TLP:WHITE
Some good news during this period of ransomware attacks against healthcare providers, hospitals and life science organizations is that mitigation strategies and counter measures are available.
CISA, FBI, and HHS recently recommended that healthcare organizations immediately implement proactive ransomware counter measures, such as joining healthcare information sharing organizations, specifically Health-ISAC.
JOINT CYBERSECURITY ADVISORY:
Ransomware Activity Targeting the Healthcare and Public Health Sector
Note: This advisory was updated on October 29, 2020 to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection.
This advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 7 framework. See the ATT&CK for Enterprise version 7 for all referenced threat actor tactics and techniques.
SUMMARY
This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with ransomware, notably Ryuk and Conti, for financial gain.
CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.
Key Findings
• CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
• These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
Access full joint alert here:
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
GENERAL RANSOMWARE MITIGATIONS — HPH SECTOR
This section is based on CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC)’s Joint Ransomware Guide, which can be found at https://www.cisa.gov/publication/ransomware-guide.
CISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and ransomware response measures immediately.
Ransomware Prevention Join and Engage with Cybersecurity Organizations CISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:
• Join a healthcare information sharing organization, H-ISAC:
o Health Information Sharing and Analysis Center (H-ISAC): https://hisac.org/membership-account/join-h-isac/
o Sector-based ISACs – National Council of ISACs: https://www.nationalisacs.org/member-isacs
o Information Sharing and Analysis Organization (ISAO) Standards Organization: https://www.isao.org/information-sharing-groups/
• Engage with CISA and FBI, as well as HHS
—through the HHS Health Sector Cybersecurity Coordination Center (HC3)—to build a lasting partnership and collaborate on information sharing, best practices, assessments, and exercises.
o CISA: cisa.gov, https://us-cert.cisa.gov/mailing-lists-and-feeds, central@cisa.gov
o FBI: ic3.gov, www.fbi.gov/contact-us/field , CyWatch@fbi.gov
o HHS/HC3: http://www.hhs.gov/hc3, HC3@HHS.gov
Engaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical information and access to services to better manage the risk posed by ransomware and other cyber threats.
Read pdf of full joint alert and entire list of mitigations here:
AA20-302A_Ransomware _Activity_Targeting_the_Healthcare_and_Public_Health_Sector