Unpacking Ryuk Ransomware’s Threat to Healthcare
What Is Ryuk Ransomware?
Ryuk is a ransomware family, first seen in August 2018, that is deployed against the organizations most likely to pay, such as healthcare providers, whose operations cannot tolerate downtime. Most Ryuk intrusions are attributed to the Russia-based criminal group tracked as GRIM SPIDER, a sub-group of the larger WIZARD SPIDER enterprise. In its original form Ryuk is not a worm: operators deploy it by hand once they already control the network, although a variant with self-propagating (worm-like) capability was reported in early 2021.
Ryuk is usually the final stage of a multi-stage intrusion rather than the initial infection. The first stage is typically the TrickBot banking Trojan (itself often dropped by Emotet through phishing email) or, in later campaigns, the BazarLoader backdoor. TrickBot was built to target financial institutions and steals personally identifiable information (PII), financial data, and account credentials; in a Ryuk intrusion it also profiles the network and harvests the credentials the Ryuk crew will use next.
Once the attackers have a foothold on one device, they use the credentials TrickBot harvested, typically a domain administrator account, to move laterally with built-in Windows tooling such as RDP, PsExec, and WMI, and push the Ryuk encryptor to as many hosts as they can reach; TrickBot additionally carries modules that abuse SMB, including the EternalBlue exploit, to reach further hosts. Ryuk itself does not exfiltrate data (any data theft happens in the TrickBot stage): it encrypts files and deletes Volume Shadow Copies to hinder recovery, which leaves both the data and the devices that hold it unusable. The threat actors can keep access blocked until a ransom is paid.
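The lateral-movement stage described above leaves traces in standard Windows event logs before any file is encrypted, which is where a hospital SOC has its last good chance to catch a Ryuk deployment. The following is an added example (not code from the original article) of two detections run over constructed sample events: PsExec service installs (System log event 7045, service name PSEXESVC or a binary launched from an ADMIN$ share) and one account authenticating over the network to many hosts in a short window (Security log event 4624 with a network or RDP logon type). The host names, the account `CORP\svc_backup`, and the normalised field names are assumptions about how a SIEM or log shipper would present these events.

```python
"""Detection logic for Ryuk-style mass deployment in Windows event logs.

Added example, not code from the original article. All events below are
constructed samples; field names are an assumption about how a SIEM or
log shipper would normalise Windows Security/System log records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_SERVICE = "PSEXESVC"
# 3 = network logon (SMB shares, PsExec, WMI); 10 = RemoteInteractive (RDP)
LATERAL_LOGON_TYPES = {3, 10}

# Constructed sample events: one compromised service account touching six
# hosts in a quarter of an hour, three PsExec-style service installs, and
# two benign records (an admin's single RDP session, a normal service
# install) that must not fire.
SAMPLE_EVENTS = [
    {"time": "2020-10-25T02:10:05", "event_id": 4624, "host": "FILESRV01",
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.20.1.15"},
    {"time": "2020-10-25T02:10:09", "event_id": 7045, "host": "FILESRV01",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2020-10-25T02:12:40", "event_id": 4624, "host": "LAB-WS01",
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.20.1.15"},
    {"time": "2020-10-25T02:12:44", "event_id": 7045, "host": "LAB-WS01",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2020-10-25T02:13:15", "event_id": 4624, "host": "RAD-WS02",
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.20.1.15"},
    {"time": "2020-10-25T02:15:02", "event_id": 4624, "host": "EKG-PC03",
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.20.1.15"},
    {"time": "2020-10-25T02:15:06", "event_id": 7045, "host": "EKG-PC03",
     "service_name": "svc_deploy", "image_path": "\\\\EKG-PC03\\ADMIN$\\deploy.exe"},
    {"time": "2020-10-25T02:18:30", "event_id": 4624, "host": "NURSE-WS04",
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.20.1.15"},
    {"time": "2020-10-25T02:24:51", "event_id": 4624, "host": "PHARM-WS05",
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.20.1.15"},
    {"time": "2020-10-25T02:20:00", "event_id": 4624, "host": "FILESRV01",
     "user": "CORP\\itadmin", "logon_type": 10, "src_ip": "10.30.0.7"},
    {"time": "2020-10-25T02:21:00", "event_id": 7045, "host": "NURSE-WS04",
     "service_name": "WaaSMedicSvc", "image_path": "C:\\Windows\\System32\\svchost.exe"},
]


def detect_psexec_services(events):
    """Return (host, time, service_name) for 7045 events that look like PsExec.

    PsExec copies PSEXESVC.exe to the target's ADMIN$ share and registers it
    as a service; operators who rename the binary still tend to launch it
    from ADMIN$, so the share path is checked as well as the name.
    """
    hits = []
    for e in events:
        if e.get("event_id") != 7045:
            continue
        name = e.get("service_name", "").upper()
        path = e.get("image_path", "").upper()
        if name == PSEXEC_SERVICE or "\\ADMIN$\\" in path or path.endswith("PSEXESVC.EXE"):
            hits.append((e["host"], e["time"], e.get("service_name")))
    return hits


def detect_logon_fanout(events, window_minutes=30, threshold=5):
    """Return {account: sorted hosts} for accounts that log on over the
    network to at least `threshold` distinct hosts within `window_minutes`.

    One admin account reaching many hosts in minutes is the mass-deployment
    pattern; a clinician or a single RDP session never looks like this.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4624 and e.get("logon_type") in LATERAL_LOGON_TYPES:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()  # sliding window over time-ordered logons
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


def run_detections(events):
    """Run both detections and return their results keyed by name."""
    return {
        "psexec_installs": detect_psexec_services(events),
        "logon_fanout": detect_logon_fanout(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(name, result)
```

On the constructed sample the first detection returns the three hosts that received a PsExec-style service and the second names `CORP\svc_backup` with all six hosts it touched, while `CORP\itadmin` and the normal service install stay silent. Tune `threshold` and `window_minutes` to the environment: backup and patch-management accounts legitimately fan out on a schedule, so either allow-list them or alert only outside their maintenance window.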
Ryuk Ransomware and the Threat to Healthcare
Ryuk ransomware poses a critical threat to any organization it infects, but its threat to healthcare is even more severe.
If it successfully infects a hospital network, it can lock clinicians out of electronic health records, slowing their ability to assess patients' status and delaying critical and life-saving treatment. It can also block access to medical devices, effectively shutting down medical services and disrupting clinical workflows across the entire hospital system.
Ryuk’s Track Record Against Healthcare Organizations
Ryuk has become infamous for targeted attacks on healthcare organizations, and attacks spiked during the COVID-19 pandemic. By some estimates, one-third of all ransomware attacks in 2020 involved Ryuk, and by the end of that year its operators had collected more than $150 million in Bitcoin ransom payments across all victims, US hospitals prominent among them.
Ryuk was confirmed to be the culprit behind multiple attacks on healthcare organizations worldwide, including those on Universal Health Services (UHS), a French university hospital center (CHU), the University of Vermont Health Network, and others.
From the moment Ryuk operators gain a foothold on one device, they have been observed to encrypt an entire network in as few as five hours, reaching every Windows host in the clinical ecosystem, including the workstations that drive lab systems, EKGs, and radiology devices, and, through shared infrastructure, services such as VoIP telephony that depend on those hosts.
Medical Devices and Cybersecurity
Securing clinical environments is harder and more complicated than securing other environments because:
- Many connected medical and IoT devices are old and run legacy OS/firmware that is no longer supported at all. No patches exist for them, which leaves them more exposed to cyber threats than other connected devices.
  This matters especially for ransomware, because unsupported OS/firmware often embeds third-party components (a licensed TCP/IP stack, a DNS library) with their own vulnerabilities, which the device manufacturer may not even know are present and which give an attacker who is already on the network an easy way onto the device, e.g.:
  - TCP/IP stack flaws such as Ripple20, NAME:WRECK, and AMNESIA:33 in embedded stacks, and Bad Neighbor in the Windows stack
  - DNS caching software flaws such as DNSpooq in dnsmasq
- It's difficult to replace many old medical devices because they're extremely expensive (e.g. MRI and CT machines).
- Even if a medical device is still supported and has a patch available, you can't update it while it's connected to a patient. Standard updates require a shutdown and restart, and finding a safe time for that is difficult if the healthcare organization doesn't have spare devices in inventory to cover patient demand.
- Because so many medical and IoT devices are unsupported, the only remaining way to secure a clinical environment is often to segment the healthcare organization's network, which is its own challenge to tackle.
Best-Practice Cybersecurity in Healthcare Can Help Mitigate the Ryuk Ransomware Threat
The organizational risk posed by Ryuk ransomware and other malware can be reduced substantially by running an operationally safe cybersecurity program, given the right tools and support, built on these best-practice guidelines:
- Patch every device whose OS/firmware still receives vendor updates, and watch for newly released updates
- Use unique passwords for network systems, devices, and accounts, replace default and shared device credentials, and never reuse a password across systems
- Disable remote access you don't need, such as RDP exposed to the internet or to clinical segments and unused vendor remote-support ports
- In the vein of Zero Trust best practices, configure ACLs with least privilege so each device and account can reach only what it needs
- Continuously inventory open and listening ports on every host and device, so that only expected services are reachable and every exposed service requires authentication
- Implement network segmentation, so that unsupported medical devices sit behind controls that allow only the traffic they need (e.g. to their management server) and a compromised workstation cannot reach them over SMB or RDP