labeling an evidence bag, 'the Overlook Hotel', we're labeling it UNC1878."

When enough UNCs are identified, researchers can look for overlaps across them or see where UNCs graduate into different classifications, or threat groups. UNC1878 was created in January, and within two months Mandiant picked up UNC1878's "formative years," where it developed its strategies, Ta said.

In September, "we began to see Ryuk make its harrowing return. It wasn't dead. It was undead," Stephens said.

The actors behind Ryuk are credited with collecting more than $61 million between February 2018 and October 2019, according to the FBI, making it one of the most profitable strains. Retirement didn't seem likely.

Ryuk-related incidents increased from 5,123 in Q3 2019 to 67.3 million in Q3 2020, according to research from SonicWall Capture Labs. The company relied on more than 1 million global sensors to collect cyberattack data through September.

Ryuk reportedly targeted major health system Universal Health Services in September and French IT services firm Sopra Steria earlier this month. Last week, furniture manufacturer Steelcase disclosed a cyberattack on its IT systems in an SEC filing. Sources told Bleeping Computer Ryuk was behind the attack.

https://www.healthcaredive.com/news/Ryuk-FBI-DHS-ransomware-healthcare/588019/

