The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert this week with regards to an imminent cybercrime threat to US hospitals and healthcare providers. The alert was coauthored by CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), regarded the use of Ryuk and Trickbot malware to perform ransomware behavior at a massive scale. The report was later updated to include the use of Conti ransomware and BazarLoader malware.
The group behind this attack is a financially motivated adversary, labeled as UNC1878 by FireEye Mandiant, that leverages the RYUK Ransomware to encrypt target environments and extort their victims. The group primarily leverages KEGTAP for initial access, ultimately resulting in Cobalt Strike beacon payload deployment and RYUK Ransomware encryption. The most significant component of this group’s operations is the speed at which they transition from initial access to Ransomware deployment, with some environments following the full lifecycle of the attack in just over two days.
Threat Overview
Trickbot
Trickbot was first discovered in the wild in 2016. Although Trickbot started out as a banking trojan, it has more recently evolved to become a multi-purpose downloader, used to download additional malware in order to steal sensitive information such as credentials and emails, as well as running ransomware such as Ryuk.
BazarLoader/BazarBackdoor/KEGTAP
BazarLoader/BazarBackdoor (also referred to as KEGTAP) is thought to be a derivative of Trickbot. Similar to Trickbot, BazarLoader is typically distributed via phishing campaigns containing malicious links or attachments that contain the malware.
RYUK
The Ryuk family of malware has been tracked for multiple years as targeted toward organizations for ransomware. Over time Ryuk has gone through periods of inactivity during which it is suspected that its operators perform reconnaissance on potential victims and improve their tooling.
Conti
Conti ransomware discovered by VMware Carbon Black Threat Analysis Unit (TAU) in June 2020, is thought to be related to Ryuk ransomware due to similarities in the code. Conti introduced a much faster encryption algorithm using up to 32 threads, a novel ability of targeting only network SMB shares for provided IP addresses, as well as a new technique that makes use of the Windows Restart Manager.
ZeroLogon Vulnerability
CVE-2020-1472, otherwise known as ZeroLogon, is a critical vulnerability affecting Microsoft Windows operating systems. The Department of Homeland Security (DHS) recently issued an emergency directive due to the criticality of this vulnerability. Although Microsoft released a patch on August 11, 2020, Ryuk threat actors have reportedly exploited unpatched servers in order to escalate privileges by resetting the password of the primary domain controller.
Conclusion
Ransomware infections are often only one piece of the attack kill chain. A multi-stage approach is often used as part of sophisticated attacks. Phishing emails are commonly used to deliver the initial payload, backdoor or loader, such as in the case of Trickbot and BazarLoader. Additional tools such as Cobalt Strike, Metasploit or PowerShell Empire may be used to further maintain access, move laterally, or scrape credentials. Ransomware such as RYUK and Conti are then distributed across the network for maximum impact.
Following the CISA alert, several U.S. hospitals have already been targeted with ransomware attacks this week. We have advised VMware Carbon Black customers to ensure they have enabled the Ransomware prevention controls available within VMware Carbon Black Enterprise Standard.
For a detailed breakdown of the MITRE ATT&CK TIDs, please see the table below. To learn more about the VMware Carbon Black TAU, please visit: Threat Analysis Unit.
MITRE ATT&CK TIDs
The table below includes all behavioral MITRE TID’s for Trickbot, RYUK and Conti.
| TID | Tactic | Description |
| T1087.001 | Discovery | Account Discovery: Local Account |
| T1087.003 | Discovery | Account Discovery: Email Account |
| T1071.001 | Command and Control | Application Layer Protocols: Web Protocols |
| T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell |
| T1543.003 | Persistence, Privilege Escalation | Create or Modify System Process: Windows Service |
| T1555.003 | Credential Access | Credentials from Password Stores: Credentials from Web Browsers |
| T1132.001 | Command and Control | Data Encoding: Standard Encoding |
| T1005 | Collection | Data from Local System |
| T1140 | Defense Evasion | Deobfuscate/Decode Files or Information |
| T1482 | Discovery | Domain Trust Discovery |
| T1573.001 | Command and Control | Encrypted Channel: Symmetric Cryptography |
| T1041 | Exfiltration | Exfiltration Over C2 Channel |
| T1008 | Command and Control | Fallback Channels |
| T1083 | Discovery | File and Directory Discovery |
| T1562.001 | Defense Evasion | Impair Defenses: Disable or Modify Tools |
| T1105 | Command and Control | Ingress Tool Transfer |
| T1056.004 | Collection, Credential Access | Input Capture: Credential API Hooking |
| T1185 | Collection | Man in the Browser |
| T1036 | Defense Evasion | Masquerading |
| T1112 | Defense Evasion | Modify Registry |
| T1106 | Execution | Native API |
| T1571 | Command and Control | Non-Standard Port |
| T1027.002 | Defense Evasion | Obfuscated Files or Information: Software Packing |
| T1069 | Discovery | Permission Groups Discovery |
| T1566.001 | Initial Access | Phishing: Spearphishing Attachment |
| T1566.002 | Initial Access | Phishing: Spearphishing Link |
| T1055.012 | Defense Evasion, Privilege Escalation | Process Injection: Process Hollowing |
| T1018 | Discovery | Remote System Discovery |
| T1053.005 | Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task |
| T1553.002 | Defense Evasion | Subvert Trust Controls: Code Signing |
| T1082 | Discovery | System Information Discovery |
| T1016 | Discovery | System Network Configuration Discovery |
| T1033 | Discovery | System Owner/User Discovery |
| T1007 | Discovery | System Service Discovery |
| T1552.001 | Credential Access | Unsecured Credentials: Credentials in Files |
| T1552.002 | Credential Access | Unsecured Credentials: Credentials in Registry |
| T1204.002 | Execution | User Execution: Malicious File |
| T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name or Location |
| T1055 | Defense Evasion, Privilege Escalation | Process Injection |
| T1057 | Discovery | Process Discovery |
| T1134 | Defense Evasion, Privilege Escalation | Access Token Manipulation |
| T1486 | Impact | Data Encrypted for Impact |
| T1489 | Impact | Service Stop |
| T1490 | Impact | Inhibit System Recovery |
| T1547.001 | Persistence, Privilege Escalation | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1564.003 | Defense Evasion | Hide Artifacts: Hidden Window |
| T1106 | Execution | Native API |
| T1049 | Discovery | System Network Connections Discovery |
