Threat Signal Report

Trickbot/Ryuk Campaign Targeting Healthcare and Public Health Sectors

Description

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) of the United States released a joint security advisory titled Alert (AA20-302A): Ransomware Activity Targeting the Healthcare and Public Health Sector.


This alert provides insight into campaigns utilizing the malware families known as Trickbot and Ryuk. It highlights the tactics, techniques, and procedures (TTPs) used by the threat actors behind Ryuk against targets in the Healthcare and Public Health (HPH) sector. The threat actors are reported to be targeting the HPH sector, using Trickbot to exfiltrate data and install ransomware, and continuing to disrupt healthcare services and infrastructure. The alert also provides technical details and descriptions, along with suggested mitigation steps for this latest threat.


What are the Technical Details?

Trickbot

Originally a banking Trojan, the Trickbot malware has morphed into one of the biggest threats in recent memory. Because it is modular, Trickbot can perform multiple functions, such as:


  • Gathering information about victim environments
  • Interception of browser data
  • Injection into banking website forms to exfiltrate data
  • Performing lateral movement
  • Stealing Outlook credentials
  • Brute forcing SMB using known vulnerabilities (EternalBlue/EternalRomance)
  • Launching of brute force attacks on RDP

And much more.


The alert highlights a module observed by the FBI called anchor_dns, which allows communication with the command and control (C2) server using DNS tunneling. This method allows the attackers to bypass and evade traditional endpoint detections by using DNS to communicate directly with the C2 servers. According to the alert, anchor_dns uses a single-byte XOR cipher to encrypt its communications, which have been observed using the key 0xB9. Once decrypted, the string anchor_dns can be found in the DNS request traffic headers. The alert also contains IOCs for Trickbot, which can be found in its APPENDIX section.
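As an added illustration for defenders (not code from the advisory or from FortiGuard), the Python below decodes a DNS payload with the single-byte XOR key 0xB9 the alert describes and checks for the anchor_dns marker; it also generalizes the check by trying all 256 single-byte keys, so a sample whose key has been rotated can still be recognized. The payload bytes are constructed here for demonstration and are not captured traffic.

```python
# Added example: single-byte XOR decoding of AnchorDNS-style DNS payloads.
# Not from the advisory or FortiGuard; the sample payload below is constructed.

ANCHOR_KEY = 0xB9          # key reported in the alert
MARKER = b"anchor_dns"     # string visible once the payload is decoded


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def contains_anchor_marker(payload: bytes, key: int = ANCHOR_KEY) -> bool:
    """Decode with the known key and look for the anchor_dns marker."""
    return MARKER in xor_single_byte(payload, key)


def recover_single_byte_key(payload: bytes, marker: bytes = MARKER):
    """Try all 256 single-byte keys; return the first that reveals the marker.

    Generalizes the fixed-key check so a sample whose key differs from 0xB9
    can still be recognized. Returns None when no key exposes the marker.
    """
    for key in range(256):
        if marker in xor_single_byte(payload, key):
            return key
    return None


# Constructed sample data (NOT real captured traffic): a made-up beacon body
# encoded as the alert describes, plus a benign lookup name for contrast.
SAMPLE_PLAINTEXT = b"/anchor_dns/host-id-0001/1"
SAMPLE_PAYLOAD = xor_single_byte(SAMPLE_PLAINTEXT, ANCHOR_KEY)
BENIGN_PAYLOAD = b"www.example.com"

if __name__ == "__main__":
    print("marker in encoded sample :", contains_anchor_marker(SAMPLE_PAYLOAD))
    print("marker in benign payload :", contains_anchor_marker(BENIGN_PAYLOAD))
    key = recover_single_byte_key(SAMPLE_PAYLOAD)
    print("recovered key            :", None if key is None else hex(key))
```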


For further details about Trickbot, and recently observed campaigns by FortiGuard Labs, please view our blog:

New Variant of Trickbot Being Spread by Word Document


Ryuk

First discovered in mid-2018, Ryuk came to the attention of victims and threat analysts alike because its attacks came out of the blue. Usually, ransomware is installed on a single machine after a victim opens a malicious attachment or downloads files of unknown origin. What made Ryuk a big surprise for forensic analysts and victim organizations was that its attacks seemingly appeared from nowhere.


The typical modus operandi of the attackers behind Ryuk was to exploit known SMB vulnerabilities or brute force RDP connections and then to "live off the land." That term refers to using commonly available system tools that are already preinstalled on a machine to move laterally within a victim network, so as not to cause a SIEM or endpoint product to flag the threat actor's activity as suspicious.


After various requirements were satisfied, the attackers would strike out of the blue and leave an organization's IT staff puzzled as to how they were compromised. The fact that there was no specific time frame or apparent evidence leading up to the attack only added to the confusion; it came down to when the attackers felt it was the right time to launch. Ryuk has also in the past been seen distributed by notorious malware families such as Trickbot and Emotet.


The most recently observed attack methods discovered by CISA show that the actors are currently using spearphishing attacks to get onto a network and then utilizing the latest Windows Zerologon vulnerability (CVE-2020-1472), which shortens the attack time frame from weeks or months down to hours. For more detail on this, please refer to our latest threat signal:

Ryuk Threat Actors Exploiting Windows Zerologon Vulnerability (CVE-2020-1472)


For further details about Ryuk, and recently observed campaigns by FortiGuard Labs, please view our blog:

Ryuk Revisited - Analysis of Recent Ryuk Attack


Who is Behind Ryuk?

There are conflicting reports in the security community of whether Ryuk is of North Korean or Russian origin. FortiGuard Labs does not have any attribution for the threat actors behind the Ryuk campaign at this time.


What Operating Systems are Affected?

Windows-based operating systems.


What is the Severity of Impact?

HIGH. This is because multiple institutions and verticals, especially the healthcare and critical care sectors, are vulnerable and can easily be disrupted by this ransomware attack. Not only can organizations in this vertical experience downtime, there is the likelihood of disruption of routine services, patient monitoring (vitals), and the operation of surgical and life-saving machines, and, under the most unfortunate circumstances, death.


Any Suggested Mitigation?

FortiGuard Labs recommends that all AV and IPS definitions are kept up to date on a continual basis, and that organizations maintain a proactive patching routine when vendor updates are available. FortiGuard Labs also recommends deploying Endpoint Detection and Response (EDR) technology such as FortiEDR to detect and block this evasive ransomware attack. Because FortiEDR technology identifies malicious activities that occur on an endpoint, it can spot these attacks and automatically take corrective actions. In addition, the technology collects detailed information on the malware, enabling you to conduct your forensic investigation in a timely and accurate manner.


Regarding known vulnerabilities, it is imperative to maintain an up-to-date patching routine. To ensure that highly exposed or vulnerable devices and machines are not susceptible to attacks, vendor mitigation suggestions must be followed if a patch is not available. If this is not feasible, it is suggested that an audit of externally exposed network devices is performed to determine risk and to identify additional mitigation safeguards within the environment.


In the meantime, organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing and spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized or untrusted senders with caution. Since various phishing and spearphishing attacks have reportedly been delivered via social engineering, it is crucial that end users within an organization are made aware of the types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates prepared by an organization's internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.


What is the status of AV and IPS coverage?

Samples for this alert were not provided by CISA. For the Ryuk and Trickbot IOCs mentioned in this alert, FortiGuard Labs has AV coverage in place under the following signatures:

MSIL/Small.CCP!tr.dldr

W32/Agent.AARN!tr

W32/Agent.EQH!tr.dldr

W32/Agent.UEO!tr

W32/Agent.UGT!tr

W32/GenCBL.CF!tr

W32/Generic.AC.43ADC8!tr

W32/Generic.AP.1470F6C!tr

W32/Generic.AP.2C9B42!tr

W32/GenKryptik.APXF!tr

W32/GenKryptik.CRPN!tr

W32/GenKryptik.CTZK!tr

W32/GenKryptik.CYZG!tr.ransom

W32/GenKryptik.CZFD!tr

W32/GenKryptik.DMIY!tr

W32/Gozi.GET!tr

W32/Injector.EETM!tr

W32/Jeefo.A

W32/Kryptik.CEI!tr

W32/Kryptik.FHSF!tr

W32/Kryptik.FVZV!tr

W32/Kryptik.FYKK!tr

W32/Kryptik.GKJF!tr

W32/Kryptik.GLHM!tr

W32/Kryptik.GNMF!tr

W32/Kryptik.GOBG!tr

W32/Kryptik.GQEV!tr

W32/Kryptik.GQYV!tr

W32/Kryptik.GUAZ!tr

W32/Kryptik.GVAG!tr

W32/Kryptik.GZXE!tr

W32/Kryptik.HBIP!tr

W32/Kryptik.HCSD!tr

W32/Kryptik.HCYH!tr

W32/Kryptik.HFEQ!tr

W32/Kryptik.OCB!tr

W32/Kryptik.YHT!tr

W32/Matrix.2FFD!tr.ransom

W32/Neshta.A

W32/TrickBot.DF!tr

W32/TrickBot.QOSD!tr

W32/Wauchos.CY!tr

W32/Zurgop.DA!tr

W64/Agent.35F2!tr

W64/Agent.84B2!tr

W64/Agent.DB7B!tr

W64/Agent.IY!tr

W64/Agent.XZ!tr

W64/GenCBL.BH!tr

W64/GenCBL.CF!tr

W64/GenKryptik.ERED!tr

W64/GenKryptik.ETPT!tr

W64/Kryptik.BZW!tr

W64/Kryptik.CBB!tr

W64/Kryptik.CCG!tr


A list of all FortiGuard Labs related signatures for Ryuk can be found here.

A list of all FortiGuard Labs related signatures for Trickbot can be found here.


All network IOCs mentioned in this report are blocked by the WebFiltering client.


Definitions

Traffic Light Protocol

Color When Should it Be used? How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.