Summary
The U.S. Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Health & Human Services (HHS) issued a joint alert October 28 that they had “credible information” of an “increased and imminent” cybercrime threat to U.S. hospitals and healthcare providers.[1] In the last week, at least six U.S. hospitals have been hit by Ryuk ransomware within 24 hours by the cyber criminals behind Trickbot and Ryuk.[2] Separate reporting indicates that healthcare organizations in Oregon, upstate New York, Minnesota, and Vermont have been infected.[3]
These trends require priority attention across all functions with security-related responsibilities. By better understanding these events and their risk implications, our clients and partners can more effectively manage ransomware risk and apply appropriate safeguards.
Why this is important
The DHS warning comes on the heels of a number of recent attacks, inside the United States and internationally, against healthcare providers.
- Potential spread. Reports indicate plans by attackers to deploy ransomware to more than 400 healthcare facilities across the United States.[4]
- Speed of Deployment. While ransomware campaigns sometimes involve “low and slow” tradecraft to discover, target (and in some cases exfiltrate data from) key systems, these attacks can also move quickly. On October 29, Managed Security Service Provider Red Canary reported a threat campaign with tradecraft similar to that described in the CISA/FBI/HHS alert, indicating that the elapsed time between when a user first opened a malicious PDF file and when attackers had effectively completed discovery activities across the organization’s network was approximately 53 minutes.[5] Mandiant reported seeing deployment of ransomware within 24 hours of initial compromise.[6]
- Impact. Ransomware deployments in healthcare organizations can have deadly consequences. In September 2020, German authorities reported the first known death of a patient as a result of a ransomware attack.[7] When Duesseldorf University Hospital was mistakenly hit as part of a ransomware attack on the University itself, the hospital had to turn away a patient to a hospital 20 miles away. She reportedly died because she was unable to receive timely treatment.
- Additional forms of extortion: release of exfiltrated patient records. Finnish authorities are currently investigating the exfiltration of large quantities of patient mental health records from Finnish psychotherapy provider Vastaamo. According to Finnish authorities, while the original breach occurred in 2018, Vastaamo received an initial extortion demand in September 2020, and certain customer information was released via the dark web in October, with individual patients also receiving extortion demands. During negotiations, when confronted with the possibility of patient suicide, the attacker stated that he “doesn’t care”, and went as far as contacting individual victims with smaller ransom demands.[8]
Why this is important now
- Targeting of healthcare entities during COVID-19 pandemic. The United States is experiencing major increases in the number of reported COVID-19 cases and hospitalizations. The Johns Hopkins Coronavirus Resource Center reported 88,521 new cases as of October 30, 2020,[9] and 46,905 patients are hospitalized, up from approximately thirty thousand at the beginning of October.[10] Attackers appear to be capitalizing on the urgency facing the healthcare community during the coronavirus pandemic by activating ransomware deployments.
Technical response: immediate actions to detect/prevent/recover from these attacks
- Technical guidance resources. Reports from multiple public and commercial sector sources, including CISA,[11] Red Canary,[12] FireEye,[13] The DFIR Report,[14] Kroll,[15] Cybereason,[16] CrowdStrike[17] and countless independent researchers,[18][19] are tracking these attacks. These resources provide valuable tactical mitigations and detection analytics for organizations to employ in attempting to thwart the current campaign.
- Validating control effectiveness. As part of healthcare organizations’ ongoing improvements to security operations, controls effectiveness should continue to be a top priority. The detection analytics and IOCs referenced above work only as well as they have been tailored to individual organizations and tested for effectiveness.
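The point above, that an IOC list or detection analytic only counts as a control once it has been tested, is easy to operationalize. The following is an added illustration written for this page, not code from The Chertoff Group or from any of the vendors cited; the suspected domains, the DNS log lines and the log format are constructed placeholders (`.invalid` names), standing in for an organization's own vetted indicator list. It matches resolver queries against a domain-indicator list on label boundaries and ships a self-check that fails loudly if the rule misses a known-bad sample or fires on a benign one.

```python
"""Added example: a minimal control-effectiveness harness for a domain-IOC
detection rule. Every domain and log line below is a constructed placeholder;
a real deployment would load the organization's vetted indicator list instead."""
import re
from dataclasses import dataclass

# Constructed placeholder indicators (not real IOCs).
SUSPECTED_DOMAINS = {
    "suspected-c2-example-1.invalid",
    "suspected-c2-example-2.invalid",
}

# Constructed resolver log lines in an assumed "timestamp client query qname" format.
SAMPLE_DNS_LOG = """\
2020-10-29T09:12:01Z 10.10.4.17 query www.example-hospital.invalid
2020-10-29T09:12:45Z 10.10.4.17 query cdn.suspected-c2-example-1.invalid
2020-10-29T09:13:02Z 10.10.7.3 query updates.example-vendor.invalid
2020-10-29T09:13:40Z 10.10.9.8 query suspected-c2-example-2.invalid
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


@dataclass(frozen=True)
class Match:
    ts: str
    client: str
    qname: str
    indicator: str


def domain_matches(qname, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Comparison is on label boundaries: a naive substring test would also flag
    'notsuspected-c2-example-1.invalid', which is a false positive."""
    q = qname.lower().rstrip(".")
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(text, indicators=SUSPECTED_DOMAINS):
    """Parse each log line and collect queries that hit an indicator."""
    matches = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hit = domain_matches(m["qname"], indicators)
        if hit:
            matches.append(Match(m["ts"], m["client"], m["qname"], hit))
    return matches


def validate_rule(indicators=SUSPECTED_DOMAINS):
    """Effectiveness check: the rule must fire on every constructed known-bad
    sample (including case and trailing-dot variants) and on no benign sample.
    Returns (ok, details) so the check can gate deployment of the rule."""
    known_bad = ["cdn.suspected-c2-example-1.invalid", "SUSPECTED-C2-EXAMPLE-2.invalid."]
    known_good = ["www.example-hospital.invalid", "notsuspected-c2-example-1.invalid"]
    missed = [q for q in known_bad if domain_matches(q, indicators) is None]
    false_alarms = [q for q in known_good if domain_matches(q, indicators) is not None]
    ok = not missed and not false_alarms
    return ok, {"missed": missed, "false_alarms": false_alarms}


if __name__ == "__main__":
    ok, details = validate_rule()
    print("rule validation:", "PASS" if ok else "FAIL", details)
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.ts} {hit.client} -> {hit.qname} (indicator: {hit.indicator})")
```

Running the module prints the validation verdict and the two constructed hits. The same shape scales to a real environment: swap in the organization's indicator list and its actual resolver log format, keep a small fixed set of known-bad and known-good samples, and run `validate_rule` every time the indicator list or the parsing logic changes, so that a silently broken rule is caught before an incident rather than during one.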
National response considerations
When taken in the context of the COVID-19 pandemic, current ransomware campaigns can reasonably be expected to result in incapacitation of systems that would have a debilitating impact on national public health and safety.[20] In these circumstances, we need to look beyond traditional response options like countermeasure guidance to potential victims and post-hoc law enforcement investigations, and consider invoking authorities and capabilities that can deter and disrupt current healthcare-oriented ransomware campaigns now.
U.S. Department of Defense (DoD) Joint Doctrine is already in place to address such contingencies: JP 3-12 dictates the use of what are known as Defensive Cyberspace Operations-Response Actions (DCO-RA), wherein, “When required under a specific authorizing order, and in full coordination with DHS and other USG departments and agencies, DOD cyberspace forces undertake DCO-RA and DCO-IDM missions to defend these and other non-DOD cyberspace segments, like national CI/KR or partner networks.”[21]
While this authority provides a doctrinal avenue of action for U.S. Cyber Mission Forces (CMF), in practical terms, to our knowledge, this avenue has rarely if ever been exercised. The communications channels and partnerships required between organizations deemed as critical infrastructure and the National Mission Teams (NMT) (the arm of the CMF responsible for DCO-RA), if they have been established, have only been done with very few organizations.
With the appropriate relationships in place with healthcare organizations, NMTs would be in a position to execute their DCO-RA missions and act as an effective deterrent against these criminal organizations growing bolder than they already have.[22]
The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.
—
[1] https://us-cert.cisa.gov/ncas/alerts/aa20-302a
[2] https://www.washingtonpost.com/national-security/hospitals-being-hit-in-coordinated-targeted-ransomware-attack-from-russian-speaking-criminals/2020/10/28/e6e48c38-196e-11eb-befb-8864259bd2d8_story.html
[3] Id.
[4] https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/
[5] https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
[6] https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
[7] https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html
[8] See https://www.poliisi.fi/about_the_police/press_releases/1/0/nbi_to_continue_criminal_investigation_into_exceptionally_large-scale_hacking_of_psychotherapy_customer_files_94237 and https://hotforsecurity.bitdefender.com/blog/vastamo-hacker-says-he-doesnt-care-if-therapy-leaks-drive-patients-to-suicide-24408.html
[9] https://coronavirus.jhu.edu/
[10] https://covidtracking.com/data/national/hospitalization
[11] https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
[12] https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
[13] https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
[14] https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
[15] https://www.kroll.com/en/services/cyber-risk/assessments-testing/ransomware-preparedness-assessment
[16] https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles
[17] https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
[18] https://twitter.com/sixdub/status/1321979928389275654
[19] https://pastebin.com/UQs0JtKY (Joe Slowik’s Suspected Ryuk Domains)
[20] Critical infrastructure is defined as those “systems and assets … so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” See https://www.cisa.gov/sites/default/files/publications/Guide-Critical-Infrastructure-Security-Resilience-110819-508v2.pdf.
[21] https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf, Chapter II-4
[22] This same model should, if not already in place, be extended to other critical infrastructure sectors, e.g., election systems, finance, power, water, transportation, telecommunications, etc.