On Oct. 28, a joint cybersecurity advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health & Human Services. The advisory warned of an imminent cybercrime threat to U.S. hospitals and healthcare providers – specifically that a large-scale ransomware attack may be on the very near horizon. BakerHostetler’s coverage of the initial alert, including proactive measures organizations can take, can be found here.

On Oct. 29, the advisory was updated with a number of substantive and helpful data points:

• The alert now acknowledges that TrickBot, not just Ryuk, is being used heavily to deploy Conti ransomware.
• The alert now includes Bazarloader, in addition to TrickBot, as a common loader.
• The alert provides additional attack vector information, specifically detailing the phishing campaign indicators of compromise (IOCs) and common names of malicious email attachments.
• The alert provides additional TrickBot IOCs, including malicious file names and subdirectory locations.
• The alert provides TrickBot YARA rules that can be used to identify files that may be associated with TrickBot.

The updated alert can be found here.

The initial advisory also sets forth some network and ransomware best practices, including:

• Regularly back up data, air gap and password protect backup copies offline.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

To address this and other threats, healthcare organizations should also review or establish patching plans, security policies, user agreements and business continuity plans to ensure they address these current threats posed by malicious cyber actors.

BakerHostetler is actively monitoring the release of new information about the threat and will provide updates on this developing story as they become available.