During the COVID-19 pandemic, news about cybersecurity attacks has been followed more closely than almost anything other than COVID news itself. Cyber criminals have responded to the crisis in different ways. Across the globe, there has been a sudden rise in ransomware attacks. Some attackers took advantage of the global health crisis to coax people into opening malicious emails and attachments.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have credible information about an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.
Their analysis found that malicious cyber actors are targeting the Healthcare and Public Health (HPH) sector with Trickbot malware. This malware often leads to ransomware attacks, data theft and the disruption of healthcare services.
Hence, on 28 October 2020, the above-mentioned organizations released advisory AA20-302A, describing the tactics, techniques and procedures used by cybercriminals against targets in the HPH sector to infect systems with Ryuk ransomware.
Typically, Ryuk (a derivative of the HERMES 2.1 ransomware) has been deployed as a payload from banking Trojans such as Trickbot. Ryuk actors commonly use commercial off-the-shelf products, such as Cobalt Strike and PowerShell Empire, to steal credentials.
Since the inception of Ryuk ransomware, the market has observed a 90% rise in the ransom amount. On average, each Ryuk ransomware attack costs roughly $286,556. Ryuk mainly uses email phishing and RDP as attack vectors.
In early 2019, the FBI began to observe new Trickbot modules named Anchor, which cyber actors typically used to exfiltrate data from networks and point-of-sale devices.
As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using DNS tunnelling.
Anchor_DNS is a backdoor that allows victim machines to communicate with command and control (C2) servers over DNS to evade typical network defense products and make their malicious communications blend in with legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic.
Trickbot Indicators of Compromise
1. Files:
Trickbot creates the following files:
- Trickbot copies itself as an executable file with a 12-character (including .exe), randomly generated file name (e.g. mfjdieks.exe)
- Sometimes you may find a file named ‘anchorDiag.txt’
Look for the presence of the above files in one of the following directories:
- C:\Windows\
- C:\Windows\SysWOW64\
- C:\Users\[Username]\AppData\Roaming\
2. In a memory dump:
The malware uses an infection marker of ‘Global\fde345tyhoVGYHUJKIOuy’, typically found in the running memory of the victim machine, before it starts communicating with the C2 server.
3. Scheduled Tasks:
Creates a scheduled task which typically uses the following naming convention:
[random_folder_name_in_%APPDATA%_excluding_Microsoft] autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876)
This scheduled task runs every 15 minutes to ensure persistence on the victim machine.
4. Look for recently created .bat files:
After successful execution, Anchor_DNS further deploys malicious batch scripts (.bat) using PowerShell commands.
5. Look into logs for execution of the following commands:
The malware deploys self-deletion techniques by executing the following commands.
- cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
- cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]"
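As an added illustration (not code from the advisory or from this post), the following Python script applies the file, scheduled-task and self-deletion command indicators from sections 1, 3 and 5 above to a constructed inventory. The regular expressions, function names and sample values are my own assumptions about how those indicators translate into a machine check.

```python
import re
from pathlib import PureWindowsPath

# Fixed drop locations named above, as lower-cased path parts.
FIXED_DROP_DIRS = {("c:\\", "windows"), ("c:\\", "windows", "syswow64")}
# 12-character name including ".exe" => 8 random characters + ".exe" (e.g. mfjdieks.exe)
RANDOM_EXE = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)
# "<random %APPDATA% folder, not Microsoft> autoupdate#<5 digits>" (e.g. "Task autoupdate#16876")
TASK_NAME = re.compile(r"^(?!Microsoft\s)\S+\s+autoupdate#\d{5}$")
# Self-deletion one-liners: "timeout N && del ..." or "Start-Sleep N; Remove-Item ..."
SELF_DELETE = re.compile(
    r"timeout\s+\d+\s*&&\s*del\s|Start-Sleep\s+\d+\s*;\s*Remove-Item\s", re.IGNORECASE)

def in_drop_dir(path):
    # True if the parent is C:\Windows, C:\Windows\SysWOW64 or C:\Users\<x>\AppData\Roaming
    parts = tuple(p.lower() for p in PureWindowsPath(path).parent.parts)
    if parts in FIXED_DROP_DIRS:
        return True
    return len(parts) == 5 and parts[0] == "c:\\" and parts[1] == "users" \
        and parts[3:] == ("appdata", "roaming")

def suspicious_file(path):
    name = PureWindowsPath(path).name
    return in_drop_dir(path) and (bool(RANDOM_EXE.match(name)) or name.lower() == "anchordiag.txt")

def suspicious_task(name):
    return bool(TASK_NAME.match(name))

def self_delete_cmd(cmdline):
    return bool(SELF_DELETE.search(cmdline))

def hunt(files, tasks, cmdlines):
    """Return (kind, value) pairs for every indicator that matched."""
    findings = [("file", f) for f in files if suspicious_file(f)]
    findings += [("task", t) for t in tasks if suspicious_task(t)]
    findings += [("cmdline", c) for c in cmdlines if self_delete_cmd(c)]
    return findings

# Constructed sample inventory; the values are illustrative, not real telemetry.
SAMPLE_FILES = [r"C:\Windows\mfjdieks.exe", r"C:\Windows\notepad.exe",
                r"C:\Users\alice\AppData\Roaming\anchorDiag.txt",
                r"C:\Program Files\Vendor\qwertyui.exe"]
SAMPLE_TASKS = ["Task autoupdate#16876", "Microsoft autoupdate#16876", "Adobe Acrobat Update Task"]
SAMPLE_CMDS = [r"cmd.exe /c timeout 3 && del C:\Users\alice\mfjdieks.exe",
               r'cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\alice\AppData\Roaming\mfjdieks.exe"',
               r"cmd.exe /c dir C:\Users\alice"]

if __name__ == "__main__":
    for kind, value in hunt(SAMPLE_FILES, SAMPLE_TASKS, SAMPLE_CMDS):
        print(f"[{kind}] {value}")
```

Feed it real inventories from your endpoint tooling (file listings, scheduled task names, process command lines) in place of the constructed samples; a name that merely looks random is a lead to triage, not proof of infection.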
6. Look in DNS logs for the following domains:
The following domains found in outbound DNS records are associated with Anchor_DNS:
kos tunivo[.]com
chishir[.]com
mangoclone[.]com
onixcellent[.]com
This malware used the following legitimate domains to test internet connectivity.
The Anchor_DNS malware historically used the following C2 servers.
The following information is shared with the C2 server as part of the initial communication:
- the victim machine’s computer name/hostname
- the operating system version
- the build
These are sent via a base64-encoded GUID composed of /GroupID/ClientID/ with the following naming convention: /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/.
Modus Operandi:
- After successful execution, Ryuk actors use native tools such as net view, net computers, and ping to locate mapped network shares, domain controllers, and Active Directory.
- They quickly map the network to enumerate the environment and understand the scope of the infection.
- Use of native tools helps limit suspicious activity and possible detection.
- For lateral movement, they use native tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP). Sometimes they may use a third-party tool such as BloodHound.
- Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
- The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program.
- In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack.
- The RyukReadMe file placed on the system after encryption provides either one or two email addresses, using the end-to-end encrypted email provider Protonmail, through which the victim can contact the attacker(s).
For more details, read advisory AA20-302A.
Mitigations:
CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
Plans and Policies:
- Organizations should review or establish patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors. Business continuity plans are the practice of executing essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions.
- Organizations as well as individuals should regularly back up data, and air-gap and password-protect backup copies offline.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.
- Document an incident response plan and establish an incident response team. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
Network Best Practices:
- Patch operating systems, software, and firmware as soon as manufacturers release updates.
- Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
- Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
- Use multi-factor authentication where possible.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
- Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
- Audit logs to ensure new accounts are legitimate.
- Scan for open or listening ports and mediate those that are not needed.
- Identify critical assets; create backups of these systems and house the backups offline from the network.
- Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
- Set antivirus and anti-malware solutions to automatically update; conduct regular scans.
User Awareness Best Practices:
- Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
- Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently.
Recommended Mitigation Measures:
System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data. Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a Trickbot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs.
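Added example, not from the advisory or this post: a Python decoder for the XOR key 0xB9 check described in the Anchor_DNS section above and in this paragraph, run over constructed DNS log lines. It assumes (the page does not say this) that the encrypted bytes are hex-encoded in the subdomain labels of the query name, and that each log line has a timestamp, client IP, query type and query name separated by spaces; the GUID layout is the one quoted earlier on the page.

```python
import re

XOR_KEY = 0xB9                      # single-byte key reported in the advisory
MARKER = b"anchor_dns"              # string visible once the traffic is decoded
# GUID layout from the advisory: /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
GUID_RE = re.compile(rb"/anchor_dns/([^_/]+)_([^./]+)\.([A-Za-z0-9]{32})/", re.IGNORECASE)

def xor_bytes(data, key=XOR_KEY):
    return bytes(b ^ key for b in data)   # the same call encrypts and decrypts

def decode_query(qname, registered_labels=2):
    """Recover the XOR-decoded payload from a query name. Assumption (not stated on the
    page): the encrypted bytes are hex-encoded across the labels before the registered domain."""
    labels = qname.rstrip(".").split(".")
    try:
        raw = bytes.fromhex("".join(labels[:-registered_labels]))
    except ValueError:
        return None                 # ordinary host name, not a hex payload
    return xor_bytes(raw)

def scan_dns_log(lines):
    """Return one record per query whose decoded payload contains the Anchor_DNS marker."""
    hits = []
    for line in lines:
        fields = line.split()       # assumed layout: "<timestamp> <client_ip> <qtype> <qname>"
        if len(fields) < 4:
            continue
        client, qname = fields[1], fields[3]
        decoded = decode_query(qname)
        if decoded and MARKER in decoded.lower():
            m = GUID_RE.search(decoded)
            hits.append({"client": client, "qname": qname,
                         "host": m.group(1).decode() if m else None,
                         "build": m.group(2).decode() if m else None})
    return hits

def encode_beacon(plaintext, domain):
    """Build a query name the way decode_query expects; used only to construct the sample below."""
    hexed = xor_bytes(plaintext.encode()).hex()
    return ".".join([hexed[i:i + 60] for i in range(0, len(hexed), 60)] + [domain])

# Constructed sample log (not real telemetry); the beacon carries the GUID form from the advisory.
SAMPLE_LOG = [
    "2020-10-28T09:14:02Z 10.0.0.15 A " + encode_beacon(
        "/anchor_dns/WS01_17763.0123456789abcdef0123456789abcdef/", "example.net"),
    "2020-10-28T09:14:05Z 10.0.0.15 A www.example.net",
    "2020-10-28T09:14:07Z 10.0.0.22 A updates.example.org",
]
```

Calling scan_dns_log(SAMPLE_LOG) returns the one beacon with its client IP, host name and build number; adjust decode_query if your resolver logs show the payload encoded differently from the hex layout assumed here.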