What Is Ryuk Ransomware? And Why It’s Healthcare’s Biggest Disruptor Since COVID-19

Author

ColorTokens

Read Time

7 Minutes

Last Updated

Mar 28, 2024


Organizations in the healthcare sector have been valiantly fighting to save lives since the COVID-19 pandemic began, but they’ve also had to shift focus to another type of viral attack. Since March 2020, healthcare organizations in the U.S. have been hit with multiple cyberattacks from threat actors who want to make the most of any vulnerability in their systems. The latest to join the ranks of healthcare network threats is Ryuk, a ransomware that has victimized several medical organizations since September 2020.

What Is Ryuk Ransomware?

Like most ransomware attacks, Ryuk infiltrates networks and encrypts critical files while the cybercriminals behind the deployment demand ransom from the host in exchange for a decryption key. Ryuk was first discovered in 2018, and since then it has been successfully demanding ransoms to the tune of millions from private enterprises, hospitals, and local governments. It is largely believed that Ryuk is based on an older ransomware program called Hermes and is operated by a Russian-speaking cybercriminal group. [1]

How Does Ryuk Attack Hospitals?

Multiple threat detection agencies have found that Ryuk, like most other malware and ransomware, uses phishing emails to gain entry into the network. The emails are spoofed to make the user believe they come from a trusted source. Opening the email attachment introduces a trojan such as TrickBot into the host system. The trojan then harvests administrator credentials, allowing attackers to move laterally through the network in search of critical assets. Once the attackers have access to high-value assets within the network, Ryuk is executed to encrypt those assets and a ransom payment is demanded in Bitcoin.


Cyberattacks Targeting U.S. Healthcare Are on the Rise

On October 28, 2020, officials from the U.S. Department of Health and Human Services, U.S. Department of Homeland Security, and the Federal Bureau of Investigation held a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” While Ryuk is the latest and probably the most dangerous ransomware threat to the healthcare industry, it is only one of several malware attacks that have been plaguing the sector since the beginning of 2020.

In March, ransomware groups Maze and REvil targeted healthcare organizations during the early days of COVID-19. [2] University of California San Francisco School of Medicine officials paid a $1.14 million ransom demand to unlock encrypted files in June. [3] In July, biotech firm Moderna, a frontrunner in producing a COVID-19 vaccine, was targeted by cyber espionage hackers with ties to the Chinese government. [4] And in September, Universal Health Services, one of the largest U.S. healthcare chains, experienced a major cyberattack, resulting in failure of interconnected computer systems in over 400 locations. Media later reported that this cyberattack was attributed to Ryuk. [5]

The Top 4 Ways Hospitals Can Prevent Ryuk Ransomware Attacks

As cyberattacks on hospitals and healthcare organizations increase during the COVID-19 pandemic, there is a real urgency to take proactive security measures to prevent business disruptions that can put patients’ lives in danger.

Hospitals can take these four steps to protect against Ryuk ransomware and to prevent malware from spreading if they do fall victim:

  1. Cyber Hygiene Education
  2. Endpoint Protection
  3. Microsegmentation
  4. Zero Trust Security

1. Cyber Hygiene Education

Cybercriminals are very aware that people are the weakest link in the security chain, which is why phishing emails are a preferred mode of entry into an otherwise secured system. Education is the first and most basic step every healthcare organization should undertake. By teaching medical employees to identify suspicious emails and telling them not to click on unknown links or open unsolicited attachments, organizations can prevent being hacked.

2. Endpoint Protection

While basic antivirus is a bare-minimum security measure that needs to be in place, it cannot prevent sophisticated malware from exploiting system vulnerabilities. Instead, it is essential to lock down endpoints by leveraging whitelisting, blacklisting, and configurable security rules. This ensures that only the known good — files and applications that are deemed safe — are allowed to execute. All other applications that are unknown or suspicious are prevented from executing, including malware, ransomware, and zero-day attacks.

3. Microsegmentation

Ransomware operations like Ryuk are financially motivated. The cybercriminals trigger the ransomware only once they are able to access and encrypt critical, high-value healthcare assets, such as protected health information (PHI), which is federally protected under the HIPAA Privacy Rule. To reach those assets, they move laterally within the network, probing for open ports and firewall weaknesses. With microsegmentation, healthcare organizations can segment and isolate critical applications and assets. Once the segments have been defined, granular access controls can be implemented so that authorized users can reach only their assigned applications. Microsegmentation prevents both lateral movement and unauthorized access from compromised systems.

4. Zero Trust Security

Zero trust security is a cybersecurity approach that works on the principle of least privilege. Any user, device, or application is granted access only after it has been verified based on preset trust parameters. If the requestor cannot be verified on even one parameter, access is denied, and the request is deemed suspicious or unauthorized. By including zero trust principles in their security strategy, healthcare organizations can ensure that cybercriminals who gain entry via phishing or other means are detected early, and are restricted from moving laterally to gain access to critical infrastructure.
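To show how steps 2 through 4 combine against the attack chain described above, here is an added example (written for this article, not ColorTokens product code or configuration) of a default-deny policy evaluator: a flow is allowed only if it matches a segmentation rule for the expected process and every zero-trust parameter verifies. The segments, rules, and IP addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab topology (assumption, not a real hospital network).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.1.0.0/16"),  # clinician endpoints
    "ehr-app": ipaddress.ip_network("10.2.0.0/16"),       # EHR application tier
    "phi-db": ipaddress.ip_network("10.3.0.0/16"),        # databases holding PHI
}

# Allow-list of permitted flows: (source segment, destination segment, port,
# process expected to open the connection). Any flow not listed is denied.
RULES = [
    ("workstations", "ehr-app", 443, "ehr-client.exe"),
    ("ehr-app", "phi-db", 1433, "ehr-service.exe"),
]

@dataclass
class Request:
    src_ip: str
    dst_ip: str
    port: int
    process: str            # executable that opened the connection
    user_mfa: bool          # identity verified with MFA for this session
    device_compliant: bool  # endpoint passed its posture check

def segment_of(ip: str):
    """Map an address to its segment name, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def evaluate(req: Request):
    """Return (allowed, reason). Default deny: the flow must match a
    segmentation rule AND pass every trust check."""
    src, dst = segment_of(req.src_ip), segment_of(req.dst_ip)
    if src is None or dst is None:
        return False, "unknown segment"
    if (src, dst, req.port, req.process) not in RULES:
        # This is what stops lateral movement: harvested admin credentials
        # do not help if no rule permits the path from this segment.
        return False, f"no rule for {src}->{dst}:{req.port} via {req.process}"
    # Zero trust: deny on the first parameter that cannot be verified.
    checks = {"mfa": req.user_mfa, "device posture": req.device_compliant}
    for name, ok in checks.items():
        if not ok:
            return False, f"trust check failed: {name}"
    return True, "allowed"
```

A compromised workstation with stolen admin credentials still cannot reach the PHI database directly, because no rule exists for that path; the same request from the application tier, by its expected service, is allowed.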

As the world fights against an unprecedented health crisis, the healthcare sector is playing the biggest role on the frontlines of the pandemic. Bad actors are showing that they are ruthless enough to take advantage of vulnerable medical facilities. But if healthcare organizations invest in proactive security solutions that are easy to deploy and implement, they can continue to focus on what they do best: save lives.

1. https://www.csoonline.com/article/3541810/ryuk-ransomware-explained-a-targeted-devastatingly-effective-attack.html
2. https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
3. https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf
4. https://www.reuters.com/article/us-health-coronavirus-moderna-cyber-excl/exclusive-chinese-backed-hackers-targeted-covid-19-vaccine-firm-moderna-idUSKCN24V38M
5. https://www.healthcaredive.com/news/Ryuk-FBI-DHS-ransomware-healthcare/588019/