The National Veterinary Association (NVA) in California reviles that more than half of its animal care facilities got effected by the Ryuk ransomware attack last month. The facilities are still recovering from limited access to patients’ records, payment systems, and practice management software.
The attack was discovered on the morning of Sunday, Oct. 27 and identified as Ryuk- ransomware that was first detected in August 2018. One of its most famous appearances was in 2018 Christmas when The Wall Street Journal and The New York Times were extensively damaged in their printing facilities.
NVA refused to answer questions about the ransom claiming they refer this attack as a malware rather ransomware, according to Laura Koester, NVA's chief marketing officer. She also claimed that there was no real damage to the facilities’ ability to provide services to the patient. But a source closed to the investigation reported to independent researcher Brian Kerbs on a slightly different situation. The source reported that Microsoft Active Directory and Exchange servers were infected, causing many of the infected facilities to lose their access to their Patient Information Management systems, prohibiting them from providing care.
Ryuk distribution methodology is different than most ransomware attacks. It is usually used for tailored attacks on small-scale operations so that only crucial assets and resources are infected, and distribution carries out manually by the attackers. It requires Admin privileges to run in the system by writing itself to the Run registry key. The first infection is by spam mail, tricking the user to open a malicious file. The executable content in the file is installing the bot malware that then spreads laterally inside the victim's environment by leveraging misconfigured Active Directory.
Misconfigured AD is a cyber criminal's preferred course of action. Mistakes in AD configurations will allow unwanted relationships between users, groups or administrators, allowing the attacker to identify the most critical assets of the organization and laterally spreading to them. Encrypting the organization's most valuable assets is painful to the organization, and in Ryuk's case, any shadow copies of the asset on the endpoint are deleted by disabling the Windows System Restore option. This fact makes it impossible to recover the attack without external backups, making Ryuk even more painful for the victim.
The best way to protect your organization is by ensuring proper network segmentation and monitoring changes in servers' configuration. According to Koester, every NVA hospital runs its IT operations in its own way, so there is no control on the IT security habits in the organization.
Network segmentation is a basic tactic for protecting your IT network against malware. To ensure you don't lose your drives and resources when a single endpoint gets infected, segment the access to certain servers and files. Delegate the minimal privileges possible to the admins, allowing them to only do what they need for their functionality.
In a branched organization, most often local Admins have privileges in servers' configuration settings, making it hard for management to keep track of changes being made. By monitoring your servers' configuration changes you can track suspicious changes and recognize hostile activities in your IT infrastructure.
CHS by CalCom will help you configuring your AD the safest way possible and will alert you on any change in configuration. With its unique ability to 'learn', CHS will automatically configure your servers without causing any damage to production, abolishing the need to perform any lab testing.
