Recent Posts

Recent Blog Posts

The PhishLabs Blog

Ryuk Ransomware Targeting Healthcare

Posted by The PhishLabs Team on Oct 29, '20

Ryuk Ransomware Targeting HealthcareAs if the COVID-19 pandemic were not enough, the healthcare sector is now being actively targeted by threat actors using Ryuk ransomware. Yesterday, the FBI issued an increased and imminent cyber threat warning amid growing reports of healthcare providers falling victim to the campaign. The threat actors are using Trickbot (delivered via Emotet) to gain access to target systems and deploy Ryuk. 
 
The attacks reinforce an ongoing trend of ransomware actors strategically targeting victims that have less tolerance for downtime and a high incentive to pay the ransom. Healthcare providers already under stress from the COVID-19 pandemic may be in a poor position to say no when confronted with a ransomware attack that significantly degrades their ability to provide patient care. In September, a patient with a life-threatening condition died after a ransomware attack on a German hospital forced her to be rerouted to a more distant facility. 
 
The campaign uses email lures to deploy Emotet as the initial stage. Once infected with Emotet, Trickbot is loaded onto the compromised system. The threat actors then use Trickbot to gain access to high value targets (such as domain controllers) and deploy Ryuk ransomware across the network. 
 
The email lures often masquerade as corporate communications and link to a compromised site hosting Emotet. Many of the emails include recipient specific information such as name of employer in the subject line or email body.
 
Emotet
Example email lure
 
It’s worth noting that this campaign impacting healthcare providers comes after recent efforts by U.S. Cyber Command, Microsoft, and others to disrupt the Trickbot botnet. 
 
Recently-Observed Threat Indicators
For Emotet document/downloader URLs, we recommend the Cryptolaemus lists: https://paste.cryptolaemus.com 
 
Emotet / Trickbot email lure subject lines:
 
9100091 Canada Inc.
{First Name} {Last Name}
{Company Name} SIGNS PAYMENT NOTIFICATION 10.14.2020
{Last Name}, {First Name} Payment Summary - Ref Id: D504336
RE: Title conditions 
{Last Name}, {First Name}
my visit and call
RE: {Company Name}
upcoming commercials for approval- {Redacted}
RE: {Company Name} URGENT sept 19th if possible- please read email
Borrowing Base Certificate, A/R Aging, and Inventory listing from {Company Name}?
{Last Name}, {First Name}
Re: File # {Redacted}, Loan # {Redacted}, {Company Name}, {Address}
{Last Name}, {First Name}
{Last Name} {First Name}
{Last Name} and {Company Name} Back to Back 3-point games STAT
October Statement - {Company Name}
Payment Advice - ACH Transfer Notification - Ref:[Redacted] / ACH credits
Payroll - {Company Name}
Please approve - {Company Name}
Potential {First Name} {Last Name} Shutout STAT
Purchase Order  -  {Redacted} TSA from {Company Name}
RE: {First Name}, i'm waiting for a call
RE: {First Name}, office meeting
RE: {Last Name}
Re: Automatisch antwoord: {Redacted}  {First Name} {Last Name}  ---- BWA 03-2019
Re: {First Name} {Last Name}
RE: {Company Name}
RE: {Redacted} - {Company Name} du 30 mars au 2 avril 2020
RE: {Company Name} termination list
RE: {Company Name} - Bonus
RE: {First Name}, your task list
RE: {Company Name} URGENT sept 19th if possible- please read email
RE: {Redacted} Card, Monthly Payments
RE: Purchasing Card documents 
RE: {Company Name} - {Redacted} 
RE: Re: Brick for {First Name}
RE: RE: Enrollment Form for New Employee
Re: RE: EXTERNAL: Delivery 11-07-19
Re: RE: Loan Request
Re: RE: Local/Indy Radio Show
Re: RE: {Redacted} cARD
RE: RE: returned check NSF
RE: Report for {First Name}
RE: {Last Name}
RE: Securemail Payoff amounts needed
RE: {Company Name} Bank Employee Survey
revised commercial
{Company Name} Advisors Access Online
March Statement - {Company Name}
Please approve
{First Name} {Last Name} Online Payment - Ref Id: {Redacted}
RE: {First Name}, debit confirmation
Re: debit
RE: my call
Re: my visit and call
 
Additional Resources:

 

What's this all about?

The PhishLabs Blog is where we share our insights and thoughts on cybercrime and online fraud.

Recent Posts

Subscribe to Email Updates

Posts by Topic

see all