FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals

The FBI, CISA, HHS warning comes two weeks after Microsoft's partial takedown of the Trickbot botnet.
Written by Liam Tung, Contributing Writer

US healthcare providers, already under pressure from the COVID-19 pandemic, have been put on high alert over Trickbot malware and ransomware targeting the sector.   

The warning over an "imminent cybercrime threat to US hospitals and healthcare providers" comes from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services. 

The US healthcare sector is under threat from infection by Trickbot, one of the largest botnets in the world, against which Microsoft took US legal action earlier this month in an effort to gain control of its servers. Within a day of the seizure, Trickbot command-and-control servers and domains were replaced with new infrastructure

SEE: Security Awareness and Training policy (TechRepublic Premium)

CISA flagged Anchor_DNS, a backdoor created by the eastern European hackers behind the multifunctional Trickbot malware. 

Trickbot emerged in 2016 as a banking trojan but evolved into a multi-purpose malware downloader that infected systems that were sold on to other criminal groups as a service. It was originally known as banking malware but has since been used to distribute malware that steals credentials, email, point-of-sale data, and spread file-encrypting ransomware such as Ryuk.  

Trickbot infected more than a million computers, according to Microsoft and its partners at Symantec, ESET, FS-ISAC, and Lumen.  

The US agencies warned the healthcare sector about Trickbot on Wednesday following a tip-off received by security firm Hold Security, according to krebsonsecurity.com

The company's CEO Alex Holden said he saw the Ryuk ransomware group – a ruthless gang known for leaking the data of targets before encrypting their files – discussing plans to deploy the ransomware at over 400 US healthcare facilities.  

"As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling," CISA said in the alert

DNS tunneling exploits the system that maps human-readable website names like google.com to the numeric internet protocol (IP) system that guides browsers to websites. 

The Anchor_DNS backdoor forces infected PCs to communicate with command-and-control servers over DNS to bypass network defense products and hide malicious communications with legitimate DNS traffic. 

"Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic," CISA notes. 

Security firm Mandiant today released a set of indicators of compromise that suggest an infection by Ryuk ransomware. It refers to the group as UNC1878. 

Reuters reports that the FBI is investigating recent attacks against healthcare providers in Oregon, California and New York, with one facility reduced to paper processes for patient medical results. 

The US government has warned hospitals to back up systems, to disconnect systems from the internet where possible, and avoid using personal email accounts, according to Reuters. 

CISA has now listed several indicators of compromise that security teams should look for.  

It notes that the Trickbot malware for Windows copies itself as an executable file with a 12-character (includes .exe), randomly generated filename – for example, mfjdieks.exe – and places this file in the directories, C:\Windows\, C:\Windows\SysWOW64\, and C:\Users\[Username]\AppData\Roaming\. 

SEE: Adware found in 21 Android apps with more than 7 million downloads

The UK's National Cyber Security Center in June warned British businesses about Ryuk ransomware attacks

Ryuk often use commercial off-the-shelf products – such as Cobalt Strike and PowerShell Empire – to steal credentials, according to CISA. 

Earlier this month, the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) warned Australian organizations about Emotet malware, which is used in conjunction with Trickbot.  

"Upon infection of a machine, Emotet is known to spread within a network by brute-forcing user credentials and writing to shared drives. Emotet often downloads secondary malware onto infected machines to achieve this, most frequently Trickbot," the ACSC wrote in its alert.

Editorial standards