Recently, The FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency (CISA) released an alert that warned that the healthcare industry was being targeted by hackers.

UNC1878 is the designation given the Russian cybercriminal actor responsible for large-scale ransomware attacks targeting healthcare facilities across the US.

These attacks have a lot of moving pieces from initial compromise to actual ransomware encryption. These initial phases are where we are given the opportunity to catch the infection and isolate the issue before the attacker ever gets the chance of encryption.

Ransomware, overall, is difficult to detect once it gets to the deployment phase and even harder to isolate and stop due to the often rapid deployment across networks. Fortunately, in order for the ransomware to be successful for the attackers, there are many noticeable tactics they use to manipulate the environment into the most prime target before deployment.

Initial compromise can come from many different avenues, but phishing remains the most common and most effective way for attackers to gain access to a network. During recent Ryuk infections, spear phishing attacks were observed as the way they gained access into their targeted systems. This can be both detected and prevented through properly configured mail solutions, best practices, and employee awareness training.

Once initial access is gained, Ryuk ransomware has been observed using many different loaders to deploy: BazarLoader, Emotet, Trickbot and the latest, Buer. Buer first checks to see if there is a debugger enabled, then checks language and localization to figure out where it is geographically. To deploy, Buer executes a powershell command to bypass execution policies executed by Buer to not trigger any warnings, and it runs more powershell commands to ensure it gets added to Windows Defender’s exclusion list. Then the loader phones home and gives us a chance to catch initial C2 traffic. Buer is nice enough to drop files into C:\ProgramData\directory-, where the directory name is variable with each deployment.

The infection is then going to want to create persistence, which is usually established by a task schedule on the infected host. This is hard to detect given that scheduled tasks are normal procedure and there’s not generally a way to differentiate malicious scheduled tasks from ordinary windows tasks.

Next, discovery, lateral movement, and privilege escalation are going to be the focus as the malware gets in a good position to deploy the ransomware and cripple the target. This traversal and enumeration of hosts within a network is noisy and one of the best phases we have for detection. Tools like Cobalt Strike and Bloodhound (Sharphound) are often used for this process and are normally never found on a network outside of Pentesting devices. Behavior based anomalies such as share enumeration, AD enumeration, and system enumeration are all indicators of network discovery taking place. Cobalt Strike BEACON has been observed running multiple exploitation tools via PowerShell to run network reconnaissance in associated network intrusions, such as AllChecks, FileFinder, EternalBlue, Kerberoast, mimikittenz, Sharefinder, UserHunter, etc.

From the attacker’s perspective, all this reconnaissance has hopefully led them to gain credentials and privilege escalation at this point and move through the network laterally. Every system is going to be unique, but this is where internal controls, regular active directory GPO permission audits, and hardened credentials are going to slow the attackers down, thus providing more opportunities for detection.

With the network enumerated and access gained to the targeted system, the attackers are going to try to disable anything on the systems that might disrupt their ransomware deployment. Visibility into critical processes getting disabled is vital in detecting during the evasion phase. For UNC1878, GMER has been observed as the most commonly utilized tool when attempting to disable critical endpoint-detection and respond applications. GMER was originally a rootkit detector tool that gives the attacker visibility into the drivers, libraries, registry entries, and file functions.

Finally, the attackers attempt to deploy the ransomware across the network. The ransomware itself is going to be best detected and remediated by endpoint solutions because those are the systems that will actually have visibility into this phase of the attack. Process injection, process hollowing, and process doppelganging are all common methods used by malware authors to evade detections and execute the ransomware code in memory. While investigating these methods, consistent Windows API calls are used such as VirtualAllocEx, VirtualAllocExNuma and CreateRemoteThread in order to format the relevant memory and achieve code execution. Detecting these calls can be one of the final indications we have of ransomware before the machine is encrypted. This is also a central point of deployment across a wide variety of malware droppers commonly used during Ryuk infection as this is a preferred and very common technique among sophisticated actors. After infection, the actual .ryuk files may be visible on endpoint solutions and then it’s a race against time to isolate the machine and figure out how much more of the network is compromised.

At this point, IOCs like domains and IPs are easy for attackers to change, so while they are still detection and investigation worthy, behavior-based detections don’t have the same expiration date. Some of the tactics discussed above, especially during the internal discovery phase, are clear indicators something is amiss in the network. It’s important to have multiple detections across multiple phases of the attack because of constant visibility challenges. Email monitoring is important for the initial infection phase, network monitoring for the discovery and lateral movement phase, and endpoint monitoring for the actual deployment of ransomware.

In conclusion, UNC1878 is a highly sophisticated method of deploying ransomware, but there are many common infection tactics used that are highly documented and can be mitigated by proper security measures and defense-in-depth.

If your organization is looking for guidance on UNC1878 or any other foreign threat protection and detection, Datashield is offering a free consultation with one of our security engineers.