In a joint statement, the FBI and CISA are warning the healthcare industry that threat actors using Ryuk ransomware are actively targeting hospitals and healthcare providers. This announcement follows FireEye/Mandiant's recent attribution of attacks against the healthcare industry to UNC1878, as reported by BleepingComputer. In recent months, BazaLoader has been used in the initial phishing campaigns to load BazarBackdoor, giving the threat actors the access they need to deploy a Cobalt Strike Beacon, escalate privileges to administrator, and eventually deploy Ryuk across the enterprise.
The rapid movement of these operators leaves defenders little time to respond once BazaLoader has been discovered. It should be noted that the joint government announcement describes TTPs for Trickbot and Ryuk, but in light of the recent activity reported by FireEye/Mandiant, there is a high likelihood that BazaLoader will be used instead.