Universal Health Services (UHS), a Fortune 500 healthcare service provider, with over 400 health facilities worldwide has been hit with a cyberattack early Sunday morning on September 27, 2020. The attack spread across the UHS network in US facilities, causing them to shutdown systems in multiple locations. Phone and computer systems in locations including Texas, California, Washington D.C, Florida, and Arizona were inaccessible, according to UHS employees.
Ambulances were redirected during the attack and patients who were in need of surgery were relocated to other hospitals. Employees were instructed to shut down all systems to prevent further spread across devices on the network. Some locations were forced to revert to pen and paper documentation, which requires more effort to protect patient information, according to UHS employee’s reports to WIRED.
There has been no official notice from UHS regarding the culprit of the attack, but employee reports all point to a ransomware called Ryuk. Bleeping Computer, who reported the attack early on, spoke to UHS employees. To avoid detection, it launched during the early morning then encrypted as many systems it could reach, before being shut down after discovery. “Multiple antivirus programs were disabled by the attack and the hard drives lit up with activity. After a minute or so, the computers shutdown, and were stuck in a boot cycle.” Employees said computer screens changed to display a ransom note reading “Shadow of the Universe,” a similar phrase to the one found in the Ryuk ransomware notes “balance of shadow universe.” Files were also being renamed to end in the .ryk extension used by Ryuk.
UHS is one of the largest healthcare providers in the US, with reported annual revenue of $11.4 billion in 2019. The Ryuk rasonware is known to target large corporate entities to extort hefty ransoms.
According to Vitali Kermez from Advanced Intel, their Andariel intelligence platform detected Emotet and Trickbot trojans disturbing UHS. Trickbot is distributed through Emotet and other malware spam campaigns. These campaigns pretend to be legitimate companies such as Deloitte and Llyods Bank, and sends emails with malicious documents masquerading as payroll schedules. When these documents are opened and when marcos are enabled, Trickbot and other malware are downloaded and installed and used to send more spam emails further propagating the campaign. Trickbot has been observed to perform many activities with goal of installing Ryuk. These include, Powershell scripts connecting to remote hosts, anti-logging scripts executing on the target, network reconnaissance through Windows command line, lateral movement through Remote Desktop Protocol(RDP), and Batch scripts to terminating and removing backups. Empire, an obfuscated PowerShell exploitation toolkit that connects back to the attackers was typically used. It allows attackers to avoid detection and distribute payloads. It was also used to obtain credentials of other machines to install malware and Ryuk.
Breaking Down Ryuk
Ryuk was first seen in 2018 and was first linked to North Korea because of its similar code base to Hermes. Hermes is a ransomware that was originally sold on forums for $300 USD. It was used by in an attack on a Taiwan Bank with its attackers attributed to North Korea. Researchers from Crowdstrike believe that the actors of Ryuk originate from Russia. It apparently contains code that would not encrypt systems with languages set to Russian, Ukrainian, or Belarusian. According to Crowdstrike, Ryuk is divided into two binaries, a dropper and the executable payload. The dropper constructs an installation path, based on the operating system version and whether host is 32 or 64-bit, it then writes the payload executable. This executable contains the instructions for file encryption. Contrary to other malware, Ryuk has little protections to ensure host stability. Its encryption whitelist which describes what files and extensions to not encrypt is rather short, causing integral system files to be encrypted. This is likely why UHS employees were reporting machines crashing and unrecoverable boot loops. Ryuk uses RSA-2048 and AES-256 for file encryption, encrypting mounted devices and drives. The executable terminates by deleting files based on extensions or folders that deal with backups.
Ransomware rise in 2020
Cyberattacks have seen a surge this year, especially with the pandemic compelling many corporations to expand remote work, widening the attack surface for threat actors. In particular, ransomware has seen a rise of seven-fold compared with last year, according to a Mid-Year Threat Landscape Report by Bitdefender. Threat actors are attempting to encrypt as much as possible on large corporations with intent to obtain bitcoin currency. One success, could result in a score of millions. Ransomware has not only seen an increase of prevalence, but also continued evolution. GandCrab, the most prolific malware of 2019, was shut down by its organizers, since then, new families have emerged. A number of threat groups tend to focus on larger corporations, as it can be seen in the malware that actors use, which target domain controllers and advanced backups solutions, things that are likely to be found in enterprises. In many cases, attackers are following through with their threats to leak stolen data. This builds their standing to shows that they are not bluffing when it comes to their claims in doing so. Some ransomware groups have vowed to spare hospitals during the pandemic, but this Ryuk group has not.
