FBI warns of Ryuk ransomware attack on hospitals, healthcare providers
Updated: Feb 7
Hospitals and healthcare providers should review the cybersecurity advisory and recommendations for mitigation
Multiple federal agencies issued a public cybersecurity advisory yesterday about an imminent ransomware attack against the healthcare and public health sector this weekend. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have credible information suggesting an Eastern European threat group plans to launch a widespread Ryuk ransomware attack.
CISA, the FBI, and HHS have issued a joint cybersecurity advisory describing the tactics, techniques, and procedures (TTPs) cybercriminals use to infect systems with Ryuk ransomware. Ryuk is typically deployed only after a precursor malware such as Trickbot is already on the system; that precursor then drops the encryption payload. Mandiant Threat Intelligence has posted an excellent article describing the precursor email campaigns that lead to post-compromise deployment of ransomware, along with IOCs associated with the threat actors believed to be responsible for this current threat.
CISA, the FBI, and HHS have recommended that hospitals and healthcare systems implement the following measures as soon as possible:
Establish and practice out-of-band, non-VoIP communications
Rehearse the IT lockdown protocol and process, including practicing restores from backup
Ensure backup of medical records, including electronic records, and follow a 3-2-1 backup strategy (hard-copy or remote backups, or both)
Expedite the patching response plan within 24 hours
Prepare to maintain continuity of operations if attacked
Review response plans within the next 24 hours in case you are hit
Check that your anti-virus and endpoint detection and response (EDR) are running; a stopped state may indicate compromise
Power down IT where not used
Consider limiting or powering down non-essential internet-facing IT services
Consider limiting use of personal email services
Be prepared to re-route patients if patient care is disrupted by an IT outage
Ensure sufficient staffing to maintain continuity of operations with disrupted IT networks
Know how to contact federal authorities when phones are down or email has been wiped
Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center at 855-292-3937
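The "check that your anti-virus and EDR are running" item is the one on this list that can be verified with a script rather than a meeting. The PowerShell below is an added example, not part of the CISA/FBI/HHS advisory or of any vendor's tooling: it reports the state of common protection services on a Windows host and flags any that are stopped or disabled. The service names are assumptions (WinDefend and Sense are Microsoft's; the CrowdStrike and SentinelOne names should be confirmed against the vendor's documentation), and the Get-MpComputerStatus check only runs where the Defender module is present.

```powershell
# Added example, not from the advisory: surface stopped or disabled AV/EDR
# services on a Windows host so they can be investigated.
# Service names are assumptions; use the names your EDR vendor documents.

function Get-ProtectionServiceState {
    param(
        [string[]]$ServiceName = @(
            'WinDefend',        # Microsoft Defender Antivirus engine
            'Sense',            # Microsoft Defender for Endpoint sensor
            'CSFalconService',  # CrowdStrike Falcon sensor (assumed name)
            'SentinelAgent'     # SentinelOne agent (assumed name)
        )
    )

    $results = @(foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # product not installed on this host

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Service      = $name
            DisplayName  = $svc.DisplayName
            Status       = $svc.Status
            StartType    = $svc.StartType
            # Not running, or disabled so it cannot start, is the "stopped
            # state" the advisory says may indicate compromise.
            Suspicious   = ($svc.Status -ne 'Running') -or ($svc.StartType -eq 'Disabled')
        }
    })

    # Defender's own view of real-time protection, where the Defender module exists
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $results += [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Service      = 'DefenderRealTimeProtection'
            DisplayName  = 'Microsoft Defender real-time protection'
            Status       = if ($mp.RealTimeProtectionEnabled) { 'Running' } else { 'Stopped' }
            StartType    = if ($mp.AntivirusEnabled) { 'Automatic' } else { 'Disabled' }
            Suspicious   = -not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
        }
    }

    $results
}

$state = Get-ProtectionServiceState
$state | Format-Table -AutoSize

$flagged = $state | Where-Object Suspicious
if ($flagged) {
    Write-Warning ("{0} protection service(s) not running on {1}: {2}" -f
        $flagged.Count, $env:COMPUTERNAME, ($flagged.Service -join ', '))
    exit 1   # non-zero exit so a scheduled task or RMM job can raise an alert
}
```

Run it locally as an administrator, or fan it out across a fleet with Invoke-Command so one report shows every host whose protection is off. A stopped service is a trigger to investigate, not proof of compromise: confirm with the host's event logs and your EDR console before declaring an incident, and report anything that looks related through the FBI contact above.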
The full Cybersecurity Advisory provides technical details, indicators of compromise (IOCs) for Trickbot, Ryuk attack techniques under the MITRE ATT&CK framework, and significantly more detail about mitigation.
You should download the full Cybersecurity Advisory and discuss it with your IT team or IT provider as soon as possible.