Joint Federal Agency Advisory Warns of Imminent Ransomware Threats to the Healthcare and Public Health Sector

Bilzin Sumberg


As if the recent uptick in national COVID-19 cases and hospitalizations were not enough to tax an already beleaguered health system, on October 28, 2020, three federal agencies issued a cybersecurity Joint Advisory warning of a credible threat of “increased and imminent cybercrime” targeting U.S. hospitals and public sector healthcare providers. In the Joint Advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health and Human Services (HHS) warned that malicious cyber actors are targeting the public health sector with Trickbot malware that can lead to ransomware attacks, data theft, and disruption of healthcare services.

The Joint Advisory focused on a Trickbot module known as “Anchor,” which cyber actors use to target high-profile victims such as large corporations. Anchor works as a backdoor that lets victims’ machines communicate with attacker-controlled servers over the Domain Name System (DNS), so that malicious command-and-control traffic blends in with legitimate DNS traffic and evades typical network defenses. Anchor is particularly aggressive malware: it creates a scheduled task that runs every 15 minutes to maintain persistence on victims’ machines.

An Anchor Trickbot infection implants Ryuk malware into systems for financial gain. Ryuk ransomware targets victims that malicious actors perceive to have the ability to pay exorbitant sums of money. Ryuk ransomware often goes undetected until days or months after the initial infection. This allows the malicious actor sufficient time to surveil the infected network to identify critical network systems and users, or to shut down or uninstall critical security applications that would otherwise prevent ransomware from executing.

In the Joint Advisory, CISA, FBI and HHS encourage healthcare organizations to maintain or reinforce their business continuity plans, and to ensure that they are following best practices for cybersecurity, including, for example:

  • Patching operating systems, software and firmware as soon as manufacturers release updates;
  • Regularly changing passwords to network systems and accounts;
  • Using multi-factor authentication where possible; and
  • Identifying critical assets and creating backup systems, and housing those backup systems offline from the network.

Organizations should review the Joint Advisory’s list of indicators of Trickbot infection, as these are key indicators of an imminent ransomware attack. For example, organizations should, at a minimum, search their C:\Windows directories for suspicious 12-character .exe files, or “anchorDiag.txt” files.
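The following PowerShell function is an added example of how a Windows administrator might run that minimum check; it is not code from the Joint Advisory or from the authors of this post. It assumes the "12-character" rule refers to the base name before the .exe extension, looks only at the top level of the Windows directory, and uses the invented name Find-AnchorIndicators. A match is a triage lead, not proof of infection: the Authenticode signature status is recorded for each hit so that a validly signed Microsoft binary can be ruled out before the incident response plan is invoked.

```powershell
# Added example, not part of the advisory: triage scan for the two Anchor/Trickbot
# file indicators named in the post (anchorDiag.txt and 12-character .exe files in
# C:\Windows). Run from an elevated prompt. Function name and parameters are
# assumptions chosen for this example.
function Find-AnchorIndicators {
    [CmdletBinding()]
    param(
        # Directory to inspect; defaults to the Windows directory of this host.
        [string]$Path = $env:SystemRoot,
        # Assumed interpretation: length of the base name, excluding ".exe".
        [int]$NameLength = 12
    )

    $hits = @()

    # Indicator 1: a file named anchorDiag.txt directly inside the directory.
    $diag = Join-Path $Path 'anchorDiag.txt'
    if (Test-Path -LiteralPath $diag -PathType Leaf) {
        $hits += [pscustomobject]@{
            Indicator = 'anchorDiag.txt'
            File      = $diag
            Signature = 'n/a (text file)'
        }
    }

    # Indicator 2: .exe files with a 12-character base name at the top level of the
    # directory. -Force includes hidden files; add -Recurse only if your playbook
    # calls for it, since subdirectories hold many legitimately named binaries.
    $exes = Get-ChildItem -LiteralPath $Path -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -and $_.BaseName.Length -eq $NameLength }

    foreach ($exe in $exes) {
        # Signature status is a triage aid: a valid Microsoft signature makes a benign
        # explanation likely; NotSigned or HashMismatch warrants a closer look.
        $sig = Get-AuthenticodeSignature -LiteralPath $exe.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        $hits += [pscustomobject]@{
            Indicator = "$NameLength-character .exe"
            File      = $exe.FullName
            Signature = "$($sig.Status); signer: $signer"
        }
    }

    return $hits
}

# Usage: review every hit with the incident response team before acting on it.
$results = @(Find-AnchorIndicators)
if ($results.Count -eq 0) {
    Write-Output "No Anchor file indicators found in $env:SystemRoot"
} else {
    $results | Format-Table -AutoSize
    # Preserve the findings for the incident record.
    $results | Export-Csv -Path (Join-Path $env:TEMP 'anchor-indicator-hits.csv') -NoTypeInformation
}
```

The scan is deliberately narrow, mirroring the post's "at a minimum" wording; the complete indicator list in the Joint Advisory itself (including network and process indicators) should drive any fuller hunt, and a confirmed hit should trigger the organization's business continuity and incident response plans rather than ad hoc cleanup.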

All organizations, whether in the healthcare public sector or not, should note and implement the recommendations in the Joint Advisory. The best defense against a ransomware attack is frequent, if not daily, backups of critical files and network systems, which neutralize the threat of inaccessible data. Paying a ransomware demand does not ensure recovery of stolen or compromised data, and may run afoul of federal regulations prohibiting payments to foreign actors. Now is the time to immediately back up data, password-protect backup copies kept offline, and maintain backup servers in a separate physical location.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bilzin Sumberg | Attorney Advertising
