Law Enforcement Finds Credible Evidence of Pre-Election Ransomware Attack

Late yesterday, U.S. law enforcement authorities began warning of credible information suggesting there will be a widespread Ryuk ransomware attack this weekend in advance of the presidential election. The attack will be focused primarily, though not exclusively, on healthcare entities. The attack could lead to data theft and massive disruption of healthcare services for enterprises whose resources are already spread thin by COVID-19.

We rarely see such a large confluence of warnings from law enforcement authorities, cyber insurance executives, and cybersecurity experts. A leading cybersecurity expert at Mandiant whom we trust and work with regularly has described the threat as “the most significant cyber security threat we’ve ever seen in the United States.”

If you are a targeted enterprise, Trickbot, the malware used to deliver Ryuk, may well already be present on your systems, with the threat actors waiting to instruct it to deploy the ransomware. This alert will help you learn more about the threat, how to identify it and how to mitigate it.

What Is The Risk?

An FBI alert and an article by leading cybersecurity journalist Brian Krebs explain the threat in greater detail, but in short, a Russian-speaking criminal gang is threatening to deploy Ryuk ransomware through the Trickbot malware. Trickbot activities include credential harvesting, email exfiltration, crypto-mining, point-of-sale data exfiltration and the deployment of ransomware such as Ryuk.

The FBI is warning about a specific Trickbot module called Anchor, which is often used in attacks against large companies. Anchor_DNS is a backdoor that lets victim machines communicate with command-and-control servers over DNS, so that the malicious traffic evades typical network defense products and blends in with legitimate DNS queries. The FBI provides this piece of advice: “Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic.” In practice a single-byte XOR is obfuscation rather than true encryption: a defender can XOR every byte of captured DNS query data with 0xB9 (or simply try all 256 possible key bytes, in case the operators change the key) and search the result for that string. Even without decoding, large volumes of queries carrying long, random-looking subdomain labels to one domain are the usual sign of DNS tunneling and are worth investigating.
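As an added example, not code from the FBI alert or from Shook, the following Python scans DNS query names for the Anchor_DNS marker. It assumes, purely for illustration, that the beacon carries its data as hex-encoded DNS labels (the alert does not describe the wire format, so the label parsing is an assumption to adapt to real captures); the query names and the `encode_for_transport` helper are constructed here to produce sample traffic. Rather than fixing the key at 0xB9, it tries all 256 single-byte keys, which goes beyond the alert's observed key and also catches a sample that has switched keys.

```python
"""Added example (not from the FBI/CISA alert or Shook): decoding DNS query
data with a single-byte XOR key and checking for the Anchor_DNS marker."""
from __future__ import annotations

import binascii

MARKER = b"Anchor_DNS"   # string the alert says appears once traffic is decoded
OBSERVED_KEY = 0xB9      # key the alert reports as observed in the wild
HEX_DIGITS = set("0123456789abcdefABCDEF")


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    function both encodes and decodes."""
    return bytes(b ^ key for b in data)


def encode_for_transport(plaintext: bytes, key: int = OBSERVED_KEY) -> str:
    """Build a constructed sample label: XOR with the key, then hex-encode.
    Assumption for this example only: the beacon carries its data as a
    hex-encoded DNS label. The real Anchor_DNS wire format is not described
    in the alert, so adapt hex_labels() to whatever your captures show."""
    return binascii.hexlify(xor_decode(plaintext, key)).decode("ascii")


def hex_labels(qname: str) -> bytes:
    """Concatenate the bytes of every label in a query name that parses as
    hex. Ordinary labels such as 'www' or 'example' are skipped."""
    out = bytearray()
    for label in qname.rstrip(".").split("."):
        if label and len(label) % 2 == 0 and set(label) <= HEX_DIGITS:
            out += bytes.fromhex(label)
    return bytes(out)


def find_marker_keys(data: bytes, marker: bytes = MARKER) -> list[int]:
    """Try all 256 single-byte keys and return those under which the marker
    appears (case-insensitively). A single-byte XOR is obfuscation, not
    encryption, so brute force is cheap and does not depend on 0xB9."""
    needle = marker.lower()
    return [k for k in range(256) if needle in xor_decode(data, k).lower()]


def scan_queries(qnames: list[str]) -> list[tuple[str, int]]:
    """Return (query name, key) pairs for every query whose hex labels decode
    to something containing the marker under some key."""
    hits: list[tuple[str, int]] = []
    for qname in qnames:
        payload = hex_labels(qname)
        if len(payload) < len(MARKER):   # too short to contain the marker
            continue
        for key in find_marker_keys(payload):
            hits.append((qname, key))
    return hits


# Constructed sample query names (not real captures): one benign, one encoded
# with the observed key, one encoded with a different key, and one whose
# short hex-looking label is just a normal hostname.
SAMPLE_QUERIES = [
    "www.example.com.",
    encode_for_transport(b"Anchor_DNS\x00\x01beacon") + ".beacon.example.net.",
    encode_for_transport(b"Anchor_DNS\x00\x02beacon", key=0x41) + ".beacon.example.net.",
    "cafe.example.org.",
]

if __name__ == "__main__":
    for qname, key in scan_queries(SAMPLE_QUERIES):
        print(f"Anchor_DNS marker in {qname} under XOR key 0x{key:02X}")
```

To use this against real data, feed `scan_queries` the query names from your DNS server or resolver logs; any hit names the key as well as the query, so a key other than 0xB9 tells you the sample differs from the one the FBI described.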

The FBI alert lists Trickbot Indicators of Compromise (i.e., the file hashes, domains, IP addresses and other artifacts associated with the malware) to help you identify whether you are already under attack.

How To Identify and Prepare For The Risk

Your organization can take the following steps immediately to prepare for and perhaps mitigate the risk from an operational, legal and InfoSec/IT perspective:

  • Update your antivirus solutions. Make sure that you are using the most up-to-date version of your antivirus solutions, many of which are being updated to search for the specific indicators of compromise that the FBI has identified.
  • Scan your system for indicators of compromise. Ideally, this should be done by a third-party cybersecurity expert specializing in ransomware attacks. We are happy to recommend one of our cybersecurity partners.
  • Ensure that you have a secure, air-gapped backup of your data in place. If you experience a ransomware attack you will likely have only two options: (1) restore your systems from backup or (2) pay the ransom. If the ransomware impacts your backup system, as is increasingly the case, the disruption and cost to your organization will be significant. Make sure your backup system is air-gapped (i.e., offline, disconnected and separated from your remaining systems). Also, determine how to quickly restore your systems if they were to become unavailable and consider engaging a restoration vendor now to assist you should you need them.
  • Be ready to contact your cybersecurity partners. This means your insurance carrier/broker, your forensic expert, your legal counsel, a restoration firm and a ransomware threat negotiation firm. Have an email address and phone number ready for specific points of contact with each of them and ensure that the points of contact will be ready to help over the weekend. Hopefully this information is already in your up-to-date incident response plan.
  • Engage your third-party forensic firm under privilege. At the very least, you should ensure that you have a Master Services Agreement in place with your third-party forensic firm, and potentially even a Statement of Work (SoW). The SoW may need to build in privilege and work product protection, so be sure to do that now. You must also confirm now that the forensic provider will be available to help you should you need it over the coming days. If you cannot get such a commitment, consider engaging a backup provider.
  • Strengthen your authentication procedures. Ransomware attacks often happen because the threat actors obtained access to legitimate credentials and misused them. These credentials could have been harvested from your own systems (credential harvesting is one of Trickbot’s functions) or purchased on the Dark Web. To minimize this risk, you might consider a global password reset and further increasing the use of multifactor authentication, particularly for remote access (VPN, remote desktop) and for any system that maintains sensitive information.
  • Prepare public relations holding statements. If you are the victim of a ransomware attack, you will immediately receive questions from employees, officers, board members, patients/customers, business partners, media and regulatory authorities. Having prepared statements ready now that can be tailored when an attack occurs can help minimize the strain on valuable public relations resources.
  • The U.S. government has recommended that organizations (particularly healthcare covered entities and business associates) implement the following measures immediately:
      • Establish and practice out-of-band, non-VoIP communications.
      • Rehearse IT lockdown protocol and process, including practicing backups.
      • Ensure backup of medical records, including electronic records, and have a 3-2-1 backup strategy (three copies, on two different media, one of them offsite): hard copy, remote backup or both.
      • Expedite patching and review your incident response plan (IRP) within 24 hours.
      • Prepare to maintain continuity of operations if attacked.
      • Review plans within the next 24 hours should you be hit.
      • Power down IT where not used.
      • Know how to contact federal authorities when phones are down or email has been wiped.
      • Consider limiting/powering down non-essential internet-facing IT services.
      • Limit personal email services.
      • Be prepared to reroute patients if patient care is disrupted due to an IT outage.
      • Ensure sufficient staffing to maintain continuity of operations with disrupted IT networks.
      • Report all potentially related cyber incidents to the FBI 24/7 CyberWatch Command Center at (855) 292-3937.

Next Steps

Shook’s Incident Response Task Force will continue to monitor developments. If you have specific questions or need assistance with any issues relating to ransomware attacks, please do not hesitate to reach out to any member of Shook’s Privacy & Data Security Team.