Ryuk Malware Threat Assessment and Potential Product Impact Statement
Publication Version | Publication Notes/Changes | Publish Date
1.0 | Initial publication | October 30, 2020

Spacelabs Healthcare has been made aware of a malware (sometimes called “ransomware”) campaign attributed to the Ryuk group impacting healthcare and public sector organizations. The Ryuk group and their malware campaigns have been known in the industry for several years and have a history of success in exploiting and impacting businesses and IT operations. Spacelabs has conducted an assessment to identify the potential impact to our products in this attack, including if a product can be maliciously encrypted or used as a vector to spread the malware.

Current threat analyses of the Ryuk group’s latest campaign find that the malware primarily targets devices running Windows operating systems. Initial reported compromises have been attributed to successful email phishing campaigns, followed by abuse of common Windows services such as Remote Desktop Protocol (RDP) and network file shares to propagate the malware across the network. A joint cybersecurity advisory has been published by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) regarding the current Ryuk malware campaign:

https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf

Spacelabs recommends the following defenses and mitigations be applied to an enterprise environment.

  • Train employees on social engineering and phishing techniques. Have a policy or process in place to report suspicious emails to the appropriate event and incident responders.
  • Apply applicable patches, hotfixes, and updates to servers and products when available and after they have been validated.
  • Implement defense-in-depth within the enterprise environment consisting of tools such as Intrusion Detection/Prevention Systems (IDS/IPS), firewalls, and network access control (NAC).
  • Implement and maintain an anti-malware solution (also called “anti-virus”) and an endpoint detection and response (EDR) solution.
  • Disable remote access services and protocols such as Remote Desktop Protocol (RDP) unless needed. Monitor and restrict remote access usage on a least privilege basis.
  • Have backup and restore processes and procedures in place for disaster recovery and incident response.
  • Monitor and maintain account provisioning and access control based on the principle of least privilege.
  • Block suspicious external IP addresses at the enterprise firewalls. Monitor traffic internally for unusual behavior.
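The RDP and remote-access items above are the ones an administrator can verify directly on each Windows host. The following PowerShell script is an added example for this page, not Spacelabs or CISA code: it reports whether RDP is enabled, whether Network Level Authentication is required, which Remote Desktop firewall rules are active, and which source addresses and accounts have made RDP logons (Security event 4624, logon type 10) in the last seven days. It assumes Windows 8 / Windows Server 2012 or later (for the NetSecurity module), an elevated session, and that logon auditing is enabled; the seven-day window is an arbitrary choice.

```powershell
# Added example (not part of the Spacelabs advisory): audit a Windows host's RDP exposure
# and summarise recent RDP logons. Run in an elevated PowerShell session.
# Assumes Windows 8 / Server 2012 or later and Security logon auditing enabled.

# 1. Is RDP enabled? fDenyTSConnections = 1 means incoming connections are denied (RDP off).
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) { 'RDP: disabled (fDenyTSConnections = 1)' } else { 'RDP: ENABLED (fDenyTSConnections = 0)' }

# 2. Is Network Level Authentication required? UserAuthentication = 1 means a client must
#    authenticate before a session is created, which reduces the unauthenticated attack surface.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
"NLA required: $($nla -eq 1)"

# 3. Which Remote Desktop firewall rules are enabled, and on which network profiles?
#    An RDP rule enabled on the Public profile is worth a second look.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Profile

# 4. Recent RDP logons: Security event 4624 with LogonType 10 (RemoteInteractive).
#    Property indexes follow the 4624 event schema: [5] TargetUserName, [8] LogonType, [18] IpAddress.
$since = (Get-Date).AddDays(-7)   # arbitrary look-back window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.Properties[5].Value
            Source = $_.Properties[18].Value
        }
    } |
    Group-Object Source, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The logon summary is the part to compare against the site's expectation of who should be using remote access: accounts or source addresses that are not on the approved list are the ones to restrict under the least-privilege recommendation above. Run the script on the XprezzNet, ICS, Sentinel and Pathfinder SL hosts listed below, since those are the Windows systems in the customer's environment.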

In response to the latest Ryuk campaign, Spacelabs has conducted an assessment to identify devices potentially at risk for this ransomware campaign. Please note information is subject to change as the situation evolves.

Patient Monitoring and Connectivity Products

Product | Host Operating System | Impact Assessment
XprezzNet 96190 | Windows Server 2012 R2, Windows Server 2016 | XprezzNet software is not directly impacted by this campaign. However, XprezzNet is hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal.
Intesys Clinical Suite (ICS) | Windows Server 2012 R2, Windows Server 2016 | ICS software is not directly impacted by this campaign. ICS products are hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal.
Xhibit Telemetry Receiver (XTR) 96280 | Windows Embedded Standard 7 SP1 | Version 1.2.1 – No risk due to system architecture and hardening. It is recommended to have the XTR devices on their own isolated network or as part of a controlled monitoring network, separate from an enterprise network.
Xhibit 96102 / XC4 96501 | Windows Embedded Standard 7 SP1 | Version V1.3.5 – No risk due to system architecture and hardening. It is recommended to have the Xhibit/XC4 devices on a controlled monitoring network, separate from an enterprise network.
Bedside Monitors (Xprezzon 91393, Qube 91390, Ultraview SL) | VxWorks 6.6 | Not at risk due to system architecture.
Diagnostic Cardiology Products

Product | Host Operating System | Impact Assessment
Sentinel | Windows 7 & 10, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 | Sentinel is not directly impacted by this campaign. However, Sentinel is hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal.
Pathfinder SL | Windows 7, Windows 10 | Pathfinder SL is not directly impacted by this campaign. However, Pathfinder SL is hosted in the customer’s environment. It is the customer’s responsibility to manage the security of the host environment. Windows patch qualifications are available on our customer web portal.
Lifecard CF | No OS | Not at risk due to system architecture.
EVO | No OS | Not at risk due to system architecture.
CardioExpress SL6A / SL12A / CardioExpress SL18A | Embedded OS | Not at risk due to system architecture.
ABP (OnTrak, 90217A, 90207) | No OS | Not at risk due to system architecture.