Skip to main content
Jason Smith

By: Jason Smith on December 14th, 2020

Print/Save as PDF

How Ryuk Malware is Impacting the Healthcare Industry

Healthcare | Cybersecurity

It seems people aren't the only ones facing a certain viral nemesis. Cyber-attacks are on the rise from opportunistic hackers, and Ryuk ransomware has risen to the top of the threat list.
Ryuk, a troublesome metamorphic malware, has become a prominent threat to hospitals and healthcare systems within the U.S. according to the Joint Cybersecurity Advisory released at the end of October (Coauthored by FBI, CISA, and HHS).   


Here’s what you need to know. 

How Is Ryuk Ransomware Infiltrating US Hospitals and Healthcare Systems?  

All it takes is one click to compromise your system. According to the Joint Cybersecurity Advisory, the threat actors have been deploying Trickbot and BazarLoader via malicious phishing campaigns. They contain links to websites hosting the malware or attachments infected with Ryuk. Newer iterations of Ryuk (since mid-February 2020) are no longer dependent on TrickbotEmotet, or BazarLoader as a Trojan dropper, in favor of now using encrypted PowerShell as a delivery tool. The new iteration also uses some known penetration tools (SharpHound and Armitage components) and has gained truly metamorphic capabilities, where child iterations spawned during pivot operations are nearly completely unique.  

In short, it’s social engineering via email campaigns. Ryuk hides a malicious script in an attachment and before you know it, the entire office is down.   

Basic security awareness best practices can come into play here. That is why I stress enrolling your team in some Security Awareness Training. Threat actors/hackers are masterful at social engineering and manipulation, using tactics that evoke fear, panic, or that draw on sympathy. The worst part is they just need to dupe one person to take down your entire healthcare system. It may surprise you just how often we see this happen!  

What Makes Ryuk Ransomware So Bad?  

Ryuk can shift and change at an alarming rate, making it a truly malicious metamorphic malware because it is difficult to predict and therefore prevent.   

Let me give you an analogy:  

For the sake of this example, your name is Phineas. Imagine I have contracted Ryuk. I have my personal brand of the RYUK virus, the “Jason Virus,” if you will. I sneeze on you and get you sick. However, instead of contracting the “Jason Virus,” you now have the “Phineas Virus”, your own unique iteration of Ryuk that antivirus software has never seen before ... do you understand why antivirus has been so ineffectual?   

Antivirus works because it essentially blacklists certain threatening signatures. Ryuk doesnhave a signature and never attacks in the same way twice.   

The Joint Cybersecurity Advisory explains that once the malware installs itself on your system, threat actors use anchor_dns to send and receive data from your victimized machines, a practice known as Domain Name System (DNS) tunneling. This helps the cyber criminals to avoid detection and evade network defense protocols because your infected computers think its just another piece of legitimate DNS traffic 

The cybercriminals can then funnel your data, deploy self-deletion techniques, and control your data, holding your organization hostage to their demands 

How Do I Prevent Ryuk from Ransoming My Data?  

Standard antiviruses (as explained above) are ineffectual for this threat, so prevention depends on the end user, or your administrative staff, clinicians, etc. Another good practice would be to invest in an EDR or an advanced anti malware. We are a Cisco Gold Partner, so ask us about Cisco AMP (Advanced Malware Protection), otherwise we can help you find and deploy really any Endpoint Detection Response (EDR) that would work for your industry.  


Security Awareness Training (Prescriptive/Proactive)  

You and your team are the first line of defense against cyber threats. Hackers are constantly developing their methods to get past your defenses. Your team needs to know what an attack looks like first, how to report the attacks, and how to rid themselves of threats.  

Learn More about Security Awareness Training

Endpoint Detection Response (EDR) Advanced Anti Malware (Prescriptive/Proactive)  

While this isn’t a full-proof prevention method, it can help. This advanced anti-malware solution measures more than signatures (remember, Ryuk does not leave one), it also measures behavioral characteristics to help you pinpoint abnormal activity. It won’t wave a red flag and tell you it’s Ryuk, but it may alert you to an issue before it’s done too much damage.   


Regular Secure and Verified Backups (Prescriptive)  

Stay involved, perform regular secure and verified backups. This will help with disaster recovery too, if something should ever go awry.   

What happens if Ryuk Ransomware Infects my Healthcare System? What are the next steps?  


Disaster Recovery   

If this happens to you, do not immediately lose hope! If Ryuk holds your data ransom, it may require a system reset. Disaster Recovery is your best bet in salvaging your data after the reset. Therefore, regular, verified, and secure backups are a crucial best practice.   


How do I report it?  

The FBI has a great report line. For your information, I’ve linked the FBI reporting page below.   

Report to the FBI

Get Security Awareness Training for Your Team  

The best offense to these security threats is defense.  Follow the link below and submit your information. My security team will contact you shortly afterwards to discuss security awareness training opportunities for your business 

Sign Up Now for Security Awareness Training


About Jason Smith

Jason Smith is the Security Consultant for Internetwork Engineering (IE) with over 15 years experience in IT & IT Security, including finance, retail, and aerospace and defense. Connect with Jason on LinkedIn.