FBI Warns Hospitals on Ryuk Ransomware Credential Theft and Malicious DNS

A rumored ransomware threat to hundreds of US hospitals led to an unprecedented alert late Wednesday from the FBI, CISA and the Department of Health and Human Services. But as hospitals and healthcare organizations attempt to assess their risk, they face an uphill battle against sophisticated, human-directed ransomware operations.

The alert follows reporting Wednesday by security reporter Brian Krebs of Krebs on Security, who said that online chatter among cybercriminals affiliated with the Ryuk ransomware gang suggested that plans were afoot to deploy ransomware at more than 400 healthcare facilities in the U.S. Krebs’ source for the information was security expert Alex Holden of Milwaukee-based Hold Security.


By late Wednesday, the FBI, CISA and HHS had released a joint advisory providing detailed information on the threat, including a number of indicators of compromise (IOCs) that healthcare organizations can use to determine whether they have been breached. Among those indicators is the presence of known post-exploitation tools such as Mimikatz, PowerShell Empire and Cobalt Strike, which attackers use to harvest credentials, move laterally and maintain command and control inside compromised environments.

Ryuk Attackers Live Off The Land

According to the joint Advisory, Ryuk actors use techniques common to other sophisticated, human-operated ransomware operations. After gaining an initial foothold in an organization, attackers “will quickly map the network in order to enumerate the environment to understand the scope of the infection.” Such activity relies on common administrative tools rather than malicious toolkits in order to blend in: native utilities like net view, net computers and ping are used to identify network shares, Active Directory domain controllers and other IT assets of interest. Tools like PowerShell, Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI) and Windows Remote Management (WinRM) are then used to move laterally from the initial point of entry to higher-value IT assets such as domain controllers.

Once there, dual-use toolkits like Mimikatz, PowerShell Empire and Cobalt Strike enable credential theft and further lateral movement: grabbing clear-text passwords or password hashes from memory (Mimikatz), dropping malware, logging keystrokes and establishing back-channel command and control (Cobalt Strike), forging Kerberos tickets, and more. As we’ve noted, privilege escalation tools have become a standard component of many attacks and attacker toolkits.
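The chain just described, discovery with built-in tools followed by credential theft or lateral movement, is what a detection should key on, rather than any single command that an administrator might also run. The following is an added example (ours, not the advisory’s or QOMPLX’s code) that runs ATT&CK-tagged matching over constructed process-creation records of the kind a Sysmon Event ID 1 or Security 4688 forwarder produces, and only alerts on a host when network discovery is followed within an hour by credential access or lateral movement. The record field names, the sample command lines and the ping-sweep threshold are assumptions.

```python
"""Flag hosts where living-off-the-land discovery is followed by credential
theft or lateral movement. Added example, not advisory or QOMPLX code.
Records are constructed; field names (ts/host/cmd) are an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PING_SWEEP_MIN = 8  # distinct ping targets from one host before it counts as a sweep (assumed)

# (stage, ATT&CK technique, pattern). Stages follow the advisory's chain:
# map the network, steal credentials, move laterally.
RULES = [
    ("discovery",         "T1018",     re.compile(r"\bnet(?:1)?(?:\.exe)?\s+view\b", re.I)),
    ("discovery",         "T1018",     re.compile(r"\bnltest(?:\.exe)?\s+/dclist", re.I)),
    ("discovery",         "T1018",     re.compile(r"\bGet-ADComputer\b", re.I)),
    ("discovery",         "T1087.002", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+group\b.*?domain", re.I)),
    ("credential_access", "T1003.001", re.compile(r"sekurlsa::|lsadump::|mimikatz", re.I)),
    ("lateral_movement",  "T1047",     re.compile(r"\bwmic(?:\.exe)?\s+/node:", re.I)),
    ("lateral_movement",  "T1021.001", re.compile(r"\bmstsc(?:\.exe)?\s+/v:", re.I)),
    ("lateral_movement",  "T1021.006", re.compile(r"\bwinrs(?:\.exe)?\s+-r:|Invoke-Command\b.*-ComputerName", re.I)),
]
# A single ping is noise; a burst of pings to many distinct targets is a sweep.
PING = re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(\S+)", re.I)


def classify(cmd):
    """Return (stage, technique) for a command line, or None if no rule matches."""
    for stage, tech, rx in RULES:
        if rx.search(cmd):
            return stage, tech
    return None


def analyze(records, window=timedelta(hours=1)):
    """Return {host: [techniques]} for hosts where a discovery event is followed
    within `window` by credential access or lateral movement."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    alerts = {}
    for host, events in by_host.items():
        matched = []            # (time, stage, technique) in chronological order
        ping_targets = set()
        for r in sorted(events, key=lambda r: r["ts"]):
            ts = datetime.fromisoformat(r["ts"])
            hit = classify(r["cmd"])
            if hit:
                matched.append((ts, *hit))
                continue
            m = PING.search(r["cmd"])
            if m:
                ping_targets.add(m.group(1).lower())
                if len(ping_targets) == PING_SWEEP_MIN:
                    matched.append((ts, "discovery", "T1018"))
        discovery_times = [ts for ts, stage, _ in matched if stage == "discovery"]
        for ts, stage, _ in matched:
            if stage != "discovery" and any(timedelta(0) <= ts - d <= window for d in discovery_times):
                alerts[host] = sorted({tech for _, _, tech in matched})
                break
    return alerts


# Constructed records, not real telemetry.
SAMPLE = [
    {"ts": "2020-10-28T14:02:11", "host": "WS-042", "cmd": "net view /all /domain"},
    {"ts": "2020-10-28T14:02:40", "host": "WS-042", "cmd": "nltest /dclist:corp.local"},
    {"ts": "2020-10-28T14:03:05", "host": "WS-042", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2020-10-28T14:21:33", "host": "WS-042",
     "cmd": "powershell -ep bypass -c \"Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'\""},
    {"ts": "2020-10-28T14:35:02", "host": "WS-042",
     "cmd": 'wmic /node:DC01 process call create "cmd.exe /c whoami"'},
    # An admin checking one server and opening RDP to it: no discovery stage, no alert.
    {"ts": "2020-10-28T09:15:00", "host": "ADMIN-01", "cmd": "ping -n 1 fileserver01"},
    {"ts": "2020-10-28T09:16:00", "host": "ADMIN-01", "cmd": "mstsc /v:fileserver01"},
]
# A ping sweep with no follow-on stage: discovery alone does not alert.
SAMPLE += [{"ts": f"2020-10-28T11:00:{i:02d}", "host": "WS-017", "cmd": f"ping -n 1 10.0.5.{i}"}
           for i in range(1, 10)]

if __name__ == "__main__":
    for host, techniques in analyze(SAMPLE).items():
        print(f"ALERT {host}: {', '.join(techniques)}")
```

Requiring two stages on the same host within a window is what keeps this from paging on every administrator who runs `net view`; the trade-off is that an attacker who spreads the stages across hosts, or over more than an hour, slips past a rule this simple, which is why the IOC and technique lists in the advisory are a starting point rather than a finished detection.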

In fact, according to a 2019 survey of over 500 enterprise incident response engagements, 70 percent of all cyber attacks involve attempts to move laterally across the network. And for 40 percent of survey respondents, lateral movement attempts occurred in 90 percent of their attack instances.

What’s more, after the financial services sector, healthcare remains the second most targeted sector for these types of attacks: about 61 percent of survey respondents saw them directed at healthcare organizations.

Systems targeted by the Ryuk gang are typically already infected with TrickBot, a banking Trojan that has evolved into a full-featured framework for exploitation and infection; Ryuk is deployed as a second stage on hosts TrickBot has already compromised.

DNS Abused For Command and Control

The joint Advisory also highlights the Ryuk gang’s abuse of the Domain Name System (DNS) to further their attacks. Specifically, the attackers use a newer TrickBot module dubbed Anchor_DNS that tunnels command and control (C2) traffic inside DNS queries and responses, so that commands to and from infected hosts blend in with the ordinary DNS traffic every network produces. The payload is obfuscated rather than strongly encrypted: according to the joint Advisory, Anchor_DNS uses a single-byte XOR cipher on its communications, observed using the key 0xB9. Once decoded, the string Anchor_DNS can be found in the DNS request traffic, which gives defenders a concrete marker to hunt for.
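As an added example (not the advisory’s or QOMPLX’s code), the decoder below shows what hunting for that marker looks like in practice. The advisory describes only the single-byte XOR and the observed key, so the rest is assumption and is labelled as such in the code: that the XOR’d bytes travel hex-encoded in the subdomain labels of queries to the C2 domain, that the C2 domain is a placeholder (c2.example), and that the sample query names are constructed by encoding a made-up beacon rather than captured from real traffic. It also goes one step beyond the page’s single key and brute-forces the key from the marker, since an operator can change 0xB9 at any time.

```python
"""Decode single-byte XOR payloads carried in DNS query names, modelled on the
joint advisory's description of TrickBot's Anchor_DNS (observed key 0xB9,
marker "anchor_dns" in the decoded data). Added example, not advisory or
QOMPLX code. ASSUMPTIONS: payload bytes are hex-encoded across subdomain
labels under the C2 domain; the C2 domain and sample queries are made up."""

KNOWN_KEY = 0xB9
MARKER = b"anchor_dns"
C2_DOMAIN = "c2.example"  # placeholder; substitute the advisory's domain IOCs


def xor_bytes(data, key):
    """Apply a single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def payload_from_qname(qname, c2_domain=C2_DOMAIN):
    """Strip the C2 suffix and hex-decode the remaining labels (assumed encoding).
    Raises ValueError for names outside the C2 domain or that are not hex."""
    qname = qname.rstrip(".").lower()
    suffix = "." + c2_domain.lower()
    if not qname.endswith(suffix):
        raise ValueError("not a query under the C2 domain")
    return bytes.fromhex(qname[:-len(suffix)].replace(".", ""))


def decode_query(qname, key=KNOWN_KEY, c2_domain=C2_DOMAIN):
    """Decode one query name with a known key."""
    return xor_bytes(payload_from_qname(qname, c2_domain), key)


def recover_key(ciphertext, marker=MARKER):
    """Try all 256 single-byte keys; return the one whose plaintext contains the
    marker (case-insensitive), or None. Handles an operator rotating the key."""
    for key in range(256):
        if marker in xor_bytes(ciphertext, key).lower():
            return key
    return None


def encode_query(plaintext, key=KNOWN_KEY, c2_domain=C2_DOMAIN, label_len=60):
    """Build a query name the decoder expects; used here only to construct samples.
    DNS labels are capped at 63 octets, hence the split."""
    hexdata = xor_bytes(plaintext, key).hex()
    labels = [hexdata[i:i + label_len] for i in range(0, len(hexdata), label_len)]
    return ".".join(labels) + "." + c2_domain


def scan_queries(qnames, c2_domain=C2_DOMAIN):
    """Return (qname, key, plaintext) for each query whose decoded payload carries
    the marker; other names (wrong domain, not hex, no marker) are skipped."""
    hits = []
    for q in qnames:
        try:
            ct = payload_from_qname(q, c2_domain)
        except ValueError:
            continue
        key = recover_key(ct)
        if key is not None:
            hits.append((q, key, xor_bytes(ct, key)))
    return hits


# Constructed samples: a beacon with the observed key, one with a rotated key,
# and two names that must be ignored.
SAMPLE_BEACON = b"anchor_dns|WS-042|Windows 10 build 19041|1603900000"
SAMPLE_QNAME = encode_query(SAMPLE_BEACON)
SAMPLE_QUERIES = [
    "mail.hospital.example",                            # not under the C2 domain
    SAMPLE_QNAME,                                       # key 0xB9
    encode_query(b"anchor_dns|WS-017|ack", key=0x5A),   # operator rotated the key
    "www." + C2_DOMAIN,                                 # under the domain, not a payload
]

if __name__ == "__main__":
    for qname, key, plaintext in scan_queries(SAMPLE_QUERIES):
        print(f"key=0x{key:02X} {plaintext!r} <- {qname}")
```

Feeding `scan_queries` the query names from a DNS server log or a passive DNS capture turns the advisory’s key and marker into a repeatable hunt; if the real module uses a different label encoding than the hex assumed here, only `payload_from_qname` needs to change.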

The Anchor module in TrickBot provides a range of features that further an infection: posting an infection marker on compromised machines, relaying the infected host’s name, operating system and build, and creating scheduled tasks to maintain persistence on the compromised host. After successful execution, Anchor_DNS is also used to deploy malicious batch scripts (.bat) via PowerShell commands.

The joint Advisory provides a list of domain names and IP addresses associated with the Anchor_DNS module. Outbound or inbound communications with any of them should be treated as an indicator of compromise, bearing in mind that C2 infrastructure is rotated and such lists age quickly.

Mitigations and Best Practices

Ryuk actors use techniques common to other sophisticated, human operated ransomware operations, notes QOMPLX CISO Andy Jaquith. “After gaining an initial foothold in an organization, attackers quickly map the network and find ways to forge credentials and elevate their privileges, at which point their malicious activities become much harder to distinguish from typical administrator traffic.”

For healthcare organizations concerned that they have been, or may be, targeted in this operation or another like it, there are a number of steps that can help limit exposure.

The first step for any organization is to audit its security and network monitoring tools for indicators of compromise and for the techniques common to Ryuk. The Advisory lists those techniques with references to MITRE’s ATT&CK framework.

Ben Tolen, QOMPLX’s Director of Security Operations notes that monitoring for indicators of compromise is critical, but also challenging. “The challenge is scope, scale and management of IOCs...because they are constantly changing (and) therefore tools and processes need to be put in place to manage these properly.”

Keep The Ryuk Out

Additionally, organizations should review their business continuity and disaster recovery plans and take immediate steps to close avenues of opportunity for gangs like Ryuk. Those steps include:

  • Conducting a detailed asset inventory that identifies critical IT assets
  • Making sure that up-to-date backups of all critical assets and data are in place, including offline backups
  • Using network segmentation to limit lateral movement
  • Making sure endpoint protection software is deployed and up to date on all network assets
  • Patching exploitable application and operating system vulnerabilities as soon as possible
  • Employing tools like nmap to scan their own perimeter networks for exposed or misconfigured services (SMB, RDP, LDAP, etc.)
  • Addressing any misconfigurations that may create opportunities for malicious actors
  • Updating passwords for all user and service accounts and ensuring any reused or aged passwords are replaced with secure alternatives
  • Enforcing “least privilege” policies for users on local systems
  • Implementing multi-factor authentication wherever possible
  • Reviewing log files, including Windows event logs, firewall logs and remote access logs, for suspicious entries or patterns of activity
  • Auditing Active Directory to make sure that any new accounts or changes to existing accounts are legitimate and accounted for
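To make the nmap item above concrete, here is an added example (ours, not QOMPLX’s) that reads an nmap XML report (-oX) and lists hosts exposing the Windows and Active Directory management ports that should never be reachable from the Internet. The XML is a constructed, trimmed sample in nmap’s real output schema using documentation addresses, not a scan of any real network; the port list and labels are our choice.

```python
"""List Internet-exposed Windows/AD management ports from an nmap -oX report.
Added example, not QOMPLX code. SAMPLE_XML is constructed (documentation
address range 203.0.113.0/28), not real scan output."""
import xml.etree.ElementTree as ET

# Ports that mean the Windows/AD management plane is reachable from outside.
RISKY_PORTS = {
    135:  "MSRPC endpoint mapper",
    139:  "NetBIOS session (SMB)",
    445:  "SMB",
    389:  "LDAP (Active Directory)",
    636:  "LDAPS (Active Directory)",
    3389: "RDP",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
}


def exposed_services(nmap_xml):
    """Return [(address, port, label)] for every open risky TCP port in the report.
    Only ports nmap reports as 'open' count; 'filtered' ports are not findings."""
    root = ET.fromstring(nmap_xml)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != "tcp" or state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            if portid in RISKY_PORTS:
                findings.append((addr, portid, RISKY_PORTS[portid]))
    return findings


# Constructed sample in the nmaprun/host/ports/port schema nmap emits.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -oX perimeter.xml 203.0.113.0/28">
  <host><status state="up"/>
    <address addr="203.0.113.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="203.0.113.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>"""

if __name__ == "__main__":
    for addr, port, label in exposed_services(SAMPLE_XML):
        print(f"{addr}:{port} open -> {label}")
```

Against a real perimeter, produce the report with something like `nmap -sS -p 135,139,389,445,636,3389,5985,5986 -oX perimeter.xml <your public ranges>` and pass the file contents to `exposed_services`; any finding is an RDP, SMB or LDAP door that the checklist says should be closed or put behind a VPN with multi-factor authentication.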

Securing Critical Controls Infrastructure (CCI)

Behind every program should be a focus on securing critical controls infrastructure such as Active Directory. “All of these tools are re-written and changed constantly by attackers to get around detection,” said Tolen. “You will catch the low hanging fruit, but if they still have access they will just try again.”

Monitoring the health and integrity of authentication is key to identifying suspicious activity, he said. “Organizations need to do a better job at IT health, like open Active Directory ports to the Internet,” he said. “If you aren’t protecting your front door, no number of IOCs will save you.”

Why QOMPLX

As we have noted, Active Directory credential theft and credential forgery tactics have been implicated in almost every large-scale ransomware attack and data breach in the last five years, including NotPetya, the world’s most costly cyber attack.

Presented with the challenge of sophisticated, human-directed ransomware campaigns, organizations need a fast and highly accurate, low-noise method of detecting key elements of these campaigns such as lateral movement, credential theft and privilege escalation and stealthy command and control communications.

Some of the world’s most sophisticated firms use QOMPLX to help them do just that. QOMPLX’s technology is demonstrating real-world effectiveness against human-directed ransomware tactics today in some of the most security-conscious organizations on the planet.

If you want to learn more about how QOMPLX can help your company spot otherwise surreptitious lateral movement to avoid damaging attacks, contact our sales team now to set up a discussion with QOMPLX security practitioners.