
Joint Federal Agency Advisory Warns of Imminent Ransomware Threats to the Healthcare and Public Health Sector

Kelly Ruane Melchiondo

As if the recent uptick in national COVID-19 cases and hospitalizations were not enough to tax an already beleaguered health system, on October 28, 2020, three federal agencies issued a cybersecurity Joint Advisory warning of a credible threat of “increased and imminent cybercrime” targeting U.S. hospitals and public sector healthcare providers. In the Joint Advisory, the Cybersecurity and Infrastructure Security Agency (CISA), FBI and the Department of Health and Human Services (HHS) warned that malicious cyber actors are targeting the public health sector with Trickbot malware that can lead to ransomware attacks, data theft, and disruption of healthcare service.

The Joint Advisory focused on Trickbot malware known as “Anchor,” which cyber actors use to target high-profile victims such as large corporations. Anchor works as a backdoor to allow victims’ machines to communicate with servers over the Domain Name System (DNS) to evade typical network defenses. This enables malicious communications to blend in with legitimate DNS traffic. Anchor is particularly aggressive malware that schedules tasks every 15 minutes to persistently attack victims’ machines.

An Anchor Trickbot infection implants Ryuk malware into systems for financial gain. Ryuk ransomware targets victims that malicious actors perceive to have the ability to pay exorbitant sums of money. Ryuk ransomware often goes undetected until days or months after the initial infection. This allows the malicious actor sufficient time to surveil the infected network to identify critical network systems and users, or to shut down or uninstall critical security applications that would otherwise prevent ransomware from executing.

In the Joint Advisory, CISA, FBI and HHS encourage healthcare organizations to maintain or reinforce their business continuity plans, and to ensure that they are following best practices for cybersecurity, including, for example:

  • Patching operating systems, software and firmware as soon as manufacturers release updates;
  • Regularly changing passwords to network systems and accounts;
  • Using multi-factor authentication where possible; and
  • Identifying critical assets and creating backup systems, and housing those backup systems offline from the network.

Organizations should review the Joint Advisory’s list of indicators of Trickbot infection, as these are key indicators of an imminent ransomware attack. For example, organizations should, at a minimum, search their C:\Windows directories for suspicious 12-character .exe files, or “anchorDiag.txt” files.
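One way to run that minimum search, together with a review of scheduled tasks that repeat every 15 minutes as described earlier, is sketched below. It is an added example, not code from the Joint Advisory or from this post, and it assumes that “12-character” means a base name of exactly 12 letters or digits and that searching C:\Windows plus its immediate subdirectories is sufficient.

```powershell
# Added example: triage sweep for the indicators described in this post.
# Assumptions (not from the post): "12-character" = base name of exactly 12
# letters/digits; search depth is C:\Windows and its immediate subdirectories.
# Run from an elevated PowerShell 5.1+ session. Hits are leads for review,
# not proof of infection: legitimate files and tasks can match.

$root = $env:SystemRoot   # normally C:\Windows

$fileHits = Get-ChildItem -LiteralPath $root -File -Force -Depth 1 -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Extension -eq '.exe' -and $_.BaseName -match '^[A-Za-z0-9]{12}$') -or
        ($_.Name -eq 'anchorDiag.txt')
    } |
    ForEach-Object {
        $isExe = $_.Extension -eq '.exe'
        # Signature status helps separate signed Windows binaries from unknown ones.
        $sig = if ($isExe) {
            (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        } else { 'n/a' }
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{
            Path       = $_.FullName
            Indicator  = if ($isExe) { '12-char exe' } else { 'anchorDiag.txt' }
            CreatedUtc = $_.CreationTimeUtc
            Signature  = $sig
            SHA256     = $hash
        }
    }

# Scheduled tasks with a trigger that repeats every 15 minutes (ISO 8601 "PT15M").
$taskHits = Get-ScheduledTask | Where-Object {
    $_.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT15M' }
} | ForEach-Object {
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        Author  = $_.Author
        Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

'--- File indicators ---'
$fileHits | Sort-Object Signature, CreatedUtc | Format-Table -AutoSize -Wrap
'--- Tasks repeating every 15 minutes ---'
$taskHits | Format-Table -AutoSize -Wrap
```

Unsigned 12-character executables with recent creation times, and 15-minute tasks whose actions point at them, are the results to escalate first; compare the SHA256 values against the indicator list in the Joint Advisory.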

All organizations, whether in the healthcare public sector or not, should note and implement the recommendations in the Joint Advisory. The best defense to a ransomware attack is frequent, if not daily, backups of critical files and network systems to neutralize the threat of inaccessible data. Paying a ransomware demand does not ensure recovery of stolen or compromised data, and may run afoul of federal regulations prohibiting payments to foreign actors. Now is the time to immediately back up data, password protect backup copies offline, and maintain backup servers in a separate physical location.
