On October 28th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) released a joint advisory, as previously reported in SATNews. Since the advisory, at least 12 healthcare organizations have been targeted in this campaign. Monitoring this campaign should be a top concern for healthcare organizations.
The threat actors have been seen using Trickbot and BazarLoader malware, which lead to ransomware attacks (Ryuk), data theft, and disruption of healthcare services.
The following healthcare organizations have been targeted:
Sky Lakes Medical Center
St. Lawrence Health Systems, Canton-Potsdam Hospital
St. Lawrence Health Systems, Massena Hospital
St. Lawrence Health Systems, Gouverneur Hospital
Wyckoff Heights Medical Center Brooklyn
Ridgeview Medical Center
University of Vermont Health Network
UVM Medical Center
Alice Hyde Medical Center
Central Vermont Medical Center
Champlain Valley Physicians Hospital
Elizabethtown Community Hospital (Elizabethtown, NY)
DeRoyal Industries, Medical Supplier
Dickenson County Health System
Sonoma Valley Hospital
CIUSSS (Centre-Ouest-de-l’Ile-de-Montréal)
The original joint advisory can be found here: https://us-cert.cisa.gov/ncas/current-activity/2020/10/28/ransomware-activity-targeting-healthcare-and-public-health-sector
Technical information including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) can be found here: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
Nuspire is actively threat hunting in our client environments for the above TTPs and IOCs.