The FBI and DHS-CISA issued a warning on October 28, 2020 about an imminent threat to hospitals and healthcare providers. They represent that they have credible information to suggest there will be a widespread Ryuk ransomware attack this weekend (October 30 – November 1), and the FBI, DHS, and the NSA's Cybersecurity Threat Operations Center are currently investigating the matter.

If the alert is well-founded, most of the targeted networks have likely already been infected. Absent a robust endpoint monitoring tool, the malware is generally successful in accessing and residing within networks for days or weeks prior to the execution of an encryption attack. 

Ryuk attacks have typically been preceded by Trickbot, a multi-functional banking Trojan. Similarly, Trickbot has commonly been disseminated by Emotet, another sophisticated banking Trojan. 

Ryuk, Trickbot, and Emotet – each a part of continuously evolving strains – are designed to evade detection. Together, they form a dangerous combination for accessing systems, wiping backups, and encrypting networks. It is recommended that hospitals and healthcare providers implement the following measures as soon as possible:

  • Test the integrity of backups;
  • Ensure process for preservation of backups;
  • If backup systems are not currently air gapped, temporarily air gap priority system backups;
  • Ensure backup of medical records, and maintain a 3-2-1-backup strategy (maintain three copies, two on different storage media, and one offsite);
  • If an endpoint detection and response product is deployed, ensure it is deployed to all endpoints;
  • Expedite security patching for applications and systems;
  • Power down systems when not in use;
  • Rehearse information technology lockdown protocols and processes, and ensure ownership of tasks for specific systems;
  • Establish and practice out of band, non-VoIP, communications;
  • Review and maintain paper copy of incident response plan; 
  • Review and maintain paper copy of business continuity plan;
  • Maintain paper copy of contact information for key personnel;
  • Prepare to maintain continuity of operations;
  • Ensure sufficient staffing to maintain continuity of operations due to information technology outage;
  • Be prepared to reroute patients if patient care is disrupted due to information technology outage; and
  • If an attack is detected and additional resources are needed, contact Lewis Brisbois' 24/7 Data Breach Response Team at 844.312.3961 or breachresponse@lewisbrisbois.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.