Analysis: Tactics of the Groups Attacking Hospitals with Ransomware
The situation has gotten so bad that the federal cybercrime agencies warned in October of additional “imminent” attacks against hospitals and medical centers.
There’s not much mystery about their objective. By hurting hospitals at the worst possible time (as they struggle with overcrowded emergency rooms and intensive-care units), the hospitals are more likely to pay the ransom to restore their data as quickly as possible.
But how these groups are waging their attacks is something that deserves close attention.
Who is UNC1878?
UNC1878 is one of the primary groups known to be behind the ransomware attacks on U.S. hospitals.
UNC1878 is an Eastern European group that is also known as Wizard Spider. (“UNC” is shorthand for “Uncategorized,” as coined by security analyst group Mandiant.) Mandiant found that the group is behind roughly 1 in every 5 attacks using Ryuk ransomware, which is commonly used in attacks on hospitals.
UNC1878 was first identified in January 2020, but went largely under the radar for most of the year. That changed in September of 2020 when the group resurfaced and began aggressively targeting hospitals across the healthcare industry, as well as other vulnerable organizations, such as retirement communities.
Despite the fact that there is an ongoing global pandemic—and indeed because of it—the group has been specifically going after organizations that provide some form of care to individuals.
What We Know So Far
UNC1878 has hit more than 20 healthcare facilities with a specific type of ransomware called Ryuk.
Experts suspect the group may have been behind the attack on Universal Health Services in September – one of the worst attacks on the U.S. healthcare system to date, affecting more than 400 facilities nationwide. More recently, UNC1878 was believed to be behind the attack on the University of Vermont Health Systems, which forced its Burlington hospital to temporarily stop taking trauma patients and divert them to other facilities.
Ryuk-based ransomware attacks have become so commonplace that the United States Cybersecurity and Infrastructure Security Agency has specifically called it out as a top threat to hospitals. Groups using Ryuk have been using increasingly advanced software over the last few years, making them harder to stop. (However, as we outline below, most attacks still rely on deceiving users to initially break into networks.) One of their tactics is the use of TrickBot – one of the world’s largest botnets, which collectively harnesses the power of numerous infected computers to spread its infections outward across networks.
Even though Microsoft and other agencies, such as the United States Cyber Command, recently took down some of TrickBot’s “command and control servers” around the world, the botnet is still active and just as dangerous.
Let’s take a closer look at how UNC1878 hits various hospital systems. Using the Bazar malware system, also known as Team 9, UNC1878 leverages a variety of tools in conjunction with TrickBot to deliver Ryuk ransomware’s payload to its target.
The Anatomy of a Ransomware Attack from UNC1878
Ransomware attacks are more successful when the attackers are able to gain information about their target, such as its security practices (or lack thereof), networks and so on. This is what differentiates a targeted attack from one that is mass-distributed at random with bulk spam emails.
Like many ransomware attacks, UNC1878 usually initiates an attack on its target with a phishing campaign. The phishing campaign is used to gain login credentials for the hospital’s network. Then, they use this information to learn everything they can about the hospital, its networks, its servers and how they work.
Usually, UNC1878’s phishing emails contain links to a shared Google Docs document or PDF. The document then contains a link to a URL that hosts the malware payload.
Spotting a Phishing Attack
Similar to most phishing campaigns, UNC1878’s emails typically masquerade as some form of generic corporate communications. Examples of information they may contain:
- Sensitive documents related to the healthcare system
- Information regarding phone call terminations
- Questions about bonuses
- Work schedule issues
- Surveys regarding the company culture
- Questions about business hours
Emails may contain the name of the recipient or the name of the employer somewhere in the subject line or email body, making them even more deceptive. In highly targeted attacks, they can be even more personalized and convincing.
The unsuspecting victims click on the links and attempt to log in to view the document, thus surrendering their credentials and providing the attackers with the access they need. Or, they visit a legitimate Google document, and when they click the malicious link in the document, it executes a loader for the malware to be delivered.
The Attack Unfolds
The loader downloads Cobalt Strike Beacon or PowerTrick to establish a presence in the network. Then, these tools are able to communicate with the botnet’s command and control server, which controls the entire operation. Cobalt Strike Beacon is more common, and PowerTrick is usually used to perform reconnaissance regarding the host. Usually, UNC1878 is able to maintain its presence in the network by creating a scheduled task, creating a Microsoft BITS job or adding itself as a shortcut to the startup folder.
The malware will also use stolen login credentials to gain more privileges, escalating its presence across the network. At this point, phishing emails are no longer needed, as the malware can gain access to systems where credentials are stored. Researchers at Mandiant say that UNC1878 obtains the credentials using Mimikatz via exported copies of the ntds.dit Active Directory database and registry hives from a Domain Controller.
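The persistence mechanisms and the credential export just described all leave traces in Windows event logs, which is where a hospital SOC can catch the intrusion before Ryuk is deployed. The following is an added example, not code from the original article: a handful of simplified detection rules run over constructed events shaped like parsed Security, Sysmon and BITS-Client log records. The field names, the host and account names, the TEST-NET address and the BITS allowlist are all this example's own assumptions.

```python
"""Simplified detection rules for the persistence and credential-theft steps
described above (added example, not from the original article). The events are
constructed to resemble parsed Windows Security, Sysmon and BITS-Client records;
the field names and the BITS allowlist are this example's own assumptions."""

import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Placeholder allowlist: internal update sources a hospital would expect BITS to use.
ALLOWED_BITS_PREFIXES = ("https://wsus.hospital.example/", "https://update.microsoft.com/")

# Constructed sample events. Hosts, accounts, paths and the TEST-NET address are invented.
SAMPLE_EVENTS: List[Event] = [
    # Security 4698 (scheduled task created) whose action runs from a user-writable path
    {"channel": "Security", "event_id": 4698, "host": "WS-ADMIN-12", "user": "HOSP\\jdoe",
     "task_name": "\\Updater", "task_command": "C:\\Users\\jdoe\\AppData\\Roaming\\svc\\update.exe"},
    # Security 4698 for a vendor task under Program Files: should not alert
    {"channel": "Security", "event_id": 4698, "host": "WS-LAB-03", "user": "NT AUTHORITY\\SYSTEM",
     "task_name": "\\Vendor\\Maintenance", "task_command": "C:\\Program Files\\Vendor\\maint.exe"},
    # BITS-Client 59 (transfer job started) pulling from an unexpected external URL
    {"channel": "Microsoft-Windows-Bits-Client/Operational", "event_id": 59, "host": "WS-ADMIN-12",
     "user": "HOSP\\jdoe", "job_name": "dl", "url": "http://203.0.113.10/payload.bin"},
    # Sysmon 11 (file created): a shortcut dropped into the per-user Startup folder
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 11, "host": "WS-ADMIN-12",
     "user": "HOSP\\jdoe", "target_filename": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows"
                                                "\\Start Menu\\Programs\\Startup\\svc.lnk"},
    # Security 4688 (process created) on a domain controller: ntdsutil exporting ntds.dit
    {"channel": "Security", "event_id": 4688, "host": "DC01", "user": "HOSP\\jdoe",
     "command_line": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    # Security 4688 on the same DC: a registry hive saved to disk
    {"channel": "Security", "event_id": 4688, "host": "DC01", "user": "HOSP\\jdoe",
     "command_line": "reg.exe save HKLM\\SYSTEM C:\\temp\\sys.hiv"},
    # Security 4688 for routine replication checks: should not alert
    {"channel": "Security", "event_id": 4688, "host": "DC01", "user": "HOSP\\admin",
     "command_line": "repadmin.exe /replsummary"},
]

USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
NTDS_EXPORT = re.compile(r"ntdsutil.*\b(ifm|ac i ntds)\b", re.I)
HIVE_SAVE = re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)
CRED_DUMP = re.compile(r"mimikatz|sekurlsa", re.I)


def _field(e: Event, key: str) -> str:
    return str(e.get(key, ""))


# (rule name, predicate). The prefix before the dot is the tactic the rule belongs to.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("persistence.scheduled_task_user_path",
     lambda e: e["event_id"] == 4698 and bool(USER_WRITABLE.search(_field(e, "task_command")))),
    ("persistence.bits_job_external_url",
     lambda e: e["event_id"] == 59 and "Bits-Client" in _field(e, "channel")
     and not _field(e, "url").startswith(ALLOWED_BITS_PREFIXES)),
    ("persistence.startup_folder_shortcut",
     lambda e: e["event_id"] == 11 and "Sysmon" in _field(e, "channel")
     and bool(STARTUP_LNK.search(_field(e, "target_filename")))),
    ("credential_access.ntds_export",
     lambda e: e["event_id"] == 4688 and bool(NTDS_EXPORT.search(_field(e, "command_line")))),
    ("credential_access.registry_hive_save",
     lambda e: e["event_id"] == 4688 and bool(HIVE_SAVE.search(_field(e, "command_line")))),
    ("credential_access.mimikatz_cmdline",
     lambda e: e["event_id"] == 4688 and bool(CRED_DUMP.search(_field(e, "command_line")))),
]


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event; one alert per (event, rule) match."""
    alerts = []
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                alerts.append({"rule": name, "host": _field(ev, "host"),
                               "user": _field(ev, "user"), "event_index": idx})
    return alerts


def accounts_spanning_tactics(alerts: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Accounts seen in more than one tactic. The chain described in the article
    (persistence on a workstation, then credential export on a domain controller)
    surfaces as one account tied to both, even though the hosts differ."""
    tactics = defaultdict(set)
    for a in alerts:
        tactics[str(a["user"])].add(str(a["rule"]).split(".")[0])
    return {u: sorted(t) for u, t in tactics.items() if len(t) > 1}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["host"]:<12} {a["user"]:<22} {a["rule"]}')
    print("accounts spanning tactics:", accounts_spanning_tactics(found))
```

Run stand-alone, the script prints five alerts (three persistence findings on the workstation, two credential-access findings on the domain controller) and names the one account that links them. The per-account correlation is the part worth copying: a scheduled task or a BITS job on its own is routine noise, but the same account touching persistence on an endpoint and an ntds.dit export on a DC within a short window is the pattern described in this section.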
The Infection Spreads
The malware moves laterally through the system using a variety of methods, including Cobalt Strike Beacon. This establishes a foothold on the network as it delivers the Ryuk ransomware. The attack then unfolds much like any other ransomware infection, encrypting files on servers and PCs across the network.
The encryption typically makes the files completely unusable. For hospitals, that can mean losing access to virtually all data and computer systems: email, network access, patient records, schedules and the devices themselves. Without access to these critical systems, hospitals are often forced to revert to paper, postpone procedures and stop accepting new patients – decisions that can literally be life-threatening.
Once the attack has encrypted all of the files, the attackers will immediately conceal evidence by deleting their tools from the compromised hosts.
As with most ransomware attacks, UNC1878’s malware will demand a ransom in exchange for decryption keys to unlock the files. On-screen instructions explain how to pay the ransom via cryptocurrency, which typically makes it untraceable.
While some healthcare providers ultimately decide to pay the ransom in a last-ditch effort to restore their critical systems, doing so is a gamble. There’s no guarantee that UNC1878 or any other hacker group will deliver the decryption keys. Federal authorities strongly advise not paying the ransom and have recently threatened sanctions for doing so, as it only bolsters the ransomware market and may even support foreign adversaries and terrorist groups.
Ransomware Prevention & Recovery for Hospitals
It can be incredibly difficult for unprepared hospitals to recover from a widespread ransomware attack. Aside from the impact on patient care, attacks are extremely costly. And in the long term, they can result in a tremendous breach of patient trust. Thus, it’s imperative for healthcare organizations to do everything possible to prevent an attack and ensure a fast recovery if an infection occurs.
Here are some of the most important steps:
- First, all hospitals and healthcare systems need to make sure that they maintain offline, encrypted backups of their data. It is important to test the efficacy of these backups on a regular basis. Backups need to be separated from the network so that ransomware attacks do not destroy backup copies of the data as well. Backups should also be stored off-site, in addition to locally, in the event that local backups become compromised.
- It is also important for hospitals to create and maintain a cybersecurity breach response plan (or a disaster recovery plan with a specific section on cyberattacks and ransomware). There needs to be a detailed communications plan that includes the notification tree and how personnel should respond to a ransomware incident.
- Hospital staff (including physicians, administrators and all other personnel) must know exactly what they are going to do if their critical information systems are inaccessible for a certain amount of time. For example, if devices must be powered down or disconnected from the network to prevent an infection from spreading, they need to know these procedures. Train staff periodically on these steps, as well as safe practices for using web and email (including tips for identifying phishing attacks), to help reduce the risks of an infection in the first place.
- Bolster cybersecurity systems and processes by following the latest guidance for preventing a ransomware attack.
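The first step above, testing backups regularly, is easy to state and easy to skip. The following is an added example of what a basic test looks like in practice; it is illustration code written for this article, not the article's own code and not the logic of any backup product. It records a SHA-256 manifest when a backup is taken, compares a restored copy against that manifest, and flags restored files whose byte entropy looks like ciphertext, which is how a file encrypted by ransomware before it was backed up shows up inside a set of ordinary documents. Every path and file in the scenario is constructed in a temporary directory, and the entropy threshold is an assumption of this example.

```python
"""Backup verification for the 'maintain and test offline backups' step (added
example, not from the original article or any vendor's product). Builds a
SHA-256 manifest of a backup set, verifies a restored tree against it, and flags
files whose content entropy is close to random. All data below is constructed."""

import hashlib
import json
import math
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path relative to root (forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_restore(restore_root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest recorded at backup time."""
    restored = build_manifest(restore_root)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(manifest.items()):
        if rel not in restored:
            report["missing"].append(rel)
        elif restored[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def suspicious_files(root: str, threshold: float = 7.5, min_size: int = 1024) -> List[str]:
    """Files whose first 64 KiB is near-random. Threshold is an assumption; formats
    that are legitimately compressed or encrypted are skipped to limit false hits."""
    skip = (".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".docx", ".xlsx")
    hits = []
    for rel in build_manifest(root):
        full = os.path.join(root, rel)
        if rel.lower().endswith(skip) or os.path.getsize(full) < min_size:
            continue
        with open(full, "rb") as f:
            if byte_entropy(f.read(65536)) >= threshold:
                hits.append(rel)
    return sorted(hits)


def demo() -> Dict[str, object]:
    """Constructed scenario: back up three files, then check a restore in which one
    file has been replaced by ciphertext-like bytes and another is missing."""
    # Deterministic stand-in for ransomware output: 4096 pseudo-random bytes.
    ciphertext_like = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "notes"))
        os.makedirs(os.path.join(src, "records"))
        with open(os.path.join(src, "notes", "a.txt"), "w") as f:
            f.write("ward rounds at 08:00, pharmacy order review at 10:00\n" * 100)
        with open(os.path.join(src, "records", "b.csv"), "w") as f:
            f.write("patient_id,ward,bed\n" + "".join(f"{i},3B,{i % 20}\n" for i in range(300)))
        with open(os.path.join(src, "c.txt"), "w") as f:
            f.write("backup job log: completed without errors\n" * 50)
        manifest = build_manifest(src)  # recorded at backup time, stored off the network

        restore = os.path.join(tmp, "restore")
        shutil.copytree(src, restore)
        with open(os.path.join(restore, "records", "b.csv"), "wb") as f:
            f.write(ciphertext_like)
        os.remove(os.path.join(restore, "c.txt"))
        return {"report": verify_restore(restore, manifest), "suspicious": suspicious_files(restore)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the piece that must live with the offline copy: a hash list kept beside the backup, rather than on the production network, lets a restore test prove the data came back intact even after the original hosts have been encrypted. The entropy check is a coarse heuristic, so treat a hit as a prompt to inspect the backup job, not as proof of infection.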
BC/DR with Built-In Ransomware Protection
Choosing the right type of backup system is critical for a hospital to be able to recover from a ransomware attack.
The Datto SIRIS helps healthcare organizations rapidly restore their systems back to normal with fast recovery options, resilient backup technology, hybrid-cloud backup storage and instant virtualization. Additionally, the system includes built-in ransomware protection, which scans each new backup for ransomware, so that admins can act quickly at the first signs of an infection.
For healthcare systems to maintain continuity after a ransomware attack, this protection is absolutely vital.