The recent nationwide UHS ransomware attack has led to an increased need for vigilance against the Ryuk ransomware strain. Since August 2018, Ryuk has been one of the most widely distributed and costly ransomware variants reported. The threat actors target high-revenue organizations, regardless of industry, in order to extort larger ransom payments. They have proved to be highly adaptable, using multiple initial infection vectors and techniques for network compromise with the goal of data encryption. Traditionally spread by commodity trojans such as Emotet and Trickbot, the subsequent Ryuk attack chain is largely fileless and leverages “living off the land” techniques to blend in with an organization’s existing infrastructure.
Enterprise-Level Mitigations Include:
Configure email gateways for preemptive blocking of malware distribution campaigns
Conduct user training to decrease the success of phishing campaigns
Disable macros in documents
Block communication with Emotet command and control infrastructure
Enable PowerShell logging
Schedule backups of data and ensure they are kept offline in a separate and secure location
Implement security alerting to identify open-source hacking and malware tools, including Bloodhound, PowerShell Empire, and Sharphound
Disable or secure and monitor Remote Desktop Protocol
Disable or strictly limit and monitor the usage of PsExec
If remote access is needed, audit access, ensure that login credentials are complex, and implement a 2FA solution to prevent unauthorized access
Follow the principle of least privilege for all user accounts
Set a network performance baseline for network monitoring to aid in detecting anomalous movement
Ensure that endpoint protection suites or EDR solutions offer detailed visibility and can show the scripts run on endpoints
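As an added example that is not part of the original advisory, the following PowerShell turns on Script Block Logging (the "Enable PowerShell logging" item above) and then sweeps the resulting Event ID 4104 records for the tool names the alerting item calls out. The keyword pattern and the 24-hour look-back window are assumptions to be tuned to your environment; run it elevated on the endpoint being checked.

```powershell
# Added example (not the advisory's own code). Run as Administrator.
# Step 1: enable Script Block Logging through the same policy key Group Policy writes,
# so the full text of every script block lands in the PowerShell Operational log.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Step 2: indicator strings for the tools named in the mitigation list.
# Assumed starting set; extend it with what your EDR or threat-intel feed provides.
# PowerShell's -match is case-insensitive by default.
$toolPattern = 'SharpHound|Invoke-BloodHound|BloodHound|Empire|PsExec'

# Step 3: pull Event ID 4104 (script block text) from the assumed 24-hour window and
# keep only blocks whose text matches the pattern. SilentlyContinue suppresses the
# "No events were found" error Get-WinEvent raises when the window is empty.
$since = (Get-Date).AddHours(-24)
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match $toolPattern } |
ForEach-Object {
    # Collapse whitespace first so the snippet length is computed on the text we show.
    $text = ($_.Message -replace '\s+', ' ')
    [PSCustomObject]@{
        Time     = $_.TimeCreated
        Computer = $_.MachineName
        UserSid  = $_.UserId
        Matched  = ([regex]::Match($text, $toolPattern, 'IgnoreCase')).Value
        Snippet  = $text.Substring(0, [Math]::Min(200, $text.Length))
    }
}

# Step 4: surface the hits for SOC triage; an empty table means no match in the window,
# not that logging is off (check the registry value above if nothing ever appears).
$hits | Sort-Object Time | Format-Table -AutoSize
```

The same 4104 query can be pointed at a forwarded-events collector with `-ComputerName` to cover a fleet instead of one host.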
MI|HSOC Enhanced Monitoring
The Ryuk ransomware outbreak suffered by Universal Health Services provides the healthcare community with great insight into the impact and significance of the Ryuk ransomware threat. In response, the Mi|HSOC has implemented several additional monitoring and detection capabilities focused on known Emotet, Trickbot, and Ryuk TTPs and IOCs.
1) Currently known indicators of compromise resulting from the UHS Ryuk incident have been ingested into the Mi|HSOC SOAR platform for correlation against participant signal.
2) Mi|HSOC engineers have built integrations with several intelligence feeds, updated hourly, that carry Emotet-, Trickbot-, and Ryuk-specific indicators of compromise.
3) If any participant alerting indicates a correlation with Emotet, Trickbot, or Ryuk IOCs, a new threat activity alert will be created in the SOAR platform with a significantly increased priority. These alerts will be triaged in real time and escalated to the originating participant after analyst verification.
4) Mi|HSOC analysts are executing ad hoc threat hunting focused on identifying known TTPs.
5) Mi|HSOC SME liaisons will be working with each participant to understand any organizational gaps in the prevention and detection of the Ryuk ransomware threat.
For more information on enhanced Ryuk monitoring and detection, please reach out to Mi|HSOC or CyberForce|Q at firstname.lastname@example.org.