Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encrypt systems at “potentially hundreds” of medical centers and hospitals, based on a tip from a researcher who had been monitoring communications for the threat actor. On October 28 and 29, these claims were supported by the reports of six U.S. hospitals being compromised with Ryuk in the span of 24 hours.
CISA, the FBI, and HHS also confirmed this activity targeting the Healthcare and Public Health Sector, releasing a joint advisory on October 28, 2020. The advisory stated that the Ryuk actors were using Trickbot to target the industry and that the activity posed an “increased and imminent” threat. They also published technical indicators for both Trickbot and Ryuk.
Talos has years of experience dealing with Trickbot, Ryuk, and other tools used by the adversary. We are currently supporting customers who are affected and working hand-in-hand with federal law enforcement to support their investigations. We are also supporting other law enforcement and federal agencies as well.
If you have a customer that has been impacted by an attack, ransomware or otherwise, the first course of action is to engage Cisco Talos Incident Response Services (CTIR).
For emergencies, call 1-844-831-7715 to reach the Technical Assistance Center (TAC), who will then put you in touch with members of CTIR who are on call. Account managers can also email IRSalesSupport@cisco.com and visit http://go2.cisco.com/CTIRSales.