December 4, 2020

Volume X, Number 339


Federal Agencies Partner to Warn Healthcare Systems of Imminent Cyber Threat

US hospitals and healthcare systems should be on high alert after a rare joint advisory issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) warning all US hospitals and healthcare providers of an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The joint advisory was published by CISA as Alert AA20-302A.

In Depth


In the advisory released late in the evening of October 28, 2020, the FBI, CISA and HHS warned of Ryuk ransomware, which is typically delivered through an existing Trickbot infection or other post-exploitation tooling and can spread quickly across an affected organization’s network, encrypting and disabling systems. The agencies reported credible intelligence of malicious threat actors targeting approximately 400 healthcare providers in the United States with Ryuk attacks.

Large-scale ransomware attacks during an upsurge of COVID-19 cases and hospitalizations would present a significant challenge to an already burdened healthcare system, as the advisory notes. The agencies’ warning is intended to give hospitals and healthcare providers the information they need to protect their networks before infection, and to provide guidance on responding to ransomware attacks to entities that have already been compromised. The advisory explains how Ryuk and Trickbot are deployed and spread, provides indicators of compromise (IOCs) associated with such attacks, and lists network protection measures and ransomware response best practices. If your organization is hit by a ransomware attack, note that US law enforcement agencies do not recommend paying the ransom. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1, 2020, reminding victim entities (and the insurers, negotiators and forensic firms acting for them) that paying a ransom to a threat actor that is a sanctioned entity or covered by comprehensive country or region sanctions may violate OFAC regulations and result in civil penalties, and that OFAC may impose those penalties on a strict-liability basis, without regard to whether the payer knew the recipient was sanctioned.

If your organization is the target of a cyberattack, we encourage you to consult with legal counsel immediately. Forensic vendors are reporting a spike in cybersecurity incidents and may be at capacity and unable to provide immediate service. Consider lining up third-party resources ahead of time to be on standby.

Indicators of Compromise

Below is the list of IOCs CISA, the FBI and HHS identified in their advisory. Most of them relate to Anchor_DNS, a Trickbot-family backdoor that communicates with its command-and-control (C2) servers over DNS. Separately, cybersecurity incident response firm Mandiant released a list of domains and Internet Protocol (IP) addresses used by Ryuk in previous attacks this year. Review your systems for these IOCs and, if any are found, take immediate steps to protect your network and data. Indicators are written in defanged form (for example, kostunivo[.]com) so they cannot be followed accidentally; restore the dots before searching logs.

After successful execution, Trickbot copies itself as an executable with a randomly generated 12-character file name (the count includes the .exe extension, e.g., mfjdieks.exe) and places this file in one of the following directories.

  • C:\Windows\

  • C:\Windows\SysWOW64\

  • C:\Users\[Username]\AppData\Roaming\

The malware may also drop a file named anchorDiag.txt in one of the directories listed above.

Prior to initiating communications with the C2 server, the malware uses an infection marker of Global\fde345tyhoVGYHUJKIOuy, typically found in the running memory of the victim machine.

Part of the initial network communications with the C2 server involves sending information about the victim machine such as its computer name/hostname, operating system version, and build via a base64-encoded GUID. The GUID is composed of /GroupID/ClientID/ with the following naming convention:

/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/.

The malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. The scheduled task typically uses the following naming convention.

  • [random_folder_name_in_%APPDATA%_excluding_Microsoft]

  • autoupdate#[5_random_numbers] (e.g., Task autoupdate#16876)

After successful execution, Anchor_DNS further deploys malicious batch scripts (.bat) using PowerShell commands.

The malware deploys self-deletion techniques by executing the following commands.

  • cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]

  • cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

The following domains found in outbound DNS records are associated with Anchor_DNS.

  • kostunivo[.]com

  • chishir[.]com

  • mangoclone[.]com

  • onixcellent[.]com

This malware used the following legitimate domains to test internet connectivity.

  • ipecho[.]net

  • api[.]ipify[.]org

  • checkip[.]amazonaws[.]com

  • ip[.]anysrc[.]net

  • wtfismyip[.]com

  • ipinfo[.]io

  • icanhazip[.]com

  • myexternalip[.]com

The Anchor_DNS malware historically used the following C2 servers.

  • 23[.]95[.]97[.]59

  • 51[.]254[.]25[.]115

  • 193[.]183[.]98[.]66

  • 91[.]217[.]137[.]37

  • 87[.]98[.]175[.]85
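To make the indicators above actionable, here is an added example (not code from the advisory, CISA, or the authors of this alert) of a small Python hunt that checks exported endpoint and network telemetry against them: the three drop directories with the 8-character-stem .exe name, the anchorDiag.txt file, the infection-marker mutex, the autoupdate#NNNNN task name, the two self-deletion command lines, the C2 domains and IP addresses, and the base64-encoded /anchor_dns/ GUID. The flat event-record format and every sample event are constructed for illustration; restricting the dropped file's stem to lowercase letters is an assumption drawn from the advisory's single example, not advisory text. Lookups of the connectivity-check domains are reported as low-confidence only, because they are legitimate services used by plenty of benign software.

```python
"""Hunt exported endpoint/network telemetry for the Anchor_DNS / Trickbot indicators
in the joint FBI/CISA/HHS advisory.

Added example; not code from the advisory or the alert's authors. The event schema and
SAMPLE_EVENTS below are constructed for illustration and are not real telemetry.
"""
import base64
import binascii
import re


def refang(ioc):
    """Turn a defanged indicator such as 'kostunivo[.]com' back into a matchable string."""
    return ioc.replace("[.]", ".")


# Indicators quoted from the advisory, defanged as published.
C2_DOMAINS = {refang(d) for d in (
    "kostunivo[.]com", "chishir[.]com", "mangoclone[.]com", "onixcellent[.]com")}
CONNECTIVITY_CHECK_DOMAINS = {refang(d) for d in (
    "ipecho[.]net", "api[.]ipify[.]org", "checkip[.]amazonaws[.]com", "ip[.]anysrc[.]net",
    "wtfismyip[.]com", "ipinfo[.]io", "icanhazip[.]com", "myexternalip[.]com")}
C2_IPS = {refang(ip) for ip in (
    "23[.]95[.]97[.]59", "51[.]254[.]25[.]115", "193[.]183[.]98[.]66",
    "91[.]217[.]137[.]37", "87[.]98[.]175[.]85")}
MUTEX = r"Global\fde345tyhoVGYHUJKIOuy"

# Drop directories from the advisory; [Username] is treated as a wildcard.
DROP_DIR_RE = re.compile(
    r"^C:\\(?:Windows\\(?:SysWOW64\\)?|Users\\[^\\]+\\AppData\\Roaming\\)([^\\]+)$",
    re.IGNORECASE)
# 12 characters including ".exe" leaves an 8-character stem. The advisory's example
# (mfjdieks.exe) is lowercase letters; limiting the stem to [a-z] is an assumption here.
DROPPED_EXE_RE = re.compile(r"^[a-z]{8}\.exe$")
TASK_NAME_RE = re.compile(r"^autoupdate#\d{5}$")
SELF_DELETE_RE = re.compile(
    r"timeout\s+3\s*&&\s*del\b|Start-Sleep\s+3;\s*Remove-Item\b", re.IGNORECASE)
# /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
BEACON_RE = re.compile(r"^/anchor_dns/([^/]+?)_([^/.]+)\.([0-9A-Za-z]{32})/$")


def decode_beacon(b64_blob):
    """Return (computer_name, build, client_id) when the blob is a base64-encoded
    Anchor_DNS GUID in the advisory's format, otherwise None."""
    try:
        text = base64.b64decode(b64_blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    match = BEACON_RE.match(text)
    return match.groups() if match else None


def classify(event):
    """Map one telemetry record to (severity, reason), or None if nothing matches."""
    kind = event["type"]
    if kind == "file_create":
        m = DROP_DIR_RE.match(event["path"])
        if m and (DROPPED_EXE_RE.match(m.group(1)) or m.group(1).lower() == "anchordiag.txt"):
            return "high", "Trickbot drop artifact " + event["path"]
    elif kind == "scheduled_task" and TASK_NAME_RE.match(event["name"]):
        return "high", "Anchor_DNS persistence task " + event["name"]
    elif kind == "process" and SELF_DELETE_RE.search(event["cmdline"]):
        return "high", "self-deletion command: " + event["cmdline"]
    elif kind == "mutex" and event["name"] == MUTEX:
        return "high", "Anchor_DNS infection-marker mutex"
    elif kind == "dns":
        q = event["query"].lower().rstrip(".")
        if q in C2_DOMAINS:
            return "high", "DNS lookup of Anchor_DNS C2 domain " + q
        if q in CONNECTIVITY_CHECK_DOMAINS:
            # Legitimate services: corroborating evidence only, never a verdict on their own.
            return "low", "external-IP connectivity check to " + q
    elif kind == "netconn" and event["dst_ip"] in C2_IPS:
        return "high", "connection to historical Anchor_DNS C2 " + event["dst_ip"]
    elif kind == "beacon":
        parsed = decode_beacon(event["payload"])
        if parsed:
            return "high", "Anchor_DNS beacon from %s (build %s)" % parsed[:2]
    return None


def hunt(events):
    """Return [(severity, host, reason)] for every event that matches an indicator."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit:
            findings.append((hit[0], event["host"], hit[1]))
    return findings


def hosts_by_severity(findings):
    """Collapse findings to {host: worst_severity}, with 'high' outranking 'low'."""
    rank = {"low": 0, "high": 1}
    worst = {}
    for severity, host, _ in findings:
        if host not in worst or rank[severity] > rank[worst[host]]:
            worst[host] = severity
    return worst


# Constructed beacon: hostname and client id are made up to fit the advisory's pattern.
SAMPLE_BEACON = base64.b64encode(
    b"/anchor_dns/HOSP-WS01_W617601.0123456789abcdef0123456789abcdef/").decode()

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\jdoe\AppData\Roaming\mfjdieks.exe"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\jdoe\AppData\Roaming\anchorDiag.txt"},
    {"type": "file_create", "host": "ws02", "path": r"C:\Windows\notepad.exe"},  # benign
    {"type": "scheduled_task", "host": "ws01", "name": "autoupdate#16876"},
    {"type": "scheduled_task", "host": "ws02", "name": "autoupdate#1687"},  # 4 digits: no match
    {"type": "process", "host": "ws01", "cmdline": r"cmd.exe /c timeout 3 && del C:\Users\jdoe\mfjdieks.exe"},
    {"type": "process", "host": "ws01", "cmdline": r'cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\jdoe\AppData\Roaming\mfjdieks.exe"'},
    {"type": "mutex", "host": "ws01", "name": MUTEX},
    {"type": "dns", "host": "ws01", "query": "kostunivo.com"},
    {"type": "dns", "host": "ws03", "query": "api.ipify.org"},
    {"type": "dns", "host": "ws02", "query": "www.example.com"},  # benign
    {"type": "netconn", "host": "ws01", "dst_ip": "23.95.97.59"},
    {"type": "beacon", "host": "ws01", "payload": SAMPLE_BEACON},
]

if __name__ == "__main__":
    for severity, host, reason in hunt(SAMPLE_EVENTS):
        print(severity.upper(), host, reason)
```

Run against the constructed events, the hunt flags ws01 on nine high-confidence indicators and ws03 on a single low-confidence connectivity check; ws02 produces no findings because notepad.exe does not fit the 8-character stem and autoupdate#1687 has only four digits. In practice the `hunt` function would be fed the host's file-creation, scheduled-task, process, mutex, DNS and connection records exported from your EDR or SIEM in the same flat shape.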

© 2020 McDermott Will & Emery. National Law Review, Volume X, Number 303
About this Author

Laura E. Jehl, Partner, Global Privacy & Cybersecurity

Laura Jehl serves as global head of the Firm’s Privacy and Cybersecurity Practice. Focusing on the intersection of data, law and emerging technologies, Laura advises clients on a broad range of privacy and cybersecurity issues. She has extensive experience identifying and mitigating privacy and data protection issues arising out of the collection, use and storage of data as well as the design of new business models, products and technologies. With unique experience as a former senior in-house counsel and C-suite executive, she understands the business, legal and...

202-756-8930
Lynette Ryan Arce, Associate, Cybersecurity Lawyer, McDermott

Lynette Arce focuses her practice on privacy and data security matters. She assists clients with drafting domestic privacy policies in accordance with state and federal laws, as well as custom incident response plans for use in the event of a breach. She also assesses companies’ cybersecurity preparedness and cyber risk exposure in the context of corporate mergers and acquisitions. Lynette is a Certified Information Privacy Professional (CIPP/US) certified by the International Association of Privacy Professionals (IAPP).

While in law school, Lynette was a member...

312 984 2759