Search This Blog

Showing posts with label Ryuk Ransomware. Show all posts

Ryuk Ransomware: What Can We Learn From DCH Cyberattack?

Hackers have profited a lot from the Covid-19 pandemic by targeting health institutions, let us look back and learn from these attacks. For a very long time, cybercriminals have been attacking healthcare institutions, one fine example is the "DCH ransomware" attack. E Hacking News in this article analysis the events of the DCH ransomware incident, and how Alabama healthcare dealt with the attack.  

About the attack
Alabama's DCH health system was hit by a ransomware attack in October 2019. The attack forced DHS to shut down its 3 state units named- Fayette Medical Center, Northport Medical Center, and Tuscaloosa’s DCH Regional Medical Center. Because of the attack, the computer systems in the 3 hospitals stopped working and the hospital staff couldn't access important files and patient records. DCH took applied emergency measures to deal with the crisis, the hospitals took in critical patients, whereas non-critical cases were transferred off to other health institutions, and only admitted after 10 days.  

About DCH Ransomware 
Hackers attacked DCH systems using a strain of Ryuk ransomware, the malware used by Wizard Spider, a Russian hacking group. Ryuk uses malicious social engineering techniques and uses phishing attacks to trick users into opening false links. Once opened, the malware deploys itself with the target device. When Ryuk is successfully deployed, it gets into the system codes and stops the device from functioning. It is followed by encryption and the last step is demanding ransom.  

Aftermaths of the Ransomware Attack 
DCH couldn't continue it's healthcare services for 10 days due to the partial disruption caused by the ransomware. Four patients filed a lawsuit against DCH for violating "information privacy law" and affecting their medical treatment during the ransomware attack. The lawsuit stated, "because of the ransomware attack, plaintiffs and class members had their medical care and treatment, as well as their daily lives, disrupted." "As a consequence of the ransomware locking down the medical records of plaintiffs and class members, plaintiffs and the class members had to forego medical care and treatment or had to seek alternative care and treatment."

A quick look into malwares that installs ransomware : Remove them form your system immediately

 

We recently looked into ways phishing mails are evolving, attackers getting creative by the day. But a new trend has taken up the dark web, and soon phishing campaigns for ransomware and malware will be a thing of the past. With the sources equable of a small government, malware gangs have started collaborating within themselves and have come up with "initial access brokers," what these groups do is provide ransomware and other groups with already infected systems.
Compromised systems through RDP endpoints, backdoored networking devices, and malware-infected computers install ransomware into the network, this makes the ransomware attacker work as swiftly as cutting into the cake. 

 There are currently three types of bookers that serve ransomware : 

Selling compromised RDP endpoints: These bookers carry a brute remote desktop protocol (RDP) into corporate systems, sold as "RDP Shops". Ransom groups often choose systems that are integrated well within the network.

Selling hacked networking devices: Hackers sell pre hacked devices exploiting publically known vulnerabilities or weak spots like firewalls, VPN servers or others. Access to these devices is auctioned off on dark web forums.

Selling computers pre-infected with malware: This is the most popular way ransomware is spread. Hacking gangs spread their malware bots into well-established systems and sell them to the highest bidder who further injects ransomware into the system. 

The best protection against these attacks is to prevent them from happening. The first two infiltrations can be fended off using strong passwords, security measures, and regular updates. The third means (malware) is a bit complicated as it uses human blunder and tricks to invade the device.

Following is a list of malware that if you find in your system, drop everything and fix them out for they are sure to inject ransomware in your network:

  •  Emotet (Emotet-Trickbot-Ryuk) 
  •  Trickbot (Ryuk - Conti)
  •  BazarLoader (Ryuk) 
  • QakBot (MegaCortex-ProLock-Egregor) 
  •  SDBBot (Clop)
  •  Dridex (BitPaymer-DoppelPaymer) 
  • Zloader (Egregor-Ryuk)
  •  Buer Loader (Ryuk)

University of Vermont Health Network Suffers Cyberattack, Six Hospitals Affected

 

University of Vermont's health network suffered a cyberattack, which has impacted its network infrastructure. The attack has hit six Vermont and New York hospitals. Spokesperson Neil Goswami says that the FBI is currently working with the network and Vermont department of public safety to look into the issue. President of the University of Vermont Medical Center in Burlington, Dr. Stephen Leffler, in a news conference, said that patients in need are getting the possible health services and treatment is not affected. 

He also said that patient appointments are not affected, and the surgeries are postponed for tomorrow due to the network's disruption. "Patients may experience delays at Central Vermont Medical Center in Berlin and Champlain Valley Physicians Hospital in Plattsburgh, New York, he said. And patients of physician practices at Elizabethtown Community Hospital in Elizabethtown, New York, may experience slight delays," says Dr. Goswami. Earlier, the FBI and other federal agencies had notified that they had probable data confirming an increase in cyberattacks on the healthcare industry in the U.S. 

Cybersecurity experts say that the Ryuk ransomware has attacked at least five hospitals this week and is expected to impact a hundred more. The FBI, however, has not confirmed whether the attack on UVM was caused by ransomware. It is still looking into the issue of a potential cyberattack and local and state agencies. Even Dr. Leffler confirms that he has not been contacted for any ransom to date. UVM Medical Centre had an idea that something wasn't right, and in response, it had closed down its network systems to protect patient information. 

As per Dr. Leffler, no patient information has been leaked, and data is also safe, and that the hospital is looking into the incident. However, it will take some time for the health network to restore and for services to be regular. According to the health department, "Vermonters may continue to get coronavirus testing through Health Department-led clinics, but the results reported through the UVM Medical Center will be affected." Health officials say that no patient data has been compromised, and all records are safe.

US Security Department Issue Potential Trickbot and Malware Attack Warning to Health Department

 

The United States Healthcare providers have been alerted to vary of Trickbot and ransomware attacks by their Homeland Security department.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services of US-issued out a warning of "imminent cybercrime threat to US hospitals and healthcare providers" regarding an infection from Trickbot and ransomware. 

Already heavy with the burden of coronavirus, the US health department now faces another cybersecurity threat from Trickbot, one of the largest botnets worldwide, and Ryuk Ransomware, a lethal and savage malware on its own. Even Microsoft recently took legal action against Trickbots earlier this month.

Earlier, Trickbot was a banking trojan attacking users via Webfakes (where it redirects the user to a fake webpage made by the attackers instead of the original banking webpage; accessing the user's login and other credentials) and through WebInjections (wherewith the website that the user is trying to access, some malware injections will be initiated and downloaded). Now with a million infections, Trickbot has evolved into a full-fledged malware.

 "As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling," CISA said in the alert. 

Using anchor DNS, lets the malware to bypass the legit DNS and with it bypassing network defense security and evade recognition.

Other countries like the UK and Australia also predict a potential attack by Ryuke or Trickbot. Australian Cyber Security Centre (ACSC) warned Australian companies about Emotet malware, which is used contemporaneity with Trickbot. "Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote in a warning.

Ryuk Ransomware Making Comeback with New Tools and Techniques

 

Ryuk ransomware has gained immense popularity in the notorious sphere of cybercrime by 2019. It has been on a rise both in terms of its reach and complexity as it goes about demanding ransoms worth multi-million-dollars from large organizations, local governments, and healthcare institutions. 
 
In one of their latest development, the operators of the malware have configured it to deploy a Trojan named ‘BazarLoader’ which is operated by the same threat group that is behind Trickbot. However, BazarLoader Trojan is equipped with advanced techniques to evade detection; the potential for long term infection in BazarLoader hints towards a change that the operators have brought in Ryuk’s plan of action. 
 
Ryuk is well-planned and targeted ransomware that is being operated since 2018 by WIZARD SPIDER, a Russia-based operator of the TrickBot banking malware, and the criminals behind this ransomware largely focus on big companies in order to acquire an exorbitant amount in ransom. 
 
After gaining access, Ryuk is programmed to permeate network servers as files are exchanged between systems. The malware is circulated via malicious email attachments and once it gathers all the important data from a given network, it lets the authors of Ryuk Ransomware acquire administrator credentials and gain access to the harvested data from the network, the malware does so by opening a shell back to the actors operating the threat. 
 
It takes only 29 hours to successfully carry out a complete attack on the network it is targeting; the process entails the entire series of incidents beginning from the spam mail to the successful encryption of data, as per the findings of DFIR. 
 
Threat actors behind ransomware attacks are rapidly evolving their attack vectors as the count of Ransomware attacks surge up to 365 percent over the past year. Owing to its ever-expanding operations, Ryuk made it to the notorious list of ransomware gangs having their own data leak websites wherein they release the data of companies who refuse to pay the demanded amount. 
 
The malware is continually changing itself to become more and more sophisticated, leaving companies with no option but to pay the extortionate amounts. The threat has expanded its reach beyond just private organizations and has also been recorded to target National services’ computers.

White House To Update U.S’s Approach To Its Maritime Cybersecurity Strategy In Coming Months

 

With hopes to upgrade the U.S. government's approach to deal with its maritime cybersecurity strategy in the coming months, the Trump administration is presently attempting to improve and further secure down the United States' ability to 'project power at sea' and guard against adversarial cyberattacks. 
Their plan incorporates re-evaluating the national approach to deal with data sharing and better emphasizing the utilization of operational technologies in ports, as per one senior administration official. 

When two officials were approached to comment they declined on revealing any particular data about the administration's plans, saying more info would be very soon be made public. 

Yet, hackers have already begun their work, they have been for long focusing on shipping firms and the maritime supply chain to steal any data associated with the U.S. government or intrude on cargo operations and activities. 

Utilizing a strain of ransomware known as Ryuk, the hackers have undermined computer networks at a maritime transportation office a year ago simultaneously disrupting tasks for 30 hours, as per the U.S. Coast Guard. 

This declaration comes in the midst of a few endeavors at the Department of Defense to test preparedness and readiness against cyberattacks in the maritime domain. 

The Pentagon's offensive unit, Cyber Command, duplicated a cyberattack a year ago on a seaport. The Army is likewise taking an interest in an activity intended to 'simulate adversaries' focusing on U.S. ports this month. 

As of late, the Trump administration has been worried about a ransomware attack focused explicitly on a transportation organization, “affected COVID-19 supply chains in Australia,” which one senior organization official said.

 “Adversaries frequently interfere with ship or navigation systems by targeting position or navigation systems through spoofing or jamming, causing hazards to shipping,” one senior administration official said.

New Orleans: Mayor Declares State of Emergency after a Cyberattack


The city of New Orleans after being hit by a cyberattack, declared a state of emergency wherein the employees and officials were asked to shut down the computers, power down devices by unplugging and take down all servers as a cautionary measure. As a part of the incident, The Nola.gov website was also down.

Officials suspect the involvement of ransomware as the attacks demanding ransom has become increasingly common in the recent past and ransomware was detected as per Mayor LaToya Cantrell, however, there is no confirmatory lead on the matter as the city has not received any ransom demand from the attackers.

Earlier this year, in November, The State of Louisiana was hit by a ransomware attack which prompted officials to shut down government websites and deactivate other digital services and consequently, a state of emergency was being declared by the governor. As per the sources, it is the gravest cyber attack the state had witnessed till date, it took about two weeks for the authorities to restore all the systems and make them functional again. The attack was followed by aggressive measures being taken by the security officers who classified the attack being a "sophisticated and coordinated" one. As per the latest findings, it remains unclear whether the two attacks are linked to each other or not.

While drawing other correlations, New Orleans Mayor LaToya Cantrell referenced the attack back to one where several school systems in Louisiana were attacked by malware. The compromised school systems were from Sabine, Morehouse, and Ouachita, according to the reports by CNN.

“Out of an abundance of caution, all employees were immediately alerted to power down computers, unplug devices & disconnect from WiFi. All servers have been powered down as well,” stated a tweet from New Orleans’ Office of Homeland Security & Emergency Preparedness.

During a press conference in regard of the matter, Mayor LaToya Cantrell said, “We have a unified command, we’re here with not only our local partners but our state and federal partners as well, which includes our national guard, Louisiana state police, FBI, the state fusion center and secret service."

Anti-Virus Maker Discovers A Bug within Ryuk Ransomware


An antivirus maker discovered a bug in the decrypter application of the Ryuk Ransomware, the application "the Ryuk gang" basically provides to victims to recoup their files after they paid the ransom.

While the bug causes a deficient recuperation of certain types of documents, prompting data loss, regardless of whether the victim paid the ransom demand, the primary issue, as elaborated by the antivirus maker Emsisoft in a blog post, is that the decrypter shortens one byte from the end of each file it decodes.

The secondary issue is that the Ryuk gang's decryptor additionally erases the original encoded files, which means that the victims can't re-run the 'decryption operation' again with a "fixed" decryptor. 

While the last byte in many records is there for cushioning and is generally unused, for some file extensions those bytes contain essential data that when expelled will permanently degenerate that information and thusly prevent the document from being opened.

"A lot of virtual disk type files like VHD/VHDX as well as a lot of database files like Oracle database files will store important information in that last byte and files damaged this way will fail to load properly after they are decrypted," Emsisoft says.

"We're hoping to get the word out about this as quickly and widely as possible so that affected organizations can avoid data loss,"
 - Emsisoft representative Brett Immature told ZDNet. 

Emsisoft advised the victims to connect by means of ryukhelp@emsisoft.com to have its analysts fix the decrypter they got from the Ryuk gang.

 In any case, while Emsisoft is the organization who discharged the most "free ransomware decrypters" in the past, this is a 'paid service', as it infers its experts attempting to address each decrypter partially, a very tedious undertaking.

Infections attributed to Ryuk include - manage service provider T-Systems, financial service provider ASD Audit, insulating technology manufacturer TECNOL, automation tool manufacturer Pliz, city of New Bedford (US), Tribune Publishing, managed service provider PerCSoft, healthcare provider CorVel, IT service provider CloudJumper, the city of Lake City (US), and many other more.

Alert! TrickBot Trojan and Ryuk Ransomware spreads through Japan, as the holiday season approaches


The most dangerous and active banking trojan family according to IBM X-Force data, TrickBot has been modifying it's malware’s modules lately, as the threat group launches in the wild. As the infection campaign spreads around the globe - Japan has become its new growing target ahead of the holiday season. Just ahead of the holiday's TrickBot campaigns usually target European and western countries and other parts of the world but this is the first time they have focused on Japan.


And also, just in time for the holidays when they'll be shopping extensively. Thus, the Japanese consumers should be wary of these infections as they target banks, online shopping payment cards, telecommerce, a bitcoin exchange, e-wallets, and others. TrickBot has been loaded with hundreds of targeted URLs belonging to banks and other retailers. Emotet botnet is also dropping TrickBot to other devices.

The most common attack includes web injections on bank websites leading to banking frauds. On-the-fly injections, used by TrickBot lures the victim into revealing personally identifiable information (PII), payment card details and PIN codes. This is not the first time Eastern European gangs attacked the country, other trojans like URLZone and Gozi (Ursnif) have been prevalent in Japan for years now. For Japanese Businessmen - Beware! Not only TrickBot but Ryuk Ransomware is also spreading through the region TrickBot, being already a worrisome banking plague is not only limited to that.

The Japanese companies should also be wary of the growing ransomware attacks because the TrickBot can usher in Ryuk Ransomware Attacks along with it. It's a kill chain that starts with Emotet and TrickBot and leads to Ryuk attack, ransomware that locks the system demanding millions of dollars. If such Ryuk or TrickBot attack is suspected, then you should immediately launch response plans and contain the infection or contact security companies without wasting precious time as these infections spread fast and wide.