Zscaler Cloud Platform

Coverage Advisory for Ransomware Activity Targeting Healthcare and Public Health Sector

Background

A joint cybersecurity advisory was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) related to an increased cybercrime threat to U.S. hospitals and healthcare providers from ransomware, notably Ryuk and Conti

What is the issue?

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers from ransomware like Ryuk and Conti. These ransomwares have been deployed by malware belonging to Trickbot and BazarLoader/BazarBackdoor families. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the C2 server and install it on the victim’s machine. TrickBot or BazarLoader infection can lead to deployment of ransomware, such as Ryuk and Conti.

What systems are impacted?

All machines running Windows operating system.

What can you do to protect yourself?

We recommend making periodic backups of all the important data and keeping those backups isolated off the network. It is equally important to have updated security software and the latest software patches applied to the endpoints. Remote Desktop service access should always be restricted, or it should be turned off if not used. As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources. Disable macros in Office programs. Do not enable them unless it is essential to do so. Enable multi-factor authentication (MFA) across both business and personal email accounts to thwart most credential harvesting attacks.

Zscaler coverage

  • Advanced Threat Protection
    Win32.Downloader.BazarLoader
    Win64.Downloader.BazarLoader
    Win32.Backdoor.Bazar
    Win64.Backdoor.Bazar

    Win32.Backdoor.Anchorbot
    Win32.Banker.TrickBot
    Win64.Banker.TrickBot
    Win64.Ransom.Ryuk
    Win32.Ransom.Ryuk
    Win32.Ransom.Conti
  • Malware Protection
    W64/Ransom.Ryuk.A.gen!Eldorado
    W32/Trojan.BVXG-5604
    W32/Trojan.XFWW-7740
    W64/Agent.BYF.gen!Eldorado
    W32/Trojan.MLJJ-9184
    W32/Trojan.DYOA-8084
    W64/Trojan.QDKO-4869
  • Advanced Cloud Sandbox
    Win32.Ransom.Ryuk
    Win32.Ransom.Conti
    Win32.Banker.Trickbot

     

Details related to these threat signatures can be found in the Zscaler Threat Library.

Zscaler had also published detailed analysis blogs for Ryuk, Trickbot and Bazarloader.

Our Cloud Sandbox Report for Ryuk ransomware executable can be seen in Figure 1.

Cloud Sandbox Report for Ryuk Ransomware
Fig 1: Cloud Sandbox Report for Ryuk Ransomware

Our Cloud Sandbox Report for the Conti ransomware executable can be seen in Figure 2.

Cloud Sandbox Report for Conti Ransomware

Fig 2: Cloud Sandbox Report for Conti Ransomware

The Zscaler Cloud Sandbox provides proactive coverage against advanced threats such as ransomware and banker trojans. The Zscaler ThreatLabZ team is also actively monitoring Trickbot, BazarLoader, Ryuk and Conti malware families and ensuring coverage for all the latest IOCs associated with these malware.

References

  1. https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472
  2. https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware
  3. https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks
  4. https://www.zscaler.com/blogs/research/examining-ryuk-ransomware

Stay up to date with the latest digital transformation tips and news.

By clicking the submit button, you are agreeing to our privacy policy.