Latest HIPAA News

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, stating, “At this time, we consider the threat to be credible, ongoing, and persistent.”

In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020.

Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a matter of days or even hours.

A long period between compromise and deployment gives victim organizations time to identify the compromise and take steps to eradicate the hackers from the network in time to prevent file encryption. The short duration makes this far more difficult.

“CISA, FBI, and HHS urge health delivery organizations and other HPH sector entities to work towards enduring and operationally sustainable protections against ransomware threats both now and in the future.”

A variety of techniques are now being used to deploy ransomware, including other malware variants such as TrickBot and BazarLoader, which are commonly delivered via phishing emails, as well as manual deployment after networks have been compromised by exploiting vulnerabilities.

Healthcare organizations should take steps to combat the ransomware threat by addressing the vulnerabilities that are exploited to gain access to healthcare networks. This includes conducting vulnerability scans to identify vulnerabilities before they are exploited and ensuring those vulnerabilities are addressed. Anti-spam and anti-phishing solutions should be implemented to block the email attack vector, and healthcare organizations should adopt a 3-2-1 backup approach to ensure files can be recovered in the event of an attack. The 3-2-1 approach involves 3 copies of backups, on two different media, with one copy stored securely off-site. The recent ransomware attack on Alamance Skin Center highlights the importance of this backup strategy. Patient information was permanently lost as a result of the attack when the ransom was not paid.

“Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods,” explained ASPR. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”

Indicators of Compromise (IoCs), suggested mitigations, and ransomware best practices are detailed in the October 28, 2020 CISA/FBI/HHS alert.

The post ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector appeared first on HIPAA Journal.

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data.

The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft, and three APT groups are known to be conducting attacks: the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea, the Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29).

The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently in advanced clinical trials. One of the targeted companies has developed a COVID-19 test and the clinical research firm is involved in conducting COVID-19 vaccine trials. While the attacked companies were not named by Microsoft, cyberattacks have been reported by the Indian pharma firms Dr. Reddy’s and Lupin, and the U.S. biotech firm Moderna is known to have been attacked.

Microsoft reports that some of the attacks have been successful, although Microsoft did not say whether that means systems have been breached or if intellectual property and vaccine and research data were obtained.

The Russian Strontium group has favored brute force tactics to crack passwords for employee accounts, while the Lazarus group has been sending spear phishing emails to key employees to obtain passwords. One tactic used by the Lazarus group involves posing as recruiters and sending fake job descriptions. Cerium, which is believed to be a new North Korean hacking group, has also been using phishing emails to gain access to employee credentials. Its campaign involved impersonating the World Health Organization (WHO).

The motivation behind the attacks is clear. Research and vaccine data would give foreign countries a huge strategic advantage, with research and vaccine data potentially worth billions of dollars. These attacks appear to be solely concerned with data theft. The attacks so far do not appear to have been conducted to hamper efforts to conduct research or develop vaccines, but there are many cybercriminal groups that are conducting destructive cyberattacks.

Healthcare organizations have faced a barrage of financially motivated cyberattacks by cybercriminal organizations using ransomware in recent months. Recently, CISA, the FBI, and HHS issued a joint advisory following an increase in targeted Ryuk ransomware attacks on healthcare organizations in the United States. The Ryuk and other ransomware gangs have also attacked healthcare organizations in France, Germany, Thailand, Spain, and the Czech Republic. The ransomware attack on a hospital in Germany resulted in the first known patient death due to a ransomware attack, and several attacks in the United States have resulted in major disruption and have forced hospitals to cancel elective procedures and reroute patients to alternative healthcare facilities.

Several industry groups are offering assistance to organizations in the healthcare sector such as the Health Sector Coordinating Council and Health-ISAC, and are providing indicators of compromise (IoCs) and detailed information on recent attacks to help organizations improve their defenses against cyberattacks and better defend their networks and data.

Microsoft has been taking an active role in attack prevention and has recently participated in the Paris Peace Forum, a multi-stakeholder coalition working on combating these attacks, in particular to stop attacks on critical infrastructure from succeeding. Prior to the Paris Peace Forum, over 65 healthcare organizations joined the Paris Call for Trust and Security in Cyberspace. The Paris Call is the largest multi-stakeholder coalition to date that addresses cybersecurity issues faced by the healthcare industry.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Tom Burt, Microsoft Vice President for Customer Security & Trust, in a Friday blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”

The post Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development appeared first on HIPAA Journal.

Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation.

OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provide her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later the records had still not been provided.

OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually provided to the patient in September 2020, 26 months after the initial request. HIPAA requires medical records to be provided within 30 days of a request being received.

OCR determined the failure to provide the medical records was in violation of the requirements of the HIPAA Right of Access (45 C.F.R. § 164.524). Dr. Bhayani also failed to respond to letters sent by OCR on August 2, 2019 and October 22, 2019 requesting data. The failure to cooperate with OCR’s investigation of a complaint was in violation of 45 C.F.R. §160.310(b). OCR determined the violations warranted a financial penalty. Dr. Bhayani agreed to settle the case with no admission of liability.

“Doctor’s offices, large and small, must provide patients their medical records in a timely fashion. We will continue to prioritize HIPAA Right of Access cases for enforcement until providers get the message,” said OCR Director Roger Severino.

The corrective action plan requires Dr. Bhayani to review and revise policies and procedures for providing individuals with access to their PHI in line with 45 C.F.R. § 164.524 and the policies must detail the methods used to calculate a reasonable, cost-based fee for providing access. Those policies must be submitted to OCR for review, and any changes requested by OCR must be implemented within 30 days. Dr. Bhayani is also required to provide privacy training to staff covering individual access to protected health information and the training materials must similarly be submitted to OCR for review and approval.

Every 90 days, Dr. Bhayani is required to send a list of all access requests to OCR, including the costs charged for dealing with the requests, along with details of any requests that have been denied. Any cases of staff members failing to comply with access requests must also be reported to OCR.

OCR will monitor Dr. Bhayani for two years from the date of the resolution agreement to ensure continued compliance with the HIPAA Right of Access.

The post Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure appeared first on HIPAA Journal.

Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 10th financial penalty under its HIPAA Right of Access enforcement initiative.

California-based Riverside Psychiatric Medical Group has agreed to pay a financial penalty of $25,000 to resolve a potential HIPAA Right of Access violation and will adopt a corrective action plan to ensure compliance with this important provision of the HIPAA Privacy Rule. The HHS will monitor Riverside Psychiatric Medical Group for 2 years to ensure continued compliance.

OCR launched an investigation following receipt of a complaint from a patient in March 2019 alleging Riverside Psychiatric Medical Group failed to provide a copy of her medical records after she had made several requests, with the first request made in February 2019.

OCR contacted Riverside Psychiatric Medical Group and provided technical assistance on how the practice could comply with the HIPAA Right of Access and the case was closed. A month later, in April 2019, a second complaint was received from the patient saying she had still not been provided with her medical records, despite OCR’s intervention.

OCR reopened the investigation and determined that Riverside Psychiatric Medical Group had potentially violated the HIPAA Right of Access after failing to take any action. Riverside Psychiatric Medical Group explained that the request for records included psychotherapy notes and, as such, the practice was not required to comply.

OCR explained that psychotherapy notes do not need to be provided to patients; however, when such a request is received, the requestor must be given a written explanation of why the requested records will not be provided, in whole or in part, and access must still be provided to the parts of the medical record that do not include psychotherapy notes. Riverside Psychiatric Medical Group had not written to the patient to explain why the request had been denied.

After OCR’s second intervention, the patient was provided with a copy of her medical records in October 2019, as requested, minus the psychotherapy notes.

“When patients request copies of their health records, they must be given a timely response, not a run-around,” said OCR Director Roger Severino in a statement about the settlement.

The post Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative appeared first on HIPAA Journal.

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, Cumberland County and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices.

Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville, and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY.

In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes, driver’s license numbers, dates of birth, prescription numbers, prescription types, pickup and delivery dates.

After receiving reports about the improper disposal of ePHI, the New Jersey Division of Consumer Affairs launched an investigation and determined the disposal of the devices was in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and there had been multiple violations of the state’s fraud act. Staff at the stores had also not been provided with appropriate training on the handling and disposal of sensitive information.

“Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes,” said New Jersey Attorney General Gurbir S. Grewal. “Those who compromise consumers’ private health information face serious consequences.”

Wakefern has agreed to pay $209,856.50 in civil penalties and $25,143.50 for reimbursement of attorneys’ fees and investigative costs and will implement protective measures to ensure future data breaches are prevented. Those measures include appointing a chief privacy officer, executing a business associate agreement with ShopRite Supermarkets, Union Lake, and each of the members that operate pharmacies within the supermarkets, and ensuring appropriate measures are implemented to safeguard protected health information. Each of the ShopRite stores that has a pharmacy is required to appoint a HIPAA privacy officer and HIPAA security officer to oversee compliance, and online training must be provided for those officers on their privacy and security roles.

“New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”

The post Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000 appeared first on HIPAA Journal.

ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule

The deadline for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act has been extended due to the ongoing COVID-19 pandemic.

On October 29, 2020, the US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) announced the release of an interim final rule with comment period that extended the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements.

The ONC’s Cures Act Final Rule, released on March 9, 2020, defined exceptions to the information blocking provision of the 21st Century Cures Act and adopted new Health IT certification requirements which, through the use of application programming interfaces (APIs), would enhance patients’ access to their own health data through their smartphones at no cost.

Compliance deadlines were set for 2020, but health IT stakeholders expressed concern about meeting the deadlines due to the COVID-19 pandemic. On April 21, 2020, ONC announced that it would be exercising enforcement discretion with respect to the compliance deadlines and provided a further three months after the initial compliance dates for meeting all of the new requirements under the ONC Health IT Certification Program.

Due to the ongoing COVID-19 pandemic, ONC has now provided the healthcare ecosystem with further flexibility and time to respond to the COVID-19 public health emergency and has further extended the compliance deadlines outlined in its April 2020 enforcement discretion announcement.

“We are hearing that while there is strong support for advancing patient access and clinician coordination through the provisions in the final rule, stakeholders also must manage the needs being experienced during the current pandemic,” said Don Rucker, MD, national coordinator for health IT. “To be clear, ONC is not removing the requirements advancing patient access to their health information that are outlined in the Cures Act Final Rule. Rather, we are providing additional time to allow everyone in the health care ecosystem to focus on COVID-19 response.”

The new compliance deadlines are now as follows:

April 5, 2021

  • Information blocking provisions (45 CFR Part 171)
  • Information Blocking CoC/MoC requirements (§ 170.401)
  • Assurances CoC/MoC requirements (§ 170.402, except for § 170.402(b)(2) as it relates to § 170.315(b)(10))
  • API CoC/MoC requirement (§ 170.404(b)(4)) – compliance for current API criteria
  • Communications CoC/MoC requirements (§ 170.403) (except for § 170.403(b)(1) – where we removed the notice requirement for 2020)

December 31, 2022

  • 2015 Edition health IT certification criteria updates (except for § 170.315(b)(10) – EHI export, which is extended until December 31, 2023)
  • New standardized API functionality (§ 170.315(g)(10))

The deadline for submission of initial attestations (§ 170.406) and submission of initial plans and results of real world testing (§ 170.405(b)(1) and (2)) has been extended by one calendar year.

The post ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule appeared first on HIPAA Journal.

Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case.

An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules.

During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Health Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative.

While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health information of 498 patients, including names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. That file was downloaded onto the USB drive. The actions of the former employee were witnessed by an intern.

OCR investigators also determined that the former employee had shared her login credentials with an intern, who continued to use those credentials to access PHI on the network after the employee had been terminated.

Had the New Haven Health Department deactivated the former employee’s login credentials at the time of her termination, a data breach would have been prevented. If all users had been given their own, unique login credentials, it would have been possible to accurately determine the system activity of each individual and identify their interactions with electronic protected health information.

OCR concluded that between December 1, 2014 and December 31, 2018, HIPAA Privacy Rule policies and procedures had not been implemented, New Haven had not implemented procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends, and New Haven had failed to assign unique usernames and passwords to track user identity.

An accurate organization-wide risk assessment had not been performed to identify the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information and there had been an impermissible disclosure of the PHI of 498 individuals.
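The two control failures OCR describes above, credentials left active after a workforce member leaves and credentials that are not unique to one person, are the kind of thing an access review can catch mechanically. The following is an added example, not code from HIPAA Journal or from the City of New Haven: a small Python audit that takes a constructed account inventory and a constructed access log (the `Account` and `AccessEvent` records, usernames, dates and resource names are all hypothetical) and reports accounts still active past their owner's separation date, generic accounts with no single owner, and any access under a username on or after its owner's separation date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical record layouts for an HR-fed account inventory and an access log.
@dataclass
class Account:
    username: str
    owner: Optional[str]              # None marks a generic/shared credential
    active: bool
    termination_date: Optional[date]  # owner's separation date; None if still employed

@dataclass
class AccessEvent:
    username: str
    when: date
    resource: str

def unterminated_accounts(accounts, as_of):
    """Accounts still active even though their owner separated on or before as_of."""
    return sorted(a.username for a in accounts
                  if a.active and a.termination_date is not None
                  and a.termination_date <= as_of)

def shared_accounts(accounts):
    """Credentials with no single owner: activity under them cannot be attributed."""
    return sorted(a.username for a in accounts if a.owner is None)

def post_termination_activity(accounts, events):
    """Access under a username on or after the owner's separation date.
    The separation date itself counts: access is meant to end with employment."""
    cutoff = {a.username: a.termination_date
              for a in accounts if a.termination_date is not None}
    return [(e.username, e.when, e.resource) for e in events
            if e.username in cutoff and e.when >= cutoff[e.username]]

def audit(accounts, events, as_of):
    """Run all three checks and return the findings in one structure."""
    return {
        "unterminated": unterminated_accounts(accounts, as_of),
        "shared": shared_accounts(accounts),
        "post_termination": post_termination_activity(accounts, events),
    }

# Constructed sample data (not from any real system).
ACCOUNTS = [
    Account("jsmith", "J. Smith", active=True, termination_date=date(2016, 7, 27)),
    Account("mdoe", "M. Doe", active=False, termination_date=date(2016, 3, 1)),  # correctly disabled
    Account("intern1", "Intern A", active=True, termination_date=None),
    Account("frontdesk", None, active=True, termination_date=None),             # shared login
]
EVENTS = [
    AccessEvent("jsmith", date(2016, 7, 26), "schedule.xlsx"),     # day before separation
    AccessEvent("jsmith", date(2016, 7, 27), "std_results.csv"),   # separation day: flagged
    AccessEvent("jsmith", date(2016, 8, 15), "std_results.csv"),   # weeks later: flagged
    AccessEvent("intern1", date(2016, 8, 16), "schedule.xlsx"),
]

if __name__ == "__main__":
    for check, findings in audit(ACCOUNTS, EVENTS, date(2017, 1, 24)).items():
        print(f"{check}: {findings}")
```

Run against the constructed data, the audit reports `jsmith` as an unterminated account, `frontdesk` as a shared credential, and two `jsmith` events on or after the separation date. Whoever was actually typing during those later events is exactly what the shared-credential finding says the logs cannot tell you, which is why the unique-user-ID requirement and the termination procedure are checked together.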

In addition to the financial penalty, the City of New Haven has agreed to adopt a corrective action plan to address all areas of noncompliance. OCR will monitor the City of New Haven for HIPAA compliance for two years from the date of the resolution agreement.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The settlement is the 4th to be announced by OCR in October 2020, and the 15th HIPAA financial penalty of 2020.

The post Failure to Terminate Former Employee’s Access Rights Results in $202,000 HIPAA Fine for New Haven, CT appeared first on HIPAA Journal.

TigerConnect Survey Confirms Widespread Support for Telehealth Among Providers and Patients

The coronavirus pandemic has resulted in a major increase in healthcare providers offering telehealth services to patients. Virtual visits are being offered to reduce the number of patients visiting hospitals and physician offices, limiting transmission of the virus and protecting patient safety. The increase in use is out of necessity, but new research confirms telehealth services are popular with providers and patients alike.

TigerConnect, the provider of the most widely adopted communication platform in healthcare, recently commissioned a comprehensive Harris Poll survey to explore attitudes to telehealth among patients and healthcare providers. The survey was conducted on 2,039 U.S. adults aged 18 or older between July 23-27, 2020 and 500 healthcare clinicians between June and July 2020.

88% of healthcare providers who were already offering telehealth services to patients saw an increase in the use of telehealth services due to the coronavirus pandemic, with 71% of providers saying there was a large increase in use. It is understandable that so many providers and patients have embraced telehealth in order to reduce infection risk and prevent transmission of the virus, but even when the pandemic is over it is likely that use of telehealth services will continue at the same or even an increased level. Over two thirds of providers (71%) believe use of telehealth services will continue at the same or even a higher level when the pandemic is over.

There is also strong support for telehealth services among patients. 87% of patients who tried telehealth said they were satisfied with the experience, with 7 out of 10 patients saying it is important for providers to offer telehealth services to patients. Many patients appear to prefer virtual visits to in-person visits. Only 40% of patients said they prefer to meet their providers face to face.

Patients may be apprehensive about trying telehealth, but once they have their first virtual visit they are keen to go virtual again. Patients who have had one telehealth or video consultation in the past year were twice as likely to express a strong preference for a virtual visit over an in-person visit.

When patients were asked if there was anything about telehealth they did not like, almost half of patients could not think of a single criticism about their experience. The main advantages of telehealth among patients were convenience (50%), allowing appointments to be kept that may otherwise have been cancelled (36%), and the ease at which health check-ups could be scheduled (34%). 52% of patients said they believe telehealth was a safe alternative to an in-person office visit.

Boomers (Over 55s) and Gen Z (Under 24s) were the age groups least satisfied with telehealth. The most common complaint among Boomers was excessive complexity, while the most common complaint with Gen Z users was a lack of features, showing there is clearly further scope for refinement.

The survey of clinicians revealed a highly fragmented market, with 140 different telehealth solutions in use. 14% of respondents said they are currently using multiple telehealth solutions. That may well change after the pandemic is over and the notice of enforcement discretion of the HHS’ Office for Civil Rights expires. The notice of enforcement discretion for telehealth services temporarily allowed telehealth solutions to be used that may not be fully compliant with HIPAA requirements.

65% of respondents said they were happy with their current telehealth solutions and almost 90% of users of the TigerConnect platform said they were happy with the TigerConnect platform.

The survey also revealed there is strong bipartisan support for telehealth, with 77% of Democrats and 66% of Republicans believing healthcare providers should offer telehealth services to patients. There are still some challenges to overcome to ensure that telehealth services are accessible to all. 53% of surveyed patients living in urban areas had utilized telehealth services compared to just 31% of patients in rural areas, which suggests there may be issues with broadband availability and cellular reception in rural areas which is limiting uptake.

“The people have spoken: telehealth is here to stay,” said TigerConnect CEO Brad Brooks. “The overnight move to telehealth is one of the fastest cultural shifts in healthcare in decades, and this research reveals it has already transformed the habits of millions of Americans who can now access great healthcare as easily as they can catch a ride to the airport. It’s up to our industry to seize this moment and ensure that it’s as easy as possible for anyone to access or administer world-class healthcare anywhere and anytime to improve health outcomes for all Americans.”

The post TigerConnect Survey Confirms Widespread Support for Telehealth Among Providers and Patients appeared first on HIPAA Journal.

Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued an advisory warning about increased Ryuk ransomware activity targeting the healthcare and public health sector.

Credible evidence has been obtained indicating an increased and imminent threat to hospitals and healthcare providers in the United States. The advisory details some of the tactics, techniques, and procedures (TTPs) used by the operators of Ryuk ransomware and other cybercriminal groups who are assisting with the distribution of the ransomware to help the healthcare sector manage risk and protect their networks from attacks.

The advisory explains that Ryuk ransomware is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is a banking Trojan that was first identified in 2016 that has since been updated with a host of new functions. In addition to stealing banking credentials, TrickBot is capable of mail exfiltration, cryptomining, data exfiltration from point of sale systems, and acts as a downloader of other malware variants, notably Ryuk ransomware.

In 2019, the FBI identified a new module had been added, named Anchor, which sends and receives data from victim machines using DNS tunneling, allowing communications with its command and control infrastructure to go undetected by many security solutions. The advisory provides indicators of compromise (IoCs) to help network defenders identify TrickBot infections.

Once Ryuk ransomware has been deployed, common off-the-shelf products such as Cobalt Strike and PowerShell Empire are used to steal credentials. “Both frameworks are very robust and are highly effective dual-purpose tools, allowing actors to dump clear text passwords or hash values from memory with the use of Mimikatz,” explained CISA in the alert. “This allows the actors to inject malicious dynamic-link library into memory with read, write, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation.”

The Ryuk threat actors use living-off-the-land techniques, using tools such as net view, net computers, and ping to find mapped network shares, domain controllers, and Active Directory. Native tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP) are often used to move laterally through the network, along with third-party tools such as BloodHound.

The attackers will identify and shut down security applications to prevent detection of the ransomware and may even manually remove certain security applications that would otherwise stop the ransomware from executing. Attempts are also made to delete backup files and Volume Shadow Copies to prevent victims from recovering their files without paying the ransom.
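Several of the post-compromise behaviours the advisory lists, shadow copy deletion, changes to the Windows Defender exclusion list, scheduled task and service creation, and share discovery with net view, all show up in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688) as recognisable command lines. The block below is an added example written for this page, not code from CISA, the FBI, HHS or HIPAA Journal: it runs a small set of command-line rules over constructed process events, groups the matched behaviours per host, and escalates any host that shows two or more distinct categories, since a single match (an administrator running net view, say) is routine but the combination is the pattern the advisory describes. Host names, user names and the sample command lines are all constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical shape of a process-creation event after log parsing.
@dataclass
class ProcessEvent:
    host: str
    user: str
    command_line: str

# One rule per behaviour named in the advisory, keyed to the native Windows
# command through which that behaviour usually surfaces in process telemetry.
RULES = [
    ("shadow-copy-deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("defender-exclusion-change",
     re.compile(r"\b(Set|Add)-MpPreference\b.*-Exclusion", re.I)),
    ("scheduled-task-creation",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("service-creation",
     re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    ("network-discovery",
     re.compile(r"\bnet(\.exe)?\s+view\b", re.I)),
]

def match_rules(event):
    """Categories whose pattern appears in this event's command line, in rule order."""
    hits = []
    for category, pattern in RULES:
        if pattern.search(event.command_line) and category not in hits:
            hits.append(category)
    return hits

def categories_by_host(events):
    """Distinct matched categories observed on each host across the event set."""
    seen = defaultdict(set)
    for ev in events:
        for category in match_rules(ev):
            seen[ev.host].add(category)
    return dict(seen)

def hosts_to_escalate(events, threshold=2):
    """Hosts showing at least `threshold` different categories: one match is
    often benign administration, several together match the advisory's chain."""
    return sorted(host for host, cats in categories_by_host(events).items()
                  if len(cats) >= threshold)

# Constructed sample telemetry (not captured from any real incident).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\svc_backup",
                 "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent("WS01", "CORP\\svc_backup",
                 "powershell.exe Set-MpPreference -ExclusionPath C:\\Users\\Public"),
    ProcessEvent("WS01", "CORP\\svc_backup",
                 "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\update.bat /sc daily"),
    ProcessEvent("WS02", "CORP\\alice", "net view /domain"),          # lone discovery: low priority
    ProcessEvent("WS03", "CORP\\bob", "vssadmin.exe list shadows"),   # listing, not deleting
    ProcessEvent("WS03", "CORP\\bob", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, cats in sorted(categories_by_host(SAMPLE_EVENTS).items()):
        print(host, sorted(cats))
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

On the constructed events only WS01 is escalated: it shows shadow copy deletion, a Defender exclusion change and scheduled task creation together. WS02's lone net view is recorded but not escalated, and WS03 produces no match at all because listing shadow copies is not the behaviour the rule targets. In production the same grouping would be done per host within a time window rather than over the whole event set, and the patterns would be tuned against the organisation's own administrative baseline.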

You can view the advisory, IoCs, and suggested mitigations on this link.

Ryuk Operators Transition to Malware as a Service Tool for Distributing Ransomware

While not detailed in the recent advisory, evidence has been found to indicate the operators of Ryuk ransomware are transitioning away from TrickBot and are now using a malware-as-a-service tool to deliver their ransomware payload.

Security firm Sophos has reported the Buer loader is now being used to deliver Ryuk ransomware. The Buer loader first started to be advertised on hacking forums in August 2019 to other malware operators for use in delivering malware and ransomware payloads. According to the Sophos researchers, the operators of TrickBot have been using the Buer loader for several months.

The Buer loader is primarily distributed using phishing emails, often using malicious Word documents. Sophos notes that the Buer loader uses PowerShell commands to change settings on Windows devices to evade detection, including modifying the Windows Defender exclusion list. A dropper is used to place Buer in memory and execute the loader, which downloads Ryuk ransomware.

While the Buer loader is being used for the initial compromise to gain a foothold in networks, the tactics used by the Ryuk operators once access to the network is gained remain the same.

The post Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector appeared first on HIPAA Journal.