HHS tells hospitals to guard against Ryuk ransomware attack: 10 things to know

HHS released important updates on the Ryuk ransomware, which is suspected in the recent cyberattack at King of Prussia, Pa.-based Universal Health Systems hospital.

Ryuk ransomware is an encryption used by individuals to lock information within an organization's computer system.

The information HHS released Sept. 29 urges organizations to take action to reduce the risk of attack, according to an American Hospital Association report.

Here are 10 things to know about Ryuk, based on the information from HHS and a report from Bleeping Computer.

1. Ryuk typically begins attacks at night to encrypt systems before detection. It encrypts files using RSA-2048 and AES-256, and it can download additional exploitation tools.

2. Ryuk has been known to target network-connected devices, mounted devices and remote hosts. It stores keys in the Microsoft SIMPLEBLOB format.

3. When discovered, Ryuk shuts down all systems so more devices aren't locked.

4. Files are often renamed to include ".ryk" which is the extension Ryuk uses.

5. Computer screen displays are changed and may include a note such as "Shadow of the Universe," which UHS employees reported. The note is similar to a phrase typically at the end of Ryuk ransom notes.

6. Ryuk may begin as a phishing email attack that installs malware on the victim's computer and paves the way for Ryuk operators. According to HHS, it is often deployed with TrickBot and Emotet malware.

7. After gaining access to the system and administrator credentials, Ryuk places ransomware payloads on network devices through PowerShell Empire, according to the report.

8. Ryuk's decryptor may corrupt certain files even if the ransom is paid.

9. Ryuk originated in North Korea and has links to Russian cybercriminal groups, according to HHS and based on reporting by CrowdStrike and FireEye which are cybersecurity firms.

10. Ryuk ransom payments have been documented as 10 times more than other ransomware.

HHS lists Ryuk defense and mitigations here.

Register today for Becker's HIT+RCM Virtual Event Oct. 6-9 for the best insights and big ideas in health IT!

More articles on cybersecurity:
At nearly $7M, Premera Blue Cross agrees to pay 2nd largest HIPAA fine in OCR history
Geisinger warns of phone spoofing scams, launches digital info hub
12 health system malware, ransomware and phishing incidents this month

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.