UPDATED 23:01 EDT / OCTOBER 29 2020

SECURITY

Government warns Ryuk ransomware is targeting hospitals and healthcare providers

A joint advisory from various U.S. government agencies is warning that hospitals and healthcare providers are actively being targeted by ransomware attacks and that there’s an imminent threat of further attacks.

The advisory, issued Wednesday by the U.S. Federal Bureau of Investigation, the Department of Health and Human Services and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, details the tactics, techniques and procedures cybercriminals use to infect healthcare-sector systems with ransomware.

Named in the advisory are several forms of malicious software: the Ryuk and Conti ransomware families, along with TrickBot and BazarLoader, two forms of malware used to gain initial access to a targeted system before ransomware is deployed.

Ryuk is well-known and was linked to a Russian crime syndicate in 2019 after previously being thought to be the work of the North Korean government. Ryuk has been used in previous attacks, including those on the U.S. Coast Guard in January and the city of Durham, North Carolina, in early March. A report published March 29 noted that Ryuk was targeting hospitals and other medical providers as the coronavirus pandemic continued to spread. Since then, Ryuk attacks have continued to increase.

That the advisory describes TrickBot being used to distribute Ryuk is no great surprise. Media reports Oct. 12 claimed that Microsoft Corp. had “taken down” TrickBot, but as noted at the time, Microsoft only said it had disrupted the bot. The involvement of the FBI, CISA and the DHHS indicates that Microsoft’s action, while well-intentioned, was nothing more than a speed bump to those behind the bot.

The advisory goes through various technical aspects of the campaigns against healthcare providers but does not name victims. According to Bleeping Computer, recent Ryuk victims include the Wyckoff Heights Medical Center in Brooklyn and the University of Vermont Health Network. Reuters describes recent attacks as targeting hospitals in Oregon, California and New York.

“We find the potential for ransomware attacks against hospitals, as reported by CISA, during this time of crisis unconscionable,” Jeff Costlow, chief information security officer at enterprise cyber analytics company ExtraHop Networks Inc., told SiliconANGLE. “We suspect that the recent Zerologon vulnerability is a factor and any hospital that has not patched their systems is at risk.”

Kevin Breen, director of cyber threat research at on-demand cyber skills platform provider Immersive Labs, noted that with hospitals bearing the brunt of COVID-19, “the timing of this campaign is about as cynical and malicious as it gets.”

“Attackers are getting more brazen with ransomware attacks, seemingly caring less about grinding operations to a halt in critical industries,” Breen said. “Faced with such threats, incident response teams must ensure they react quickly, efficiently and intelligently. Normally this is to save share price and reputation, but in this case, it could actually save lives.”

Peter Mackenzie, incident response manager at security firm Sophos Group plc’s Rapid Response division, said hospitals are not really affected more than other industries. But Jeff Horne, chief security officer at security platform provider Ordr Inc., said the attacks are coming at the worst possible time, as the pandemic worsens.

“The first line of defense here is educating hospital employees to ensure they can recognize phishing attempts and respond properly,” he said. “The main thing that I urge every organization to do is to patch vulnerabilities quickly and to build a robust backup strategy for data in order to diminish the harm that ransomware can do.”

Photo: Unsplash
