Hospital Ransomware COVID-19 Exploits
I. Targeted Industries
- General Businesses
- Government Agencies
Microsoft has recently sent targeted notifications to several hospitals about gateway and virtual private network (VPN) appliances that leave them exposed to ransomware attacks. Microsoft has been specifically tracking the REvil (Sodinokibi) ransomware campaign. REvil runs human-operated ransomware attacks against organizations such as healthcare and medical facilities, which are among the most vulnerable to the disruption these attacks cause because they often lack the time or resources to install the latest patches or update their firewalls. The COVID-19 crisis makes hospitals even more vulnerable for the same reasons, which is why they are a large part of Microsoft’s effort to protect critical services at this time.
III. Background Information
REvil (Sodinokibi) is associated with what are known as human-operated ransomware campaigns. These are a step above traditional ransomware attacks such as WannaCry and NotPetya, which spread automatically. The criminals behind these attacks have a deep understanding of system administration and of common network security misconfigurations, and they employ credential theft and lateral movement methods typically seen in nation-state attacks. A human-operated ransomware intrusion typically begins by gaining a foothold in the network through misconfigured or outdated web servers. It proceeds with a commodity malware infection and thorough reconnaissance to find weak security controls. Credentials are then stolen and privileges escalated, which enables lateral movement, and finally security controls are disabled. Microsoft stated that its intelligence ties the infrastructure used in the recent VPN attacks to the REvil infrastructure seen in campaigns last year. Overall, there are no novel attack techniques; instead, tactics repurposed from nation-state attacks exploit the urgent need for information during the COVID-19 crisis.
Microsoft’s immediate recommendations include:
- Security Updates for VPN and Firewalls
Ensure that VPN appliances and firewalls are correctly configured and fully patched, and install the latest security updates as soon as they are released.
Recommended Links: https://www.us-cert.gov/ncas/alerts/aa20-073a and https://www.nist.gov/blogs/cybersecurity-insights/preventing-eavesdropping-and-protecting-privacy-virtual-meetings
- Closely Monitor Remote Access Infrastructure
Investigate unusual activity in event logs immediately. In the event of a compromise, reset the passwords of all accounts, since their credentials may have been stolen.
- Turn on Attack Surface Reduction Rules
Enable the rules that block credential theft from the Local Security Authority Subsystem (lsass.exe) and that provide advanced protection against ransomware activity.
- Turn on AMSI for Office VBA
If the organization uses Office 365, enable Antimalware Scan Interface (AMSI) scanning of Office VBA macros so that macro behaviour is inspected at runtime.
- Limit Privileges
Use account controls (for example, User Account Control on Windows) to limit what a user or program can do without explicit permission; users are then prompted whenever a change that requires elevated privileges is attempted.
- Password Security
Implement password management processes, including strong, unique passwords for privileged and service accounts.
Recommended link: https://www.us-cert.gov/ncas/current-activity/2018/03/27/Creating-and-Managing-Strong-Passwords
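The attack surface reduction and AMSI items above can be applied and verified from PowerShell. The following is an added example written for this page, not code from the advisory or from Microsoft. It assumes a Windows 10/11 host running Microsoft Defender Antivirus, an elevated session, the two ASR rule GUIDs as published in Microsoft's Defender documentation, and the Office 16.0 policy registry path for the MacroRuntimeScanScope value; confirm both the GUIDs and the path against current documentation before rolling this out.

```powershell
# Added example; not code from the advisory or from Microsoft. Applies the two
# ASR rules the advisory refers to (block credential theft from lsass.exe and
# advanced ransomware protection) in block mode, turns on AMSI scanning for
# all Office VBA macros, and reads the settings back for verification.
# Assumptions: Windows 10/11 with Microsoft Defender Antivirus active, run
# from an elevated PowerShell; rule GUIDs and the registry path are the ones
# Microsoft documents, but check them against current documentation.
#Requires -RunAsAdministrator

$AsrRules = [ordered]@{
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from lsass.exe'
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
}

# Enabled = block. Use AuditMode first if you need to measure the impact on
# clinical or vendor applications before enforcing.
$Action = 'Enabled'

foreach ($rule in $AsrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Key `
                     -AttackSurfaceReductionRules_Actions $Action
    Write-Host "ASR $($rule.Key) ($($rule.Value)) -> $Action"
}

# AMSI for Office VBA. MacroRuntimeScanScope: 0 = disabled,
# 1 = low-trust documents only (the default), 2 = all documents.
# Assumed policy path for Office 2016 / Microsoft 365 Apps (16.0).
$AmsiKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security'
New-Item -Path $AmsiKey -Force | Out-Null
Set-ItemProperty -Path $AmsiKey -Name 'MacroRuntimeScanScope' -Value 2 -Type DWord

# Verify: Get-MpPreference exposes parallel arrays of rule IDs and actions.
$Pref = Get-MpPreference
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $Pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id  = $Pref.AttackSurfaceReductionRules_Ids[$i]
    $act = [int]$Pref.AttackSurfaceReductionRules_Actions[$i]
    if ($AsrRules.Contains($id)) {
        Write-Host ("{0}  {1}" -f $id, $ActionName[$act])
    }
}
$Scope = (Get-ItemProperty -Path $AmsiKey -Name 'MacroRuntimeScanScope').MacroRuntimeScanScope
Write-Host "MacroRuntimeScanScope = $Scope (expect 2)"
```

Rolling the rules out in audit mode first matters in a hospital: ASR events (Defender operational log, event IDs 1121/1122) show which clinical or vendor applications would have been blocked, so exceptions can be scoped before enforcement. The registry value is per user (HKCU); for fleet deployment set the same policy through Group Policy or Intune instead.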
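For the "closely monitor remote access infrastructure" item, one concrete check is to look for the footprint an intrusion leaves in the Security log of a VPN or RDP gateway: many failed logons (event 4625) against different accounts from a single source address, followed by a successful logon (event 4624) from that same address. The script below is an added example written for this page, not code from the advisory or from Microsoft. Its event set is constructed sample data so that it runs offline; the function names, the 203.0.113.45 / 198.51.100.7 / 192.0.2.9 addresses and the account names are all invented for illustration, and the thresholds are assumptions to tune for your environment.

```powershell
# Added example; not code from the advisory or from Microsoft. Scans logon
# events for the pattern a human-operated intrusion leaves on a remote-access
# host: failed logons (4625) against many accounts from one source address,
# followed by a successful logon (4624) from that address. The event set is
# constructed sample data so the script runs offline; on a real host feed it
# the output of ConvertFrom-LogonEvent over Get-WinEvent instead.

function Get-SampleLogonEvents {
    # Constructed data (not real telemetry). Fields mirror the EventData
    # values TargetUserName, IpAddress and LogonType of 4624/4625 events.
    $rows = @(
        # Spray from 203.0.113.45: six accounts fail, then a service account succeeds over RDP (type 10).
        '2020-03-30T02:14:01,4625,nurse01,203.0.113.45,3',
        '2020-03-30T02:14:09,4625,nurse02,203.0.113.45,3',
        '2020-03-30T02:14:17,4625,radiology,203.0.113.45,3',
        '2020-03-30T02:14:25,4625,admin,203.0.113.45,3',
        '2020-03-30T02:14:33,4625,jsmith,203.0.113.45,3',
        '2020-03-30T02:14:41,4625,svc_backup,203.0.113.45,3',
        '2020-03-30T02:22:05,4624,svc_backup,203.0.113.45,10',
        # A user mistyping a password twice from 198.51.100.7: one account, benign.
        '2020-03-30T08:01:10,4625,jsmith,198.51.100.7,10',
        '2020-03-30T08:01:30,4625,jsmith,198.51.100.7,10',
        '2020-03-30T08:01:55,4624,jsmith,198.51.100.7,10',
        # Spray from 192.0.2.9 that never succeeds.
        '2020-03-30T03:40:00,4625,nurse03,192.0.2.9,3',
        '2020-03-30T03:40:05,4625,nurse04,192.0.2.9,3',
        '2020-03-30T03:40:10,4625,pharmacy,192.0.2.9,3',
        '2020-03-30T03:40:15,4625,labtech,192.0.2.9,3',
        '2020-03-30T03:40:20,4625,itadmin,192.0.2.9,3'
    )
    $rows | ConvertFrom-Csv -Header Time,Id,User,Ip,LogonType
}

function ConvertFrom-LogonEvent {
    # Turns a Security-log record from Get-WinEvent into the same shape, e.g.
    # Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} | ConvertFrom-LogonEvent
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $Record.TimeCreated.ToString('s'); Id = $Record.Id
            User = $d['TargetUserName']; Ip = $d['IpAddress']; LogonType = $d['LogonType']
        }
    }
}

function Find-SuspiciousLogonSources {
    param(
        [object[]] $Events,
        [int] $MinFailedAccounts = 5,   # distinct accounts failing from one IP (assumed threshold)
        [int] $WindowMinutes = 60       # a success must follow the first failure within this window
    )
    # Local/console logons carry '-' as IpAddress; they are not remote access and are skipped.
    foreach ($src in ($Events | Where-Object { $_.Ip -and $_.Ip -ne '-' } | Group-Object Ip)) {
        $sorted   = @($src.Group | Sort-Object { [datetime]$_.Time })
        $fails    = @($sorted | Where-Object { [int]$_.Id -eq 4625 })
        $accounts = @($fails | Select-Object -ExpandProperty User -Unique)
        if ($accounts.Count -lt $MinFailedAccounts) { continue }
        $firstFail = [datetime]$fails[0].Time
        $success = $sorted | Where-Object {
            [int]$_.Id -eq 4624 -and
            ([datetime]$_.Time) -gt $firstFail -and
            (([datetime]$_.Time) - $firstFail).TotalMinutes -le $WindowMinutes
        } | Select-Object -First 1
        $logonAs  = if ($success) { $success.User } else { $null }
        $severity = if ($success) { 'High' } else { 'Medium' }
        [pscustomobject]@{
            SourceIp       = $src.Name
            FailedAccounts = $accounts.Count
            LogonAs        = $logonAs
            Severity       = $severity
        }
    }
}

Find-SuspiciousLogonSources -Events (Get-SampleLogonEvents) | Sort-Object Severity | Format-Table -AutoSize
```

On the sample data this reports 203.0.113.45 as High (six accounts failed, then svc_backup logged on) and 192.0.2.9 as Medium, while the benign mistyped password from 198.51.100.7 is not flagged. A High result is exactly the case where the advisory's advice applies: treat the host as compromised, reset the credentials involved, and check for follow-on lateral movement from it.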
Further recommendations and mitigation steps from Microsoft can be found at the following link:
V. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
“Human-Operated Ransomware Attacks: A Preventable Disaster.” Microsoft Security, March 28, 2020. https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/.
Landi, Heather. “Microsoft Warns Hospitals of Sophisticated Ransomware Attacks Targeting Remote Workforce.” FierceHealthcare, April 1, 2020. https://www.fiercehealthcare.com/tech/microsoft-warns-hospitals-sophisticated-ransomware-attacks-targeting-remote-workforce.
“Microsoft Works with Healthcare Organizations to Protect from Popular Ransomware during COVID-19 Crisis: Here’s What to Do.” Microsoft Security, April 1, 2020.
Muncaster, Phil. “Hospitals VPNs Targeted by Ransomware as COVID19 Takes Its Toll.” Infosecurity Magazine, April 2, 2020. https://www.infosecurity-magazine.com/news/hospitals-vpns-ransomware-covid19/.
Tung, Liam. “Coronavirus: Microsoft Directly Warns Hospitals, ‘Fix Your Vulnerable VPN Appliances’.” ZDNet, April 1, 2020. https://www.zdnet.com/article/coronavirus-microsoft-directly-warns-hospitals-fix-your-vulnerable-vpn-appliances/.
Waldman, Arielle. “Microsoft Warns Hospitals of Impending Ransomware Attacks.” SearchSecurity, TechTarget, April 3, 2020. https://searchsecurity.techtarget.com/news/252481164/Microsoft-warns-hospitals-of-impending-ransomware-attacks.