03 April 2020
Threat actor behind Ryuk malware continues attacks on medical facilities despite epidemic
Unlike the criminal groups behind DoppelPaymer and Maze malware, which have promised not to target medical organizations during the pandemic, Ryuk operators continue to attack hospitals and demand ransom for decrypting files. It has been reported that ten US healthcare organizations have fallen victim to Ryuk in the past month.
These Ryuk attacks are based on an already familiar infection scenario that involves phishing emails and TrickBot malware. TrickBot enables the attackers to connect to infected computers and explore the attacked organization’s network. Its operators try to find vulnerable systems and steal user credentials.
The attackers’ objective is to gain access to systems running the services that are critical for the organization under attack. These are the systems on which the Ryuk malware encrypts data.
Ryuk uses strong encryption. Unfortunately, this means that decrypting files without the private encryption key held by the attackers is impossible. However, risks associated with losing access to data can be mitigated if the organization is prepared for this type of attack or detects it in its initial stage.
We recommend taking the following measures:
- Install antivirus software with centralized security policy management on all systems; keep the antivirus databases and program modules of your security solutions up to date. Allow antimalware protection to be disabled only after entering the administrator password (if this policy is not active, attackers can disable antivirus solutions after they have gained remote control of the system).
- Regularly back up data; store the backup copies securely, verify their integrity and ensure that they are up to date so that the data can easily be recovered in an emergency.
- Install security updates for the operating system and application software in a timely manner.
- Restrict the use of RDP and third-party remote administration utilities to the extent possible. Use only strong passwords for user accounts with the right to manage the organization’s systems remotely via RDP. Avoid storing passwords in plaintext and regularly change them.
- If there are signs of an attack (if the TrickBot malware is detected), isolate the systems under attack from the enterprise network and force a password change for all user accounts that may have been compromised.
- Train enterprise employees to use email securely and, specifically, to recognize phishing emails.