
Security Advisory for Ryuk Ransomware


The Cybersecurity & Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Health and Human Services (HHS) released a new advisory on October 28th about ransomware activity targeting the Healthcare and Public Health Sector. The advisory discusses the tactics, techniques, and procedures (TTPs) used by the threat actors targeting this sector, and states that they are using Trickbot malware, which often leads to ransomware attacks (in this case the Ryuk ransomware), data theft, and the disruption of healthcare services.

TrickBot Malware

In early 2019, the FBI began observing new Trickbot variants named “Anchor”, which are typically used in targeting high-profile victims. These attacks often involved data exfiltration from networks and point-of-sale devices. The Anchor toolset includes a tool named “Anchor_DNS”, which sends and receives data from victim machines using DNS tunneling. Anchor_DNS is a backdoor that allows victim machines to communicate with command and control (C2) servers over DNS in order to evade security tools, by blending its malicious communications with legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications; the observed key is 0xB9.


Indicators of Compromise

After successful execution, Trickbot copies itself as an executable with a random 12-character file name and the .exe extension, and places it in one of the following directories:

  • C:\Windows\ 

  • C:\Windows\SysWOW64\ 

  • C:\Users\[Username]\AppData\Roaming\

Trickbot will also drop a file named “anchorDigag.txt” in one of the above directories. During its initial network communications, Trickbot sends information about the victim's machine such as the hostname, IP address, OS version, and GUID.

The malware uses scheduled tasks that run every 15 minutes to maintain persistence on the victim machine. The task name consists of a random folder name in %APPDATA% followed by ‘autoupdate#’ and 5 random digits, for example “Task autoupdate#19203”.

After successful execution, Anchor_DNS further deploys malicious batch scripts (.bat) using PowerShell commands. The purpose of these scripts is to hide the malware's tracks by self-deleting the Trickbot malware from the system.

The following domains, found in outbound DNS records, are associated with Anchor_DNS:

  • kostunivo[.]com 

  • chishir[.]com 

  • mangoclone[.]com 

  • onixcellent[.]com 


This malware used the following legitimate domains to test internet connectivity:

  • ipecho[.]net 

  • api[.]ipify[.]org 

  • checkip[.]amazonaws[.]com 

  • ip[.]anysrc[.]net 

  • wtfismyip[.]com 

  • ipinfo[.]io 

  • icanhazip[.]com 

  • myexternalip[.]com 

The Anchor_DNS malware historically used the following C2 servers:

  • 23[.]95[.]97[.]59 

  • 51[.]254[.]25[.]115 

  • 193[.]183[.]98[.]66 

  • 91[.]217[.]137[.]37 

  • 87[.]98[.]175[.]85 


Ryuk Ransomware

Typically, Ryuk has been deployed as a payload from banking Trojans such as Trickbot. While negotiating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such as Cobalt Strike and PowerShell Empire—in order to steal credentials. In order to maintain persistence in the victim environment, Ryuk actors have been known to use scheduled tasks and service creation. 

Ryuk actors will quickly map the network in order to enumerate the environment and understand the scope of the infection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if possible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain controllers, and Active Directory.

In order to move laterally throughout the network, the group relies on native tools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (RDP). The group also uses third-party tools, such as BloodHound.

Once dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt the AES key. The Ryuk dropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup snapshots made by Windows), preventing the victim from recovering encrypted files without the decryption program. In addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. 

The Ryuk ransomware will also place a file named RyukReadMe on the system after the ransomware has executed. This is the ransom note, which provides details on how to contact the attackers to pay the ransom.



  • CISA recommends that healthcare organizations maintain, review, practice, and update (if necessary) their business continuity plans. Evaluating continuity and capability will help identify continuity gaps; by identifying and addressing these gaps, organizations can establish a viable continuity program that will help keep them functioning during cyberattacks or other emergencies.

  • Ensure you have an Incident Response Plan that is up to date and has been practiced. The Incident Response Plan will be useful in the event of a compromise.

  • System administrators who have indicators of a Trickbot network compromise should immediately take steps to back up and secure sensitive or proprietary data. Trickbot infections may be indicators of an imminent ransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence of a Trickbot infection, review DNS logs and use the XOR key of 0xB9 to decode XOR-encoded DNS requests to reveal the presence of Anchor_DNS, and maintain and provide relevant logs.

  • Focus on awareness and training. Because end users are targeted, make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities. 

  • Ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack. This will ensure that the proper established mitigation strategy can be employed quickly and efficiently. 
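The DNS log review recommended above, and the single-byte XOR cipher described in the TrickBot section, as an added example that is not code from this page or from CISA. It assumes a simple one-query-per-line log format (`timestamp client query TYPE qname`) and that the XOR-encoded bytes appear hex-encoded in the subdomain labels in front of the Anchor_DNS domain; both are assumptions, and the sample log is constructed.

```python
import re

# Anchor_DNS domains listed in the advisory (defanging brackets removed).
ANCHOR_DOMAINS = {"kostunivo.com", "chishir.com", "mangoclone.com", "onixcellent.com"}
XOR_KEY = 0xB9  # single-byte XOR key the advisory reports for Anchor_DNS

def xor_bytes(data, key=XOR_KEY):
    """Apply the single-byte XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)

def registered_domain(qname):
    """Last two labels of a query name: 'a.b.kostunivo.com.' -> 'kostunivo.com'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def decode_payload_labels(qname, key=XOR_KEY):
    """Assumption (not stated on the page): the XOR-encoded bytes travel hex-encoded
    in the subdomain labels ahead of the registered domain. Join those labels,
    un-hex them and XOR with the key; return None if there is nothing to decode."""
    hexdata = "".join(qname.rstrip(".").split(".")[:-2])
    if not hexdata or len(hexdata) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexdata):
        return None
    return xor_bytes(bytes.fromhex(hexdata), key).decode("ascii", errors="replace")

# One query per line: "<timestamp> <client-ip> query <type> <qname>" (assumed format).
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")

def scan_dns_log(lines, key=XOR_KEY):
    """Return (client, qname, decoded_payload) for every query to an Anchor_DNS domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and registered_domain(m.group("qname")) in ANCHOR_DOMAINS:
            qname = m.group("qname")
            hits.append((m.group("src"), qname, decode_payload_labels(qname, key)))
    return hits

# Constructed sample log. The beacon label is built here by XOR/hex-encoding a
# made-up host identifier, so the decoding step can be checked end to end.
SAMPLE_BEACON = xor_bytes(b"WS01|10.1.2.3").hex()
SAMPLE_LOG = [
    "2020-10-28T12:00:01Z 10.1.2.3 query A www.example.com",
    f"2020-10-28T12:00:02Z 10.1.2.3 query TXT {SAMPLE_BEACON}.kostunivo.com",
    "2020-10-28T12:00:03Z 10.1.2.4 query A api.ipify.org",
]

if __name__ == "__main__":
    for src, qname, decoded in scan_dns_log(SAMPLE_LOG):
        print(f"{src} -> {qname}  decoded={decoded!r}")
```

Queries to the connectivity-check domains listed earlier (ipify and the like) are not flagged on their own, since legitimate software uses them too; they are only corroborating context next to a hit on an Anchor_DNS domain.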


Best Practices

  • Patch operating systems, software, and firmware as soon as manufacturers release updates. 

  • Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts. 

  • Use multi-factor authentication where possible.  

  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs. 

  • Implement application and remote access allow-listing to only allow systems to execute programs known and permitted by the established security policy.

  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind. 

  • Audit logs to ensure new accounts are legitimate. 

  • Scan for open or listening ports and mediate those that are not needed. 

  • Identify critical assets; create backups of these systems and house the backups offline from the network. 

  • Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment. 

  • Set antivirus and anti-malware solutions to automatically update; conduct regular scans. 

  • Regularly back up data, air gap, and password protect backup copies offline.  

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location. 

  • It is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup procedures should be conducted on a regular basis. It is important that backups be maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups. Maintaining offline, current backups is most critical because there is no need to pay a ransom for data that is readily accessible to your organization. 




If you have any questions or concerns regarding this, please reach out to us directly at 716-600-3724 ext. 2 to talk to our SOC staff.
