The FBI has warned that US hospital systems are facing ‘imminent’ threat of cyber attacks.
In light of this, the ThreatConnect research team has identified several sets of infrastructure associated with ongoing Ryuk activity and outlines proactive measures that defenders can take against it.
Our research team has identified several sets of infrastructure associated with ongoing Ryuk activity, the ransomware that the criminal threat group tracked as UNC1878 / Wizard Spider has used to target US hospital networks and an Italian IT services company. Since late September, we have identified numerous Ryuk domains based on consistencies with the group's previously identified infrastructure.
The domain consistencies include naming similarities, reuse of SSL certificate subject strings, registration through one of a few resellers/registrars, and reuse of the same Internet service providers (ISPs), and in some cases the same small Classless Inter-Domain Routing (CIDR) blocks, for hosting. In and of themselves, none of these traits is unique to these Ryuk operations; taken together, however, they are pivots that defenders can proactively exploit to hunt for new infrastructure that may be associated with this campaign. Because any single trait will also match unrelated domains, candidates surfaced this way should be corroborated (for example, against passive DNS or certificate transparency data) before they are blocked.
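The following is an added example, not ThreatConnect's tooling or any indicator from this campaign, showing how the pivots above can be combined into a weighted score for hunting candidate domains. Every domain name, certificate subject, registrar, ASN and address in it is constructed for illustration (RFC 5737 documentation ranges and .example names); the weights and the 0.8 name-similarity threshold are assumptions to tune against your own known-good and known-bad data.

```python
"""Score candidate domains against known infrastructure using the pivots described above."""
import ipaddress
from difflib import SequenceMatcher

# Constructed, hypothetical records standing in for confirmed campaign infrastructure.
# Nothing here is a real indicator; the values only exercise the matching logic.
KNOWN_INFRA = [
    {"domain": "service-update1.example",
     "cert_subject": "CN=example.local, O=Acme, L=London",
     "registrar": "Registrar-A", "asn": "AS64500", "ip": "198.51.100.10"},
    {"domain": "service-update2.example",
     "cert_subject": "CN=example.local, O=Acme, L=London",
     "registrar": "Registrar-A", "asn": "AS64500", "ip": "198.51.100.20"},
]
# Small CIDR block observed hosting the known domains (constructed).
KNOWN_CIDRS = [ipaddress.ip_network("198.51.100.0/27")]

# Assumed weights: exact reuse of a certificate subject string or a small hosting block
# is a stronger link than a shared registrar or ISP, which many unrelated domains share.
WEIGHTS = {"name": 1, "cert": 2, "registrar": 1, "asn": 1, "cidr": 2}
NAME_SIMILARITY = 0.8  # assumed cut-off for "naming similarity"

# Constructed candidate records, e.g. pulled from passive DNS or certificate transparency.
CANDIDATES = [
    {"domain": "service-update3.example",          # matches on every pivot
     "cert_subject": "CN=example.local, O=Acme, L=London",
     "registrar": "Registrar-A", "asn": "AS64500", "ip": "198.51.100.30"},
    {"domain": "acme-login.example",               # cert + registrar only
     "cert_subject": "CN=example.local, O=Acme, L=London",
     "registrar": "Registrar-A", "asn": "AS64510", "ip": "198.51.100.200"},
    {"domain": "news-portal.example",              # unrelated
     "cert_subject": "CN=news-portal.example",
     "registrar": "Registrar-B", "asn": "AS64501", "ip": "203.0.113.5"},
]


def name_similarity(domain, known):
    """Highest character-level similarity between a candidate and any known domain."""
    return max(SequenceMatcher(None, domain, k["domain"]).ratio() for k in known)


def score_candidate(cand, known=KNOWN_INFRA, cidrs=KNOWN_CIDRS):
    """Return (score, matched_pivots) for one candidate record."""
    matched = []
    if name_similarity(cand["domain"], known) >= NAME_SIMILARITY:
        matched.append("name")
    if cand["cert_subject"] in {k["cert_subject"] for k in known}:
        matched.append("cert")
    if cand["registrar"] in {k["registrar"] for k in known}:
        matched.append("registrar")
    if cand["asn"] in {k["asn"] for k in known}:
        matched.append("asn")
    ip = ipaddress.ip_address(cand["ip"])
    if any(ip in net for net in cidrs):
        matched.append("cidr")
    return sum(WEIGHTS[p] for p in matched), matched


def hunt(candidates, threshold=4, known=KNOWN_INFRA, cidrs=KNOWN_CIDRS):
    """Return (score, pivots, domain) for candidates at or above the threshold, best first.

    The threshold is deliberately above the weight of any single pivot, so a domain
    that merely shares a registrar or an ISP with known infrastructure is not flagged.
    """
    hits = []
    for cand in candidates:
        score, pivots = score_candidate(cand, known, cidrs)
        if score >= threshold:
            hits.append((score, pivots, cand["domain"]))
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for score, pivots, domain in hunt(CANDIDATES):
        print(f"{domain}: score {score}, pivots {pivots}")
```

With the constructed data only `service-update3.example` reaches the threshold; `acme-login.example` shares the certificate subject and registrar but not the hosting block or naming pattern, so it stays below it and would go to an analyst for corroboration rather than straight to a blocklist.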
While we do not have specific insight into the operations and targets of this campaign, based on news reports, defenders at healthcare and IT services organisations should be on their guard and consider proactive measures for defending against Ryuk. Malicious actors using ransomware most likely see these sectors as a treasure trove because of the personal and sensitive data these organisations hold and the crucial services they provide. Potential targets should understand as much as they can about the threats they face, including the malware and infrastructure the threat actors employ. This campaign also highlights the need for increased intelligence sharing, within and among targeted organisations and sectors, so that affected organisations have the specific intelligence they need to defend against the threats they are facing.
With a direct understanding of the threats they face, organisations can develop strategies that address attacks, proactively defend against them, and respond quickly to limit the impact of adversaries.