The U.S. government is warning hospitals and healthcare providers to take precautions to protect their networks from imminent ransomware threats. The joint cybersecurity advisory focuses on a recent increase of the utilization of Ryuk ransomware.
According to the advisory from the FBI, CISA and HHS, Ryuk ransomware first appeared in August 2018. However, the past 30 days have seen multiple healthcare systems report Ryuk attacks and infections, resulting in millions of dollars in ransom demands. Some of the advisory's security recommendations include:
- Ensure all users are trained to identify suspicious email.
- Alert all users to be extra vigilant when opening any attachment or clicking any link included in an email message.
- Do not open any attachment received in email that is not expected.
- Do not click a link in any email without being able to positively identify the legitimate web URL/host.
- Ensure that antivirus and antimalware software are installed and updated on all eligible devices.
- Deploy Security Incident and Event Management (SIEM) monitoring in strategic network segments to help identify potentially malicious traffic behavior.
- Use multi-factor authentication where possible.
- Regularly change passwords to network systems and accounts, and avoid reusing passwords across different accounts.
- Ensure all desktops and servers are patched with the latest updates from the respective device manufacturers. Threat actors take advantage of vulnerabilities when attempting to gain domain-level access.
- Ryuk takes advantage of domain admin credentials to remotely access and encrypt disks through the administrative shares on Windows PCs. This means that no malware code ever runs on the system that gets encrypted. Customers should consider blocking access to the ports that enable this file sharing if they are worried about this threat.
- Recent updates made to Ryuk in the wild show that it attempts to encrypt files using Windows administrative shares.
- Due to this, users should consider either disabling administrative shares completely or blocking access to them via their firewall solutions, depending on the needs of the organization.
- Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
- Ensure an incident response plan is up to date and in place.
- Regularly back up all data; air gap and password protect backup copies *offline* when possible.
- Maintain multiple copies of sensitive or proprietary data and servers in separate, secure locations when possible.
- Verify that appropriate security settings and controls are in place for Microsoft Office 365 / M365.
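Two of the recommendations above are about monitoring rather than configuration: watching RDP logs, and watching for the administrative-share access pattern Ryuk uses to encrypt disks remotely. The following is an added example written for this page, not code from the advisory or from C Spire, showing what that monitoring looks like as detection logic over Windows Security events exported as JSON lines. Event IDs 4624/4625 (logon success/failure), logon type 10 (RemoteInteractive, i.e. RDP) and 5140 (a network share object was accessed) are standard Windows Security log values; the event records themselves are constructed sample data, and the alert thresholds, field names used in the export, and the host/account names are assumptions.

```python
# Added example (not from the advisory or C Spire): flag the two behaviours the
# recommendations above say to watch for, using constructed Windows Security
# events exported as JSON lines. Event IDs 4624/4625 (logon success/failure),
# logon type 10 (RemoteInteractive, i.e. RDP) and 5140 (network share accessed)
# are standard Windows Security log values; thresholds and names are assumptions.
import json
from collections import Counter, defaultdict

RDP_LOGON_TYPE = "10"        # RemoteInteractive: interactive logon over RDP
FAILED_LOGON_THRESHOLD = 5   # assumed: failures from one source before alerting
SHARE_HOST_THRESHOLD = 3     # assumed: distinct hosts whose admin shares one account opened


def _event(**fields):
    """Serialise one constructed event the way a JSON-lines export would."""
    return json.dumps(fields)


# Constructed sample telemetry: a password-guessing run against RDP on ws01 that
# eventually succeeds, then the same account opening C$ on four servers, plus
# benign noise (a single failure, access to an ordinary named share) and one
# corrupt line that the parser must skip rather than crash on.
SAMPLE_LOG_LINES = (
    [_event(EventID=4625, LogonType="10", TargetUserName="admin",
            IpAddress="203.0.113.7", Computer="ws01") for _ in range(6)]
    + [_event(EventID=4624, LogonType="10", TargetUserName="admin",
              IpAddress="203.0.113.7", Computer="ws01")]
    + [_event(EventID=5140, SubjectUserName="admin", ShareName="\\\\*\\C$",
              IpAddress="10.0.0.5", Computer=host)
       for host in ("srv01", "srv02", "srv03", "srv04")]
    + [_event(EventID=4625, LogonType="10", TargetUserName="jdoe",
              IpAddress="10.0.0.9", Computer="ws02"),
       _event(EventID=5140, SubjectUserName="backup", ShareName="\\\\*\\Backups",
              IpAddress="10.0.0.8", Computer="srv01"),
       "not json at all"]
)


def parse_events(lines):
    """Parse JSON-lines records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _is_rdp(event, event_id):
    return event.get("EventID") == event_id and str(event.get("LogonType")) == RDP_LOGON_TYPE


def rdp_password_guessing(events, threshold=FAILED_LOGON_THRESHOLD):
    """Sources with >= threshold failed RDP logons for one account. Also records
    whether a successful RDP logon for that source/account pair followed, since
    that is the case that needs an immediate response rather than just a block."""
    failures = Counter()
    for e in events:
        if _is_rdp(e, 4625):
            failures[(e.get("IpAddress"), e.get("TargetUserName"))] += 1
    alerts = []
    for (ip, user), count in failures.items():
        if count < threshold:
            continue
        succeeded = any(_is_rdp(e, 4624) and e.get("IpAddress") == ip
                        and e.get("TargetUserName") == user for e in events)
        alerts.append({"source": ip, "user": user, "failures": count,
                       "followed_by_success": succeeded})
    return alerts


def admin_share_fan_out(events, threshold=SHARE_HOST_THRESHOLD):
    """Accounts that opened administrative shares (names ending in $, e.g. C$ or
    ADMIN$) on >= threshold distinct hosts: the remote-encryption pattern above."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if e.get("EventID") == 5140 and str(e.get("ShareName", "")).endswith("$"):
            hosts_by_user[e.get("SubjectUserName")].add(e.get("Computer"))
    return [{"user": user, "hosts": sorted(hosts)}
            for user, hosts in hosts_by_user.items() if len(hosts) >= threshold]


def run_detections(lines):
    """Run both detections over raw log lines and return the alerts by category."""
    events = parse_events(lines)
    return {"rdp": rdp_password_guessing(events),
            "admin_shares": admin_share_fan_out(events)}


if __name__ == "__main__":
    for name, alerts in run_detections(SAMPLE_LOG_LINES).items():
        print(name, json.dumps(alerts, indent=2))
```

The admin-share rule keys on share names ending in `$` because that is how the built-in C$, ADMIN$ and IPC$ shares are named, so an account that opens them on many hosts in a short window stands out even when each individual access is authorised; in a SIEM the same logic would be expressed as a group-by over account and host count. If administrative shares are disabled or blocked at the firewall as the advisory suggests, the 5140 events simply stop appearing, and any that do appear become worth investigating on their own.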
Next steps
If you have concerns about your security architecture, business continuity or data backup options, contact C Spire Business for a consultation.