Ryuk ransomware aimed at healthcare providers is on the rise. On October 28, 2020 a joint cybersecurity taskforce made up of CISA, FBI, and HHS released an advisory warning that, based on credible intelligence, US healthcare providers are being specifically targeted by ransomware attackers. The advisory urged healthcare providers to remain vigilant and take preventative steps to avoid ransomware infections. They updated the advisory on October 29th to include further information related to the infections. For organizations already stretched and stressed providing care for those impacted by the COVID-19 pandemic, this warning comes at a particularly critical and challenging time.

While the advisory provides great information, I wanted to put together a short overview of the Ryuk ransomware and a quick checklist of steps you can take to increase your network security and reduce the risk of ransomware.

What is Ryuk Ransomware?

Ryuk is a particular strain of ransomware that first appeared in 2017 as part of the Hermes 2.1 ransomware, which was used in 2018 as the basis for Ryuk ransomware. The most common method of entry is through phishing emails, followed by unauthorized access to Remote Desktop Protocol (RDP). Most recently, Ryuk ransomware also used a deployment malware like Trickbot to infect networks. Ryuk generally encrypts files and adds a ‘.ryk’ extension to the end of the file name, although sometimes ‘hermes’ is part of the file name as well. Once in your network, Ryuk initially attempts to uninstall or deactivate anti-malware and antivirus software before beginning encryption. Decryptors are generally individualized to the infection, and there are currently no known public decryption tools. Typical ransoms are usually in the 6-figure range and are rising.

Ransomware Prevention Tips

While the advisory initially focuses on Ryuk ransomware, the update added other strains and malware including Conti, Trickbot, and BazarLoader. The following list is intended to provide a list of cybersecurity best practices to reduce the risk of any strain of ransomware on any network. While the list is long, focus on those steps that you can implement quickly first (depending on your environment) and then focus on the more complex steps. Remember to balance business needs with risk. If your users cannot get their work done, your security measures will be for nothing. Many of these tips have also been shared in other blog posts, but we have included them again, so you have everything in one place.

Authentication

  • Set a strong password policy – require a minimum of 14 characters and enforce it using technical controls.
  • Deploy a password manager to all staff. Given the number of systems we all use, none of us can be expected to remember that many 14-character passwords. Many modern password managers allow for enterprise rollout and management.
  • Use multi-factor authentication (MFA) for everything. If it’s available, turn it on. I know users dislike the extra time (I remember years ago when I faced the wrath of over 3,000 people for telling them they now had to take the time to enter a password instead of just hitting enter to log-in to their computer) but overtime, it becomes second nature.
  • Reset – if you have any concern that someone’s password has been compromised, reset it.
  • If a managed service provider (MSP) has access to your network, make sure that they are using strong and unique passwords. The password they use for your network should not be the same password they use for their other clients’ networks.

Access

  • Use virtual private networks (VPN) for any external access to internal systems and turn on MFA; a username and password is not enough anymore.
  • Restrict access to VPNs and remote desktop protocol (RDP) to only those who actively need it. Remove users as they no longer need it.
  • Use the least privilege model for file and server access.
  • Shutdown unnecessary RDP running on your network – internally as well as externally. Internal RDP can be used to spread malware laterally on your network.
  • Block IP addresses based on geographic location for high-risk areas. If your users have no need to do business with Nigeria, Russia, Iran, etc. block that traffic.

System Administration

  • Keep all your systems and applications up-to-date with the latest software and security patches.
  • Restrict the use of PowerShell to the administrator group only.
  • Look for unauthorized programs like Cobalt Strike or mimikatz on servers and workstations. While these tools have a valid use, they can also be abused.
  • Change default passwords on any device added to your network – including security cameras, speakers, and other Internet of Things (IoT) devices.
  • Make sure that your systems are maintaining adequate logs. Most devices default to 24 hours of log collection. At a minimum try for 6 months or logs, preferably up to 2 years. Make sure that they are readable.
  • Segment your network. Keep your high value data separate from workstations and publicly accessible servers.

Backups

  • Make sure that your backups are running.
  • Run regular test restores from your backups.
  • Store your backups off-site AND off-network.
  • If possible, make your backup files ‘read-only’ so that no changes can be made.

Acceptable Use

  • Don’t allow personal devices to be connected to your production network. If access is necessary, create a guest network for non-organization owned/managed devices.
  • Don’t allow users to check personal email or social media on their work devices or on your network.
  • Disallow unnecessary email attachments. Blocking all attachments isn’t likely possible in your environment, but you can control which attachments you allow to enter your network.
    • If you use Microsoft 365, here are a couple of quick wins:
      • Enable Microsoft 365 Safe Links
      • Restrict Microsoft 365 attachment types to only those required by your organization
    • Unless necessary, don’t allow users to enable macros.
  • Think about IoT devices. Does the smart toaster need to be on the production network?
  • Educate your employees and encourage them to report suspicious email or activity.

Obviously, not all businesses are able to take all the steps outlined above, and there is no magic solution to avoiding ransomware. However, this list is designed to give you some ideas and guidance on best practices. Pick and choose those that will work in your environment. Prioritize tasks that can be implemented quickly and easily using tools you already have, then move on from there.

Finally, if you need help, ask. None of us can know everything, so rely on expert help when you need it.