The Joint DHS, FBI, HHS advisory on the malicious targeting of the US public health sector by criminals using ransomware should cause immediate tactical action by cyber defenders in the medical and healthcare community. It also signals the need for strategic actions by executives in these and other sectors.  It could also change the dynamic around how governments view these attacks with impactful targeting being designated as terrorist activity.

Background:

Brian Krebs provided a clear and early articulation of this threat in his KrebsOnSecurity blog, which we summarized in our OODA tech reporting:

Hospitals across the country have been put on high alert following a tip from a reliable source claiming that an aggressive Russian cybercriminal gang is planning on launching cyberattacks against medical care facilities. The FBI and the US Department of Homeland Security organized a conference call with healthcare industry executives to warn about the imminent threat. The Russian gang in question is known for deploying powerful ransomware called Ryuk. Krebs on Security received a tip from a cyber intelligence professional, stating that he observed online communications between members of the Ryuk ransomware group discussing plans to deploy a coordinated ransomware attack on more than 400 healthcare facilities.

However, the healthcare industry executives claim that the agencies offered few concrete details during the conference call on how these organizations can protect themselves from the campaign. The Ryuk gang often uses malware infrastructure unique to each victim to maximize the effects of the attack. Cybersecurity firm Mandiant released a list of domains and internet addresses used by Ryuk in previous attacks to aid the organizations in protecting their systems.

Reuters has initiated reporting on this as well, providing context on what the attacks look like for those on the receiving end:

A doctor at one hospital told Reuters that the facility was functioning on paper after an attack and unable to transfer patients because the nearest alternative was an hour away. The doctor declined to be named because staff were not authorized to speak with reporters.

“We can still watch vitals and getting imaging done, but all results are being communicated via paper only,” the doctor said. Staff could see historic records but not update those files.

Additionally, medical facilities in New York and Oregon are said to be dealing with ransomware attacks. Additionally, the largest hospital system in Vermont is investigating a potential cyberattack resulting in system outages.

What Executives Should Know:

To date, ransomware attackers had indicated that medical facilities were not going to be intentionally targeted due to the critical role they are playing in managing the current pandemic, but these recent attacks indicate a departure from that posturing.

Based upon our years of experience in cybersecurity we see this particular attack as crossing a threshold that has yet to be crossed. There have been ransomware attacks against hospitals and emergency rooms, but those were hardly targeted and did not hold the potential for widespread loss of healthcare services that these do.  It was only recently, that the first loss of life in a hospital was attributed to a ransomware attack in Germany.

If the US government does not respond swiftly and strongly to punish the attackers it will very likely be seen as accepted behavior by criminals. There are issues with this statement. One is how to identify who is really behind the attacks. As mentioned above, there are indications in open source reporting that these are attacks coordinated by criminal groups that operate in Russia and Eastern Europe (potentially a group known by Wizard Spider or UNC 1878).  But similar tools and techniques have been used in the past by DPRK.

The reporting by DHS provides more details including technical indicators and countermeasures:  Joint Cyber Alert – Ransomware Activity Targeting the Healthcare and Public Health Sector

We encourage all organizations who may be impacted by these attacks to share all their forensic information with the DHS via their sector ISAC, the information you share may contribute to an overall assessment.

If your organization is not a member of an ISAC/ISAO, now is the time to join. Small businesses can join for reduced rates that make joining an ISAC/ISAO an easy decision.  CTI League is a community-based cyberthreat intelligence group focused on preventing and responding to medical cyber attacks.  Cyber threat intelligence professionals looking to volunteer their services should join their Slack instance and organizations needing help can contact them through their website.  Our team at OODA is also available to help with medical facility assessment services and crisis response.