Mandiant Threat Intelligence Follows the Trail From Initial Emails to Installing Ryuk
Sky Lakes Medical Center in Klamath Falls, Oregon, is one of the hospitals recently hit with ransomware.
A new report describes the attack methods of an Eastern European gang known as UNC1878 or Wizard Spider that’s been waging ransomware attacks against U.S. hospitals in recent days (see: US Hospitals Warned of Fresh Wave of Ransomware Attacks).
The report from FireEye’s Mandiant Threat Intelligence team breaks down how UNC1878 attacks a victim.
“UNC1878 has been aggressively targeting the healthcare sector since their return in September 2020. We believe that their success in negotiating ransoms from these organizations has resulted in them ramping up targeting of hospitals over the last week,” says Kimberly Goody, manager, cybercrime analysis at FireEye.
“The operators conducting these campaigns have actively targeted hospitals, retirement communities and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life,” the report says.
UNC1878 has hit hospitals across the country with Ryuk ransomware, with NBC News reporting at least 20 facilities have been struck so far. One of the latest is the University of Vermont Health Systems.
The attacks prompted the FBI and the U.S. Cybersecurity and Infrastructure Security Agency to issue warnings.
“The Russian-based Wizard Spider/UNC1878 are the bad actors responsible for Trickbot. These bad actors have been building, integrating and enhancing their capabilities for years, constantly expanding upon the scope and impact potential of their attacks,” says Curtis Simpson, CISO of the security firm Armis.
Trickbot activity was dealt a blow a few weeks ago when Microsoft and U.S. Cyber Command helped take down a majority of its command-and-control servers. The botnet has since recovered but has not regained its previous level of activity (see: Microsoft Continues Trickbot Crackdown).
UNC1878 uses the Bazar family of malware, also known as Team 9, Kegtap/Beerbot, Singlemalt/Stilbot and Winekey/Corkbot, in conjunction with Trickbot to deliver Ryuk ransomware.
Breaking Down an Attack
Mandiant’s analysis of UNC1878’s methods is based on what it’s observed in the recent hospital attacks and how the group conducted earlier attacks on healthcare facilities.
“These threat actors have previously targeted the healthcare sector. We believe the reason for the increased attacks right now is because they have had success with this industry responding quickly and paying,” Goody tells Information Security Media Group.
Mandiant Threat Intelligence says UNC1878’s attacks typically begin with a phishing campaign, and its tactics, techniques and procedures to gain entry are generally the same regardless of the industry being targeted.
The phishing emails contain a link to an actor-controlled Google Docs document, typically a PDF file, which in turn links to a URL hosting a malware payload. The emails masquerade as generic corporate communications, such as a follow-up concerning documents, phone calls, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
As a further lure, some emails include the recipient’s name or employer name in the subject line or email body.
UNC1878 has recently changed some of its tactics. For example, it no longer uses Sendgrid to deliver the phishing emails and to supply the URLs that lead to the malicious Google documents, Mandiant reports.
“Recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service,” according to the Mandiant report.
Hosting the malicious documents on a legitimate service is also a new twist. Earlier campaigns were hosted on compromised infrastructure, Mandiant researchers say.
Establishing a Foothold
Once the group delivers a loader via a malicious document, it downloads the Powertrick backdoor and/or Cobalt Strike Beacon payloads to establish a presence and to communicate with the command-and-control server, the report says.
Mandiant notes that the group uses Powertrick infrequently, perhaps for establishing a foothold and performing initial network and host reconnaissance. But the group more frequently uses Beacon throughout various stages of the attack lifecycle.
The group maintains persistence by creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline and in some cases using stolen login credentials, the report says.
The malware next attempts to escalate its privileges on the infected system using valid credentials belonging to privileged accounts that are stored in memory or on disk. These credentials are obtained using Mimikatz via exported copies of the ntds.dit Active Directory database and the system and security registry hives from a domain controller, Mandiant says.
The next stage is to move laterally through the victim's network, which is accomplished using valid credentials in combination with Cobalt Strike Beacon, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.
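The persistence and credential-theft behaviours described above (BITS jobs created with /setnotifycmdline, scheduled tasks, startup-folder shortcuts, and exports of ntds.dit and the system/security hives) each leave a process command line behind. The following is an added detection example, not code from the Mandiant report or from ISMG; it assumes a hypothetical tab-separated process-creation log (host, user, command line) and runs over constructed sample lines.

```python
import re

# Hypothetical log format assumed here: host<TAB>user<TAB>command line.
# These lines are constructed samples modelled on the report's description,
# not data from any real incident.
SAMPLE_LOGS = """\
WS01\tjdoe\tbitsadmin /setnotifycmdline upd C:\\Users\\Public\\upd.exe NULL
WS01\tjdoe\tschtasks /create /tn Updater /tr C:\\Users\\Public\\upd.exe /sc onlogon
WS01\tjdoe\tcmd /c copy upd.lnk "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
DC01\tsvc_backup\treg save HKLM\\SYSTEM C:\\temp\\system.hiv
DC01\tsvc_backup\tcmd /c copy C:\\temp\\ntds.dit \\\\WS01\\share\\
WS02\tasmith\twinword /n Q3-report.docx
"""

# One case-insensitive regex per behaviour named in the report.
RULES = {
    "bits_setnotifycmdline": re.compile(r"bitsadmin.*?/setnotifycmdline", re.I),
    "scheduled_task_create": re.compile(r"schtasks.*?/create", re.I),
    "startup_folder_shortcut": re.compile(r"\\Startup\\.*\.lnk|\.lnk.*\\Startup\\", re.I),
    "registry_hive_export": re.compile(r"reg\s+save\s+hklm\\(system|security|sam)", re.I),
    "ntds_dit_access": re.compile(r"ntds\.dit", re.I),
}

def parse_line(line):
    """Split one log line into its three fields (command line may contain tabs)."""
    host, user, cmd = line.rstrip("\n").split("\t", 2)
    return {"host": host, "user": user, "cmd": cmd}

def detect(log_text):
    """Return (host, user, rule_name, cmd) for every line matching a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for name, rx in RULES.items():
            if rx.search(ev["cmd"]):
                hits.append((ev["host"], ev["user"], name, ev["cmd"]))
    return hits

def hosts_with_multiple_behaviours(hits, threshold=2):
    """Hosts showing two or more distinct behaviours: worth escalating first."""
    by_host = {}
    for host, _, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in by_host.items() if len(names) >= threshold)

if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for hit in found:
        print(hit)
    print("escalate:", hosts_with_multiple_behaviours(found))
```

A single match (a legitimate scheduled task, a backup account saving a hive) is noise on its own; the host-level grouping is what separates the full chain the report describes from routine administration.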
The Damage Done
“Mandiant is directly aware of incidents involving Kegtap [BazarLoader] that included the post-compromise deployment of Ryuk ransomware. We have also observed instances where Anchor infections, another backdoor associated with the same actors, preceded Conti or Maze deployment,” the report says.
The attackers were also observed exfiltrating data files using Cobalt Strike Beacon and via SFTP to an attacker-controlled server, the report says.
Once finished, the attackers attempt to cover their tracks by deleting their tools from the host.
Armis’ Simpson says even though the latest attacks focus on hospitals’ networks, medical devices and other endpoints running Linux and Windows must also be protected.
“However, subsequent efforts must include the ability to continuously assess and monitor for risks and signs of attacks moving laterally into vulnerable medical devices,” he says. “These attacks are not only impacting servers, but actual medical devices as well. In fact, these attacks against healthcare facilities usually disrupt more medical devices than traditional computers/servers.”