[BreachExchange] 400 Vet Locations Nipped by Ryuk Ransomware

Destry Winant destry at riskbasedsecurity.com
Thu Nov 21 10:04:14 EST 2019


https://threatpost.com/400-vet-locations-ryuk-ransomware/150443/

The infection apparently made its way in through third-party systems.

National Veterinary Associates (NVA) has been hit with the Ryuk
ransomware, in an attack that affects 400 clinics across the country.

The California company said that it could take a week for its
facilities to be fully back up and running normally. Patient records,
payment systems and practice management software were all locked up in
the attack.

NVA said it discovered the ransomware outbreak on Oct. 27 and hired
two outside security firms to help it recover. Affected clinics now
have regained access to patient records.

NVA CMO Laura Koester confirmed the attack to independent researcher
Brian Krebs, but declined to say whether the ransom was paid, or how
it arrived on NVA systems. She noted that each NVA location runs its
own IT operations; it’s unclear if there’s a wide-area network (WAN)
or other common connection linking the affected locations (NVA has
about 700 clinics in total). However, NVA head of technology Greg
Hartmann said that it was a supply-chain attack.

“The virus eventually found three smaller points of entry through
accounts that were unaffiliated with NVA, but unfortunately opened
within our network,” Hartmann wrote in an internal memo obtained by
Krebs. “Upon discovery of the incident, our technology team
immediately implemented procedures to prevent the malware from
spreading; however, many local systems were affected. Still, we have
many hospitals whose systems are not recovered. The technology team
continues to set up interim workstations at each affected hospital
while they prepare to rebuild servers.”

NVA did not immediately respond to a request for comment, but Colin
Bastable, CEO of security awareness training company Lucy Security,
said that social engineering was the likely attack vector.

“Ninety-seven percent of successful attacks involve some form of
social engineering, and over 90 percent start with a phishing email,”
Bastable said via email. “When I demonstrate spoofing emails, around
10 percent of them get straight through to the prospect, after they
always assure me that they have perfect defenses. This is especially
so in government, which explains why ransomware is so effective in
crippling state and local government. Ransomware attacks can wipe out
entire systems in minutes – have a recovery plan and know what you
will do when you are hit. Planning in advance is better than making it
up when you have no phones, no email and no data.”

Ryuk is a ransomware strain distributed by the Russian-speaking Wizard
Spider financial crime syndicate, first spotted in August 2018. Since
then, it has been involved in several high-profile attacks, such as a
coordinated, targeted ransomware cyberattack on 23 Texas local and
state entities in August.

The Ryuk ransomware has also recently added two features that make it
more effective: the ability to target systems that are in ‘standby’ or
sleep mode, which it previously had no way to encrypt; and the use of
Address Resolution Protocol (ARP) pinging to find drives on a company’s
LAN. Both are used after the initial network compromise of a victim
organization.
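As an added defender-side example (not from the article, NVA or Threatpost): a small Python check that flags a host sending ARP who-has requests for many distinct targets within a short window, the LAN discovery behaviour the article attributes to Ryuk. The log text is constructed in a tcpdump-like format, and the window and threshold values are assumptions to tune per network.

```python
import re
from collections import defaultdict

# Matches a tcpdump-style ARP request line with an epoch timestamp; replies and other traffic are ignored.
ARP_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) ARP, Request who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)")


def parse_arp_requests(text):
    """Return (timestamp, source_ip, target_ip) for every ARP who-has line in the text."""
    out = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            out.append((float(m["ts"]), m["src"], m["target"]))
    return out


def find_sweeps(requests, window=10.0, threshold=20):
    """For each source, find the most distinct targets it asked for inside any
    `window` seconds; sources reaching `threshold` are returned as suspected sweeps.
    Normal hosts resolve a handful of peers (gateway, file server, printer), not dozens in seconds."""
    by_src = defaultdict(list)
    for ts, src, target in requests:
        by_src[src].append((ts, target))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:   # slide the window start forward
                lo += 1
            best = max(best, len({t for _, t in events[lo:hi + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


# Constructed sample traffic: 10.0.0.20 asks for 30 different hosts in 3 seconds (sweep),
# while 10.0.0.7 asks for its gateway and one printer 30 seconds apart (normal).
SWEEP_LINES = [f"{1574350000 + i * 0.1:.2f} ARP, Request who-has 10.0.0.{100 + i} tell 10.0.0.20, length 28"
               for i in range(30)]
NORMAL_LINES = ["1574350000.00 ARP, Request who-has 10.0.0.1 tell 10.0.0.7, length 28",
                "1574350030.00 ARP, Request who-has 10.0.0.9 tell 10.0.0.7, length 28",
                "1574350031.00 ARP, Reply 10.0.0.9 is-at 00:11:22:33:44:55, length 28"]
SAMPLE_LOG = "\n".join(SWEEP_LINES + NORMAL_LINES)


def detect(text=SAMPLE_LOG):
    """Run the sweep check over a log text; returns {source_ip: distinct_targets_in_window}."""
    return find_sweeps(parse_arp_requests(text))


if __name__ == "__main__":
    print(detect())  # prints {'10.0.0.20': 30}
```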

“The destructive power of ransomware, especially Ryuk, continues to
show how vulnerable organizations are regardless of their size,” Erich
Kron, security awareness advocate at KnowBe4, said via email. “It is
also a lesson in how long the impact of ransomware can be felt.
According to Kaspersky, 34 percent of businesses hit with ransomware
took a week or more to regain access to their data. That can be
crippling to any size organization that’s not prepared for it.”
