Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Products & Solutions

Coverage Advisory for Ransomware Activity Targeting Healthcare and Public Health Sector

JITHIN NAIR - Sr Manager, Security Research
November 02, 2020 - 3 min read


A joint cybersecurity advisory was released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) related to an increased cybercrime threat to U.S. hospitals and healthcare providers from ransomware, notably Ryuk and Conti

What is the issue?

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers from ransomware like Ryuk and Conti. These ransomwares have been deployed by malware belonging to Trickbot and BazarLoader/BazarBackdoor families. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the C2 server and install it on the victim’s machine. TrickBot or BazarLoader infection can lead to deployment of ransomware, such as Ryuk and Conti.

What systems are impacted?

All machines running Windows operating system.

What can you do to protect yourself?

We recommend making periodic backups of all the important data and keeping those backups isolated off the network. It is equally important to have updated security software and the latest software patches applied to the endpoints. Remote Desktop service access should always be restricted, or it should be turned off if not used. As always, avoid opening suspicious emails containing attachments or links that come from any unknown sources. Disable macros in Office programs. Do not enable them unless it is essential to do so. Enable multi-factor authentication (MFA) across both business and personal email accounts to thwart most credential harvesting attacks.

Zscaler coverage

  • Advanced Threat Protection
  • Malware Protection
  • Advanced Cloud Sandbox

Details related to these threat signatures can be found in the Zscaler Threat Library.

Zscaler had also published detailed analysis blogs for Ryuk, Trickbot and Bazarloader.

Our Cloud Sandbox Report for Ryuk ransomware executable can be seen in Figure 1.

Cloud Sandbox Report for Ryuk Ransomware
Fig 1: Cloud Sandbox Report for Ryuk Ransomware

Our Cloud Sandbox Report for the Conti ransomware executable can be seen in Figure 2.

Cloud Sandbox Report for Conti Ransomware

Fig 2: Cloud Sandbox Report for Conti Ransomware

The Zscaler Cloud Sandbox provides proactive coverage against advanced threats such as ransomware and banker trojans. The Zscaler ThreatLabZ team is also actively monitoring Trickbot, BazarLoader, Ryuk and Conti malware families and ensuring coverage for all the latest IOCs associated with these malware.


  1. https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472
  2. https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware
  3. https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks
  4. https://www.zscaler.com/blogs/research/examining-ryuk-ransomware

Explore more Zscaler blogs

Technical Analysis of CryptNet Ransomware
Read Post
Trigona ransomware
Technical Analysis of Trigona Ransomware
Read Post
Nevada ransomware
Nevada Ransomware: Yet Another Nokoyawa Variant
Read Post
Ransomware hacker
Nokoyawa Ransomware: Rust or Bust
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.