An uptick in the Russian language criminal underground in the run up to the 2020 US presidential election, suggested a massive coordinated campaign to disrupt the United States by destructive ransomware attacks against US hospitals and other healthcare delivery organizations. Whether this was party motivated by the Kremlin to weaken democratic resolve and confidence in the US election systems is so far unknown, as is any intended manipulation of results to favor one presidential candidate over another. What is known however, is that the United States government in coordination with Microsoft and other technology companies, managed to take down the majority of an extensive global Trickbot network a few weeks before this threat was first discovered, so this may have been an attempted retribution for cyber-criminals. Trickbot is used to infect computers with Ryuk and other malicious ransomware software.
The threat was considered so great, and so many prime US hospitals mentioned by name in criminal underground conversations, that the CISA, FBI and HHS held several joint briefings for hospital executives and those who support them. These briefings outlined the nature of the threat, and advised HDOs to be on the look out for anomalous activity that could be an indicator of compromise (IOC), while patching known attack vectors and other security vulnerabilities with all due haste.
The American College of Clinical Engineering in support of its members, requested that Cylera and its threat intelligence entity CyleraLabs based in Madrid, provide a deeper drive on the Ryuk ransomware family, and brief the ACCE membership on IOCs while providing advice to member hospitals how to prevent and recover from any such attack. The following briefing and panel discussion with MDs, security leaders and clinical engineers is the result of that request.
