Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

 

Description 

We have observed a rise in ransomware attacks targeting hospitals, Health Care institutions and Insurance organizations in Middle East and US.

These attacks could result not only in money extortion, but also in Critical Data exposures such as leakages of patients’ files (profile, medical history, social number), financial and legal documents.

We have identified that two ransomware families are commonly used by the threat actors during these campaigns:

•  Rhysida Ransomware
•  LockBit 3.0 Ransomware

Rhysida ransomware usually arrives on a victim’s machine via phishing attacks, then “Cobalt Strike” red team payloads are used for lateral movement within the network.

Additionally, threat actors leverage “PsExec” to deploy PowerShell scripts and the Rhysida ransomware payload. PowerShell scripts are used to terminate antivirus-related processes and services, delete shadow copies, modify remote desktop protocol (RDP) configurations, and change the active directory (AD) password.

Rhysida ransomware employs a 4096-bit RSA key and AES-CTR for file encryption. After successful encryption, it appends the “.rhysida” extension and drops the ransom note CriticalBreachDetected.pdf.

LockBit 3.0 Ransomware leverages disclosed flaws such us vulnerabilities in Fortra GoAnywhere Managed File Transfer (MFT) and PaperCut MF/NG servers as well as other known bugs like Apache Log4j2, F5 BIG-IP and BIG-IQ, and Fortinet devices, to obtain initial access.

Once the attackers obtain a foothold into a target network, they try to extract credentials through LSASS (Local Security Authority Subsystem Service) dumps to facilitate further lateral movement within the network and elevate their privileges.

Ransomware remains an actively evolving ecosystem, witnessing frequent shifts in Tactics, Techniques and Procedures and also targeting different industries.

There appear to be two broad types of ransomware strategies: those aiming to steal and sell PHI and those aiming to cause maximum mayhem in the hopes of a ransom pay-out by leveraging also Data Extortion.

 

CVE(s)

 

Affected Systems 

• N/A

 

Recommendation(s) 

Organizations should have an Incident Response Preparedness Plan and anticipate, adapt and quickly recover from disruptive threats.

The guidelines below will help you protect against Ransomware and its associated security threats:

• Ensure all systems are patched and upgraded with the latest system versions and security patches in place.
• Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
• Consider enabling the “Show hidden file-extensions”. One way that ransomware such as Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions.
• Filter executable files in email. If your email gateway has the ability to filter files by extension, you may wish to deny mails sent with “.exe”, “.scr”, “.bat” files, or to deny mails sent with files that have two file extensions, the last one being executable.
• Disable files running from AppData/LocalAppData folders. You can create rules within Windows or with Host Intrusion Prevention software, to disallow a particular, notable behavior used by ransomware, which is to run its executable from the App Data or Local App Data folders.
• Disable macros in Microsoft Office files. Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
• Do not open e-mail from unknown sources. Be suspicious of emails purporting to be from financial institution, government department, or other agency requesting account information, account verification or banking access credentials sush as usernames, passwords, PIN codes, and similar information. Opening file attachments od clicking on web links in suspicious emails could expose your system to malicious code that could hijack your computer.
• Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Call the purported source if you are unsure who sent an email.
• If an email claiming to be from your financial organization seems suspicious, checking with your financial organization may be appropriate.
• Keep your antivirus up to date and use real time protection.
• It is also recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.

Finally, in case that a system is compromised, it should be immediately removed from the network.

 

References 

https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ 

 https://thehackernews.com/2023/08/lockbit-30-ransomware-builder-leak.html

 https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html

  https://www.cysecurity.news/2023/08/rhysida-ransomware-group-social.html

 https://www.bleepingcomputer.com/news/security/rhysida-claims-ransomware-attack-on-prospect-medical-threatens-to-sell-data/

 IthacaLabs Incident Response and Threat Intelligence Services