Ryuk Ransomware Cripples US Hospitals — Crosses the Line

The latest victims of Ryuk face an impossible choice: pay a crippling ransom or try to treat COVID-19 patients without their IT systems…

Since it first appeared in 2018, Ryuk ransomware has pushed the limits of cybercrime on two fronts, technical and moral. Ransomware operators quickly changed the rules of the game by not only encrypting systems but also threatening to publish the victim's private data. This pressure tactic, combined with technical refinements to the Ryuk code, has produced unprecedented financial gain. Victim organizations have paid ransom after ransom, and the sums demanded have only grown: from about $5,000 in 2018 to $200,000 in 2020 (Wired, “Ransomware Hits Dozens of Hospitals in an Unprecedented Wave”).

Other crews, REvil and Maze among them, kept developing their own codebases against larger, more vulnerable targets. Over the course of a few months ransomware operators began hitting municipal governments and public systems, including New Orleans, the Florida Library System, and countless small townships across the United States.

US Government Asked to Protect Businesses from Cybercrime

“There is a moral line that every person, just as a human being, recognizes exists…”

-Charles Carmakal, senior vice president and chief technical officer, Mandiant

Even with this history, we could not have anticipated their most recent step. Ransoming hospitals, and even large hospital networks such as Universal Health Services, shatters whatever “code of conduct” existed and is the darkest and most disturbing threat to national security so far.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published a joint cybersecurity advisory to brief the healthcare industry on the technical features, tooling, and tactics used in these attacks.

The organizations responsible have crossed into directly endangering sick hospital patients during a global pandemic. That they could endanger thousands of patients is reason for extreme caution; that they would should provoke a response.

Normally, when a threat evolves, security analysts weigh in on the countermeasures that organizations and individuals can and should take to protect themselves. This time the tone of the response has been different.

Interviewed for Wired Magazine, Charles Carmakal, senior vice president and chief technical officer of Mandiant said, “This is to me the most significant cyber threat that we’ve experienced in the US to date. There is a moral line that every person, just as a human being, recognizes exists… So there’s a very clear crossing of the line by this threat actor. This group is incredibly brazen, heartless, relentless… We have to create awareness of this problem.”

Part of the reason for this change in tone is frustration that a cybercriminal organization can do so much damage while enjoying the relative sanctuary of a foreign country. Private analysts have long assessed that the group behind Ryuk and these attacks is a Russia-based crew tracked as UNC1878 (Mandiant) or Wizard Spider (CrowdStrike). No plans have been made public for prosecuting the international cybercriminals involved.

US businesses are currently on their own to implement the security measures needed to defend priority IT assets. Securing a business network takes some work, but it is almost always achievable.

Mitigating the Ransomware Threat on a Social and Private Level

Ryuk has been deployed successfully against governments, public school systems, and hospitals, so what preventative measures can your organization take?

The joint cybersecurity advisory AA20-302A, “Ransomware Activity Targeting the Healthcare and Public Health Sector,” recommends both Network Best Practices and Ransomware Best Practices. These include many general practices that benefit any organization, some more targeted at healthcare, and an extensive technical briefing on Ryuk with indicators of compromise.

Platte River Networks is monitoring this threat, and we recognize that most businesses do not have the time to respond to this and other security threats without help. We maintain an up-to-date Ransomware Protection Assessment designed for small and mid-sized organizations of all types.

Platte River Networks Intuition+ Security adopts all of the practices covered by our assessment to defend against Ryuk and similar threats. Our security grid has a 100% win rate after almost 20 years of service.

Please email david@platteriver.com for more information on cybersecurity.