/nov 19, 2020

Healthcare Orgs: What You Need to Know About TrickBot and Ryuk

By Meaghan Mcbee

In late October, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) co-authored an advisory report on the latest tactics used by cybercriminals to target the Healthcare and Public Health (HPH) sector. In the report, CISA, FBI, and HHS noted the discovery of, “…credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” which they shared as a warning of potential ransomware attacks.

In the report, the agencies found that threat actors are targeting the HPH Sector using TrickBot and BazarLoader malware efforts, which can result in the disruption of healthcare services, the initiation of ransomware attacks, and the theft of sensitive data. As noted in the advisory, these security issues are even more difficult to handle and remediate during the COVID-19 pandemic; something healthcare providers should take that into consideration when determining how much to invest in their cybersecurity efforts. 

The FBI first began tracking TrickBot modules in early 2019 as it was used by cyberattackers to go after large corporations. According to the report, “…TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.”

What makes it so dangerous? Researchers found that TrickBot developers created a tool called anchor_dns which uses a single-byte X0R cipher to obfuscate communications and, once de-obfuscated, is discoverable in DNS request traffic. When the malware is successfully executed, TrickBot is copied as an executable file and the copy is placed into one of the following directories:

  • C:\Windows\
  • C:\Windows\SysWOW64\
  • C:\Users\[Username]\AppData\Roaming\

From there, the executable file downloads modules from command and control servers (C2s) and places them into the host’s %APPDATA% or %PROGRAMDATA% directory. Every 15 minutes, the malware runs scheduled tasks on the victim’s machine for persistence, and after successful execution, anchor_dns deploys more malicious .bat scripts and implements self-deletion techniques through commands. The report notes that an open source tracker for TrickBot C2 servers is located here.

BazarLoader and Ryuk ransomware

CISA, FBI, and HHS note in the advisory report that around early 2020, threat actors believed to be associated with TrickBot began executing BazarLoader and BazarBackdoor attacks to infect targeted networks.

“The loader and backdoor work closely together to achieve infection and communicate with the same C2 infrastructure,” the report says. “Campaigns using Bazar represent a new technique for cybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware, including Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.”

BazarLoader malware usually comes from phishing emails, the advisory says, with a link to a Google Drive document or another file hosting service housing what looks like a PDF file but is really an executable. The emails often appear personal with recipient or employer names in the subject line and body – as phishing attempts often do to gain trust. Once clicked, the infected links allow threat actors to install BazarLoader and disrupt service or steal data.

Ryuk, which first made a splash in 2018 as an offshoot of Hermes 2.1 ransomware, is often deployed as a payload from banking Trojans like TrickBot, according to the advisory. Ryuk is particularly dangerous to healthcare organizations because it provides attackers the opportunity to read, write, and execute permissions. Because it’s so powerful, cyberattackers utilizing Ryuk often try to limit suspicious activity by using native tools that allow them to move laterally within the network and remain undetected.

Once Ryuk has infiltrated a system it uses AES-256 to encrypt files as well an RSA public key to encrypt the AES key, and it also drops a .bat file to delete backup files and prevent recovery. Victims can access the RyukReadMe file for instructions on how to contact the threat actor via email, through which they are given a specific amount of money to send to a Bitcoin wallet for ransom.

Protecting your sensitive data

So, what are the steps that you can take to defend yourself against issues like TrickBot attacks? In their report, CISA, FBI, and HHS researchers encourage healthcare organizations to find continuity gaps in their business, especially when it comes to capability around handling emergencies like cyberattacks. They suggest that organizations review or establish patching plans, user agreements, and security policies to address current cybersecurity threats and make a plan for remediation.

In addition, healthcare organizations handle sensitive, confidential data every single day, increasingly digitally, and should ensure that data is protected with a comprehensive application security program. We know from the latest State of Software Security report that 76 percent of applications have at least one flaw in the latest scan run by Veracode customers and that it takes an average of 180 days to close 50 percent of discovered flaws. In the realm of healthcare where the data housed by applications is extremely sensitive, that’s simply too long.

“Blended attacks are now the norm. Social engineering and phishing are combined with the exploitation of both known and application vulnerabilities until the attack gets the high-value data they are looking for”, says Chris Wysopal, Veracode founder and CTO.

Learn more about what healthcare organizations should know about application security and keep up to date with application security news by subscribing to our content.

Related Posts

By Meaghan Mcbee

Meaghan McBee is a Senior Content Marketing Manager at Veracode, responsible for creating content around best practices in application security and the current state of DevSecOps.