Healthcare organizations are the leading target for cybercriminals due to the perceived high value of data obtained on a successful attack. The number of cyber-attacks on healthcare organizations has been increasing exponentially over the past few years, with the intensity of attacks hitting its bar in the second half of 2020. On October 28, 2020, the federal government released a report concerning an attack on six hospitals in the United States over a period of 24 hours beginning October 26, 2020. In the report, the federal government identified the ransomware responsible for the attack as Ryuk Ransomware.
It noted that a list of 400 hospitals targeted by the ransomware had circulated among Russian hackers. Ryuk Ransomware encrypts information within the computer system of an organization, making it unusable. The hospitals that reported outages following the attack include Sky Lakers Medical Center, which was forced to purchase 2 000 new computers in the recovery process. Other hospitals that were affected include Klamath Falls and St. Lawrence Health System, among others whose names were not revealed.
How Ryuk Ransomware Infects a System
The user receives a phishing email that, when clicked, downloads a Trojan that paves the way for Ryuk operators. After being downloaded into the system, the malware spreads itself internally to other machines over SMBv1 and steals the system and administrator credentials which it transmits to the attacker. The Trojan then gives the attacker the command and control of victim machines, allowing them to push Ryukransomware into the system.
After gaining access and taking control over the system, Ryuk places ransomware payloads on the devices connected to the affected network through PowerShell Empire. It establishes persistence and deletes backups as well as shadow files before initiating the file encryption process. The ransomware then begins downloading additional exploitation tools while at the same time encrypting files using RSA-2048 and AES-256. The files are renamed to include a .ryk, an extension used by Ryuk. Finally, the display on computer screens is changed; in most cases, they display a note “Shadow of the Universe,” a typical Ryuk phrase.
X-PHY Protection Method
Ryuk attack initiates by user action involving downloading Trojan into a system device, creating a backdoor, which gives the attackers command and control over the compromised system. At this point, your files’ safety relies on the NAND level protection only offered by X-PHY AI Cyber Secure SSD. X-PHY trusts no one and will always be your last line of defense to protect your valuable data.When Ryuk gets into the storage, X-PHY detects it, raising an alarm and initiating lockdown to keep data safe.
The SECURITY SCOUT and GUARDIAN PRO-X features of the X-GUARD THREAT LOCK perform continuous security checks on the storage device to detect any anomalies in the device activity. In this case, the first course of action taken by the malware involves stealing and sending system and administrator credentials to the attacker. These operations will lead to increased read operations which surpasses the normal read operations in the Nand flash. The trained AI algorithm will detect an abnormal increase in the read operations associated with stealing of system and administrator credentials. As such, it will classify this activity as malicious, triggering the X-Factor Encryption lock feature to initiate system lockdown and raise an alert. The lockdown will prevent Ryuk from accessing Nand flash, keeping system data safe, and stopping the attack.