As if the recent uptick in national COVID-19 cases and hospitalizations were not enough to tax an already beleaguered health system, on October 28, 2020, three federal agencies issued a cybersecurity Joint Advisory warning of a credible threat of “increased and imminent cybercrime” targeting U.S. hospitals and public sector healthcare providers. In the Joint Advisory, the Cybersecurity and Infrastructure Agency (CISA), FBI and the Department of Health and Human Services (HHS) warned that malicious cyber actors are targeting the public health sector with Trickbot malware that can lead to ransomware attacks, data theft, and disruption of healthcare service.
The Joint Advisory focused on Trickbot malware known as “Anchor,” which cyber actors use to target high-profile victims such as large corporations. Anchor works as a backdoor to allow victims’ machines to communicate with servers over Domain Name Systems (DNS) to evade typical network defenses. This enables malicious communications to blend in with legitimate DNS traffic. Anchor is particularly aggressive malware that schedules tasks every 15 minutes to persistently attack victims’ machines.
An Anchor Trickbot infection implants Ryuk malware into systems for financial gain. Ryuk ransomware targets victims that malicious actors perceive to have the ability to pay exorbitant sums of money. Ryuk ransomware often goes undetected until days or months after the initial infection. This allows the malicious actor sufficient time to surveil the infected network to identify critical network systems and users, or to shut down or uninstall critical security applications that would otherwise prevent ransomware from executing.
In the Joint Advisory, CISA, FBI and HHS encourage healthcare organizations to maintain or reinforce their business continuity plans, and to ensure that they are following best practices for cybersecurity, including, for example:
- Patching operating systems, software and firmware as soon as manufacturers release updates;
- Regularly changing passwords to network systems and accounts;
- Using multi-factor authentication where possible; and
- Identifying critical assets and creating backup systems, and housing those backup systems offline from the network.
Organizations should review the Joint Advisory’s list of indicators of Trickbot infection, as these are key indicators of an imminent ransomware attack. For example, organizations should, at a minimum, search their C:\\Windows directories for suspicious 12-character .exe files, or “anchorDiag.txt” files.
All organizations, whether in the healthcare public sector or not, should note and implement the recommendations in the Joint Advisory. The best defense to a ransomware attack is frequent, if not daily, backups of critical files and network systems to neutralize the threat of inaccessible data. Paying a ransomware demand does not ensure recovery of stolen or compromised data, and may run afoul of federal regulations prohibiting payments to foreign actors. Now is the time to immediately back up data, password protect backup copies offline, and maintain backup servers in a separate physical location.