Threat Analysis Unit

TAU Threat Advisory: Imminent Ransomware threat to U.S. Healthcare and Public Health Sector

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert this week regarding an imminent cybercrime threat to U.S. hospitals and healthcare providers. The alert, coauthored by CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), describes the use of Trickbot malware to deliver Ryuk ransomware at scale. The alert was later updated to include Conti ransomware and BazarLoader malware.

The group behind this activity is a financially motivated adversary, tracked as UNC1878 by FireEye Mandiant, that uses Ryuk ransomware to encrypt target environments and extort its victims. The group primarily relies on KEGTAP (Mandiant’s name for BazarLoader) for initial access, followed by deployment of Cobalt Strike Beacon payloads and finally Ryuk encryption. The most significant feature of this group’s operations is the speed with which it moves from initial access to ransomware deployment: in some environments the full attack lifecycle completed in just over two days.



Threat Overview


Trickbot was first discovered in the wild in 2016. Although it started out as a banking trojan, it has since evolved into a multi-purpose downloader that fetches additional malware to steal sensitive information such as credentials and email, and that deploys ransomware such as Ryuk.


BazarLoader/BazarBackdoor (also tracked as KEGTAP) is thought to be a derivative of Trickbot. Like Trickbot, BazarLoader is typically distributed through phishing campaigns whose links or attachments lead to the malware.


The Ryuk family of ransomware has been tracked for several years and is aimed at organizations rather than individual users. Over time Ryuk has gone through periods of inactivity, during which its operators are suspected of performing reconnaissance on potential victims and improving their tooling.


Conti ransomware, first reported by the VMware Carbon Black Threat Analysis Unit (TAU) in June 2020, is thought to be related to Ryuk because of similarities in the code. Conti introduced much faster encryption using up to 32 threads, the ability to encrypt only network SMB shares on operator-supplied IP addresses, and the use of the Windows Restart Manager to release files that are locked by other processes so they can be encrypted.

ZeroLogon Vulnerability

CVE-2020-1472, otherwise known as ZeroLogon, is a critical vulnerability in the Netlogon Remote Protocol (MS-NRPC) of Microsoft Windows Server. Because of its severity, DHS’s CISA issued Emergency Directive 20-04 in September 2020 requiring federal agencies to patch it immediately. Although Microsoft released a patch on August 11, 2020, Ryuk threat actors have reportedly exploited unpatched domain controllers to escalate privileges by resetting the domain controller’s machine account password, which gives them control of the domain. Note that the August 2020 update is only the first (deployment) phase: it protects Windows devices and logs vulnerable Netlogon connections from other clients (System log event IDs 5827 to 5831) but does not block them until enforcement mode is enabled, either by setting FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters or by the enforcement phase Microsoft scheduled for February 2021.
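The following is an added example, not code from the advisory or from CISA, showing how a detection engineer would turn the ZeroLogon indicators above into a check over Windows event records. It relies on publicly documented behaviour: the exploit resets a machine account password over an unauthenticated Netlogon session, which the targeted domain controller records as Security event 4742 with ANONYMOUS LOGON as the subject, and the August 2020 update adds NETLOGON events 5827/5828 (vulnerable connection denied) and 5829/5830/5831 (vulnerable connection allowed). The event dicts, host names and the simplified NETLOGON field name SamAccountName are constructed for the example.

```python
"""Flag CVE-2020-1472 (ZeroLogon) indicators in Windows event records.

Added example, not part of the CISA/TAU advisory. The records below are
constructed dicts that mimic the fields of real Windows events; field names
for the NETLOGON events are simplified. Indicators:
  * Security 4742 (computer account changed) whose subject is ANONYMOUS LOGON:
    the exploit resets a machine account password over an unauthenticated
    Netlogon session, and the targeted DC records that reset this way.
    A domain controller account as the target is the critical case.
  * System 5829/5830/5831 (NETLOGON): a vulnerable Netlogon secure channel
    connection was allowed. These exist only once the August 2020 update is
    installed, and they mean enforcement mode is not yet on for that client.
  * System 5827/5828 (NETLOGON): a vulnerable connection was denied.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

ANONYMOUS = "ANONYMOUS LOGON"
VULN_ALLOWED = {5829, 5830, 5831}
VULN_DENIED = {5827, 5828}


@dataclass
class Finding:
    severity: str   # "critical", "high" or "info"
    event_id: int
    host: str
    detail: str


def analyze(events: List[Dict], dc_accounts: Set[str]) -> List[Finding]:
    """Return findings in log order. dc_accounts holds the machine account
    names of the domain controllers, e.g. {"DC01$", "DC02$"} (case-insensitive)."""
    dcs = {a.upper() for a in dc_accounts}
    findings = []
    for ev in events:
        eid, host, data = ev["EventID"], ev["Computer"], ev.get("Data", {})
        if ev["Channel"] == "Security" and eid == 4742:
            subject = data.get("SubjectUserName", "")
            target = data.get("TargetUserName", "")
            if subject.upper() != ANONYMOUS:
                continue  # routine computer-account change by a real principal
            if target.upper() in dcs:
                findings.append(Finding("critical", eid, host,
                    f"{target} changed by {subject}: likely ZeroLogon password reset of a DC"))
            else:
                findings.append(Finding("high", eid, host,
                    f"{target} changed by {subject}: anonymous machine-account change"))
        elif ev["Channel"] == "System" and ev.get("Provider") == "NETLOGON":
            client = data.get("SamAccountName", "?")
            if eid in VULN_ALLOWED:
                findings.append(Finding("high", eid, host,
                    f"vulnerable Netlogon channel from {client} allowed: enforcement mode off"))
            elif eid in VULN_DENIED:
                findings.append(Finding("info", eid, host,
                    f"vulnerable Netlogon channel from {client} denied: enforcement working"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4742, "Computer": "DC01.corp.local",
     "Data": {"SubjectUserName": "CORP-ADMIN", "TargetUserName": "WS07$"}},      # normal
    {"Channel": "Security", "EventID": 4742, "Computer": "DC01.corp.local",
     "Data": {"SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}},  # exploit
    {"Channel": "System", "EventID": 5829, "Computer": "DC01.corp.local", "Provider": "NETLOGON",
     "Data": {"SamAccountName": "FILESRV01$"}},                                   # not enforced
    {"Channel": "System", "EventID": 5827, "Computer": "DC02.corp.local", "Provider": "NETLOGON",
     "Data": {"SamAccountName": "OLDNAS$"}},                                      # denied
]
DC_ACCOUNTS = {"DC01$", "DC02$"}

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{f.severity:8}] {f.host} {f.event_id} {f.detail}")
```

On a real estate the 4742 records would be pulled from the domain controllers’ Security logs and the NETLOGON records from their System logs; a steady stream of 5829 events is the practical signal that a domain still has non-compliant clients and cannot yet be switched to enforcement mode without breaking them, while a single anonymous 4742 against a DC account warrants an immediate incident response.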


Ransomware deployment is usually only the final stage of the attack kill chain; sophisticated intrusions follow a multi-stage approach. Phishing emails commonly deliver the initial payload, backdoor or loader, as with Trickbot and BazarLoader. Post-exploitation frameworks such as Cobalt Strike, Metasploit or PowerShell Empire are then used to maintain access, move laterally and harvest credentials. Finally, ransomware such as Ryuk or Conti is pushed across the network for maximum impact.

Since the CISA alert was issued, several U.S. hospitals have already been hit by ransomware attacks this week. We have advised VMware Carbon Black customers to confirm that the ransomware prevention controls available in VMware Carbon Black Enterprise Standard are enabled.

For a detailed breakdown of the MITRE ATT&CK TIDs, please see the table below. To learn more about the VMware Carbon Black TAU, please visit: Threat Analysis Unit.


The table below lists all behavioral MITRE ATT&CK technique IDs (TIDs) observed for Trickbot, Ryuk and Conti.

| TID | Tactic | Technique |
|---|---|---|
| T1087.001 | Discovery | Account Discovery: Local Account |
| T1087.003 | Discovery | Account Discovery: Email Account |
| T1071.001 | Command and Control | Application Layer Protocols: Web Protocols |
| T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell |
| T1543.003 | Persistence, Privilege Escalation | Create or Modify System Process: Windows Service |
| T1555.003 | Credential Access | Credentials from Password Stores: Credentials from Web Browsers |
| T1132.001 | Command and Control | Data Encoding: Standard Encoding |
| T1005 | Collection | Data from Local System |
| T1140 | Defense Evasion | Deobfuscate/Decode Files or Information |
| T1482 | Discovery | Domain Trust Discovery |
| T1573.001 | Command and Control | Encrypted Channel: Symmetric Cryptography |
| T1041 | Exfiltration | Exfiltration Over C2 Channel |
| T1008 | Command and Control | Fallback Channels |
| T1083 | Discovery | File and Directory Discovery |
| T1562.001 | Defense Evasion | Impair Defenses: Disable or Modify Tools |
| T1105 | Command and Control | Ingress Tool Transfer |
| T1056.004 | Collection, Credential Access | Input Capture: Credential API Hooking |
| T1185 | Collection | Man in the Browser |
| T1036 | Defense Evasion | Masquerading |
| T1112 | Defense Evasion | Modify Registry |
| T1106 | Execution | Native API |
| T1571 | Command and Control | Non-Standard Port |
| T1027.002 | Defense Evasion | Obfuscated Files or Information: Software Packing |
| T1069 | Discovery | Permission Groups Discovery |
| T1566.001 | Initial Access | Phishing: Spearphishing Attachment |
| T1566.002 | Initial Access | Phishing: Spearphishing Link |
| T1055.012 | Defense Evasion, Privilege Escalation | Process Injection: Process Hollowing |
| T1018 | Discovery | Remote System Discovery |
| T1053.005 | Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task |
| T1553.002 | Defense Evasion | Subvert Trust Controls: Code Signing |
| T1082 | Discovery | System Information Discovery |
| T1016 | Discovery | System Network Configuration Discovery |
| T1033 | Discovery | System Owner/User Discovery |
| T1007 | Discovery | System Service Discovery |
| T1552.001 | Credential Access | Unsecured Credentials: Credentials in Files |
| T1552.002 | Credential Access | Unsecured Credentials: Credentials in Registry |
| T1204.002 | Execution | User Execution: Malicious File |
| T1036.005 | Defense Evasion | Masquerading: Match Legitimate Name or Location |
| T1055 | Defense Evasion, Privilege Escalation | Process Injection |
| T1057 | Discovery | Process Discovery |
| T1134 | Defense Evasion, Privilege Escalation | Access Token Manipulation |
| T1486 | Impact | Data Encrypted for Impact |
| T1489 | Impact | Service Stop |
| T1490 | Impact | Inhibit System Recovery |
| T1547.001 | Persistence, Privilege Escalation | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1564.003 | Defense Evasion | Hide Artifacts: Hidden Window |
| T1049 | Discovery | System Network Connections Discovery |
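As an added example (not code from the advisory, CISA or VMware Carbon Black), the script below shows how a handful of the table’s Impact, Defense Evasion and Persistence techniques translate into process command-line detections and, more importantly, how to correlate them per host: shadow-copy deletion (T1490) or a service stop (T1489) on its own is everyday administrator noise, but both on one host within a few minutes is the prelude to encryption that the advisory is warning about. The command-line patterns are taken from the public ATT&CK technique descriptions rather than from the advisory, and the log lines, hosts, users and paths are constructed.

```python
"""Match process-creation command lines against a few of the ATT&CK techniques
in the table (T1490, T1489, T1562.001, T1053.005) and correlate them per host.

Added example, not part of the advisory. The command-line patterns come from
the public ATT&CK technique descriptions (shadow-copy deletion, recovery
disable, service stop, Defender real-time protection tampering, task
creation); the advisory lists the TIDs only. The log lines are constructed,
pipe-separated records in the shape  timestamp|host|user|image|commandline.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

RULES = [
    ("T1490", "Inhibit System Recovery", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
    ("T1489", "Service Stop", re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+", re.I)),
    ("T1562.001", "Impair Defenses: Disable or Modify Tools",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("T1053.005", "Scheduled Task", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]
IMPACT_TIDS = {"T1490", "T1489"}


def parse_line(line: str) -> Dict:
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "image": image, "cmd": cmd}


def match_rules(cmd: str) -> List[tuple]:
    """(tid, technique) pairs for one command line, at most one entry per TID."""
    hits = {}
    for tid, name, rx in RULES:
        if tid not in hits and rx.search(cmd):
            hits[tid] = name
    return list(hits.items())


def detect(log_text: str) -> List[Dict]:
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        for tid, name in match_rules(rec["cmd"]):
            hits.append({**rec, "tid": tid, "technique": name})
    return hits


def precursor_hosts(hits: List[Dict], window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Hosts where recovery tampering (T1490) and a service stop (T1489) occur
    within `window` of each other. Either alone is common admin activity;
    together they are the usual prelude to mass encryption."""
    by_host: Dict[str, List[Dict]] = {}
    for h in hits:
        if h["tid"] in IMPACT_TIDS:
            by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, hs in by_host.items():
        t1490 = [h["ts"] for h in hs if h["tid"] == "T1490"]
        t1489 = [h["ts"] for h in hs if h["tid"] == "T1489"]
        if any(abs(a - b) <= window for a in t1490 for b in t1489):
            flagged.append(host)
    return flagged


# Constructed sample log (not real telemetry).
SAMPLE_LOG = r"""
2020-10-29T02:14:07Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin Delete Shadows /all /quiet
2020-10-29T02:14:09Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled No
2020-10-29T02:14:31Z|FS01|CORP\svc_backup|C:\Windows\System32\net.exe|net stop "Veeam Backup Service" /y
2020-10-29T02:19:30Z|WS17|CORP\jdoe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true
2020-10-29T02:20:00Z|WS17|CORP\jdoe|C:\Windows\System32\schtasks.exe|schtasks /create /tn Updater /tr C:\Users\jdoe\AppData\Local\Temp\up.exe /sc minute
2020-10-29T03:00:00Z|WS03|CORP\admin|C:\Windows\System32\net.exe|net use Z: \\fs01\share
2020-10-29T03:00:05Z|WS03|CORP\admin|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for h in found:
        print(h["ts"].isoformat(), h["host"], h["tid"], h["technique"], "|", h["cmd"])
    print("ransomware precursor hosts:", precursor_hosts(found))
```

The per-technique matches are deliberately loose (they will fire on legitimate backup maintenance), which is why the correlation step is what should page an analyst; the benign WS03 lines (a drive mapping and a read-only vssadmin list) show that the rules stay quiet on ordinary administration.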