From the alert
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
- CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with Trickbot malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
- These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
Trend Micro is continually monitoring these threats and adding new detections and protections for them. In addition to ensuring that your security products are updated with the latest patterns and signatures, below are several other recommendations for all customers:
- Ensure that in all Trend Micro endpoint and server protection products (e.g. Apex One, Cloud One - Workload Security, OfficeScan, Deep Security, Worry-Free Business Security) the critical features, such as Ransomware Protection, Predictive Machine Learning and Behavior Monitoring, are enabled and optimally configured.
- In addition, specifically for Cloud One - Workload Security and Deep Security customers, it is recommended that Agent Self-Protection be enabled.
- Ensure all domain controllers are patched for Zerologon. Threat actors are taking advantage of this vulnerability to gain domain-level access.
- Ryuk takes advantage of those domain admin credentials to remotely access and encrypt disks through the admin shares on Windows PCs. This means that no malware code ever runs on the system that gets encrypted. Customers should consider blocking access to the ports that enable this file sharing if they are worried about this threat.
- It has been observed that recent updates made to Ryuk in the wild show that it attempts to encrypt files using Windows administrative shares. Because of this, users should consider either disabling administrative shares completely or blocking access to them via their firewall solutions, depending on the needs of the organization.
- Disable PowerShell with Group Policy. PowerShell is often used in malware attacks on your network. Unless it is absolutely necessary, disabling it adds another layer of protection.
- Regularly back up all data, and air-gap and password-protect backup copies *offline*.
- Maintain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
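As an added example (not Trend Micro's code and not part of the advisory), the following read-only PowerShell audit checks three of the items above on a Windows host: whether the default administrative shares are present, whether the built-in inbound SMB firewall rule allows connections, and, on a domain controller, whether the Netlogon enforcement value from Microsoft's Zerologon guidance is set. It assumes an elevated session on Windows 8/Server 2012 or later (for the SmbShare and NetSecurity modules); it changes nothing, and the registry check is only a proxy that does not confirm the Zerologon patch itself is installed.

```powershell
# Added read-only audit of three hardening items from the advisory above:
# administrative shares, inbound SMB firewall exposure, and Zerologon
# enforcement mode on domain controllers. Run in an elevated session.
$findings = @()

# 1. Administrative shares (C$, ADMIN$, ...). Ryuk encrypts over these, so
#    the advisory suggests disabling them or blocking the ports they use.
$adminShares = Get-SmbShare | Where-Object { $_.Special -eq $true -and $_.Name -ne 'IPC$' }
if ($adminShares) {
    $findings += "Administrative shares present: " + ($adminShares.Name -join ', ')
}
# AutoShareServer (servers) / AutoShareWks (workstations) = 0 stops Windows
# from recreating the default shares at startup; absent means enabled.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($v in 'AutoShareServer', 'AutoShareWks') {
    $val = (Get-ItemProperty -Path $lanman -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -ne 0) { $findings += "$v is not 0; default shares are recreated on restart" }
}

# 2. Inbound SMB (TCP 445): the built-in Windows firewall rule for file sharing.
$smbIn = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue
$openSmb = $smbIn | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if ($openSmb) {
    $findings += "Inbound SMB allowed by firewall on profile(s): " + ($openSmb.Profile -join ', ')
}

# 3. Zerologon: on domain controllers (DomainRole 4 or 5), check the Netlogon
#    enforcement value. This does not prove the security update is installed.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $enf = (Get-ItemProperty -Path $netlogon -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
    if ($enf -ne 1) { $findings += "Domain controller without FullSecureChannelProtection=1 (Zerologon enforcement mode)" }
}

# Report: one line per finding, or a clean result.
if ($findings.Count -eq 0) { "No findings" } else { $findings | ForEach-Object { "[!] $_" } }
```

Each finding maps back to one bullet above; the PowerShell restriction and backup items are policy choices that cannot be verified from inside a single session and are left to Group Policy reporting.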
From Trend Micro Solution Article 1123892: Ryuk ransomware has been operated by a Russia-based criminal group since August 2018, targeting large organizations for a high ransom return (big game hunting). This group is also known for operating the Trickbot banking malware.
Identifying Ryuk’s infection vectors is difficult given the ransomware will typically delete all evidence of its dropper as part of its routine.
Please review the entire Joint Cybersecurity Advisory for additional recommendations and best practices. More specific Trend Micro information can be found in Solution ID 1112223.
We will be providing additional information on this current and ongoing threat as details emerge. In the meantime, please contact Trend Micro support for any assistance needed in configuring your protections against this threat.