Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

SECURITY ALERT: October 2020 - Imminent and Increased Cybercrime Threat to US Hospitals and Healthcare Providers

    • Updated:
    • 21 Apr 2021
    • Product/Version:
    • Apex One All
    • Apex One as a Service
    • Cloud One - Workload Security All
    • Deep Security All
    • Deep Security All
    • OfficeScan All
    • Worry-Free Business Security Advanced All
    • Worry-Free Business Security Services All
    • Worry-Free Business Security Standard All
    • Platform:
On October 28, 2020, a U.S. Joint Cybersecurity Advisory was issued concerning a credible and imminent ransomware threat against U.S. hospitals and healthcare institutions. The focus is around the utilization of RYUK ransomware.

From the alert
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

Key Findings

  • CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
  • These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.

Protection Recommendations

Trend Micro is continually monitoring and adding new detections and protection to threats related to these threats.  In addition to ensuring that your security products are currently updated with the latest patterns and signatures, below are several other recommendations for all customers:
  • Ensure that all Trend Micro endpoint and server protection products' (e.g. Apex One, Cloud One - Workload Security, OfficeScan, Deep Security, Worry-Free Business Security) critical features such as Ransomware Protection, Predictive Machine Learning and Behavior Monitoring features are enabled and optimally configured.
  • In addition, specifically for Cloud One - Workload Security & Deep Security customers, it is recommended that Agent Self-Protection is enabled.
  • Ensure all domain controllers are patched for Zerologon. Threat actors are taking advantage of this vulnerability to gain domain level access.
    • Ryuk takes advantage of those domain admin credentials to remotely access and encrypt disks through the admin shares on Windows PC. This means that no malware code ever runs on the system that gets encrypted. Customers should consider blocking access to the ports that enable this file sharing if they are worried about this threat.
  • It has been observed that recent updates made to Ryuk in the wild show that it attempts to encrypt files using Windows administrative shares.  Due to this, users should considered either completely disabling administrative shares completely or block access via their firewall solutions - depending on the various needs of the organization.
  • Disable Powershell with Group Policy.  Powershell is often used in malware attacks on your network. Unless absolutely necessary, another layer of protection would be to disable this service.
  • Regularly backup all data, air gap and password protect backup copies *offline*.
    • Maintain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

Additional Information

From the Trend Micro Solution Article 1123892 - Ryuk Ransomware is operated by a Russia-based criminal group, since August 2018. Targeting large organizations for a high-ransom return (big game hunting). This group is known for the operation of Trickbot banking malware.

Identifying Ryuk’s infection vectors is difficult given the ransomware will typically delete all evidence of its dropper as part of its routine.

Please review the entire Joint Cybersecurity Advisory for additional recommendations and best practices. More specific Trend Micro information can be found in Solution ID 1112223.

We will be providing additional information on this current and ongoing threat as details emerge. In the meantime, please contact Trend Micro support for any assistance needed in configurating your protections from this threat.
Configure; Remove a Malware / Virus
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.