TTCSIRT-THREAT ALERT: Ransomware Activity Targeting the Healthcare and Public Health Sector

Please be advised, there is an observed significant increase in ransomware attacks targeting Healthcare and the Health Sector in neighboring countries. Ransomware is a type of malware that prevents users from accessing their system or files and demands a ransom payment in order to regain access.

Threat actors have also threaten to publish or sell the victim’s sensitive data if they refuse to pay however paying the ransom does not guarantee that an organization will regain access to their data.

TT-CSIRT is urging all entities to adopt a heighten state of awareness and be guided by the following:

Attack Vectors
Ransomware attacks can be initiated through multiple attack vectors. The most prominent ones that TT-CSIRT has seen used against local entities are:

• Exploiting system vulnerabilities (particularly outdated firewall devices and exposed remote desktop protocol)
• Phishing emails with infected attachments or links
• Compromising user credentials

These threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their malicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control (C2) server and install it on the victim’s machine.

TrickBot Indicators of Compromise
After successful execution of the malware, TrickBot copies itself as an executable file with a 12-character randomly generated file name (e.g. mfjdieks.exe) and places this file in one of the following directories.

• C:\Windows\
• C:\Windows\SysWOW64\
• C:\Users\[Username]\AppData\Roaming\

When ransomware is deployed and installed by the threat actors, it will then seek to encrypt documents and files within the computer and other connected systems on the network. Once the ransomware has completed file encryption, it creates and displays a ransom note containing instructions on how the victim can pay the ransom. Again, payment of the ransom does not guarantee that an organization will regain access to their data.

Network Best Practices

• Patch operating systems, software, and firmware as soon as manufacturers release updates.
• Check configurations for every operating system version for organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
• Use multi-factor authentication where possible.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Audit logs to ensure new accounts are legitimate.
• Scan for open or listening ports and mediate those that are not needed.
• Identify critical assets such as patient database servers, medical records; create backups of these systems and house the backups offline from the network.
• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
• Set antivirus and anti-malware solutions to automatically update; conduct regular scans.

If you become infected, isolate the affected system(s) immediately by removing the infected system from all networks, and disable all potential networking capabilities. Ensure all shared and networked drives are disconnected whether wired or wireless. Infected systems will have to be analyzed by your security team or your security provider to determine whether the encrypted data is recoverable.

For further details on this threat alert, visit the link below:
Alert (AA20-302A)