As an update to the recent post, "Educational Institutions Worldwide Are Experiencing a Spike in Ransomware Attacks," please be advised that the FBI and DHS (U.S. Department of Homeland Security) have issued a joint advisory stating that Ryuk, a Russian cybercriminal gang, is preparing to release ransomware targeting those in the healthcare sector. We anticipate possible impacts in other sectors and are sharing the following information:
Ransomware is malware that will encrypt all files on a device and connected systems, and is commonly deployed via malicious links and attachments in phishing messages. To protect yourself from the threats posed by this type of malware, you should:
- Regularly back up systems/devices so you can restore from backups if infected.
- Update/patch devices/systems regularly (on a trusted network), as updates address known vulnerabilities.
- Use antivirus/malware protection software, which will protect you from known threats. Use of antivirus/malware protections is required for all desktops and laptops connecting to NYU-NET. For information on NYU-sponsored antivirus/malware protection, please visit www.nyu.edu/it/antivirus.
- Avoid clicking on any unexpected links or attachments.
- Only download from trusted sources (Apple's App Store or Google Play) on a trusted network.
IoCs (indicators of compromise) have not been identified for Ryuk ransomware because the malware infrastructure tends to be unique for each victim. However, Mandiant has released the following list of domains and internet addresses used by Ryuk in previous attacks this year, and IoCs exist for the Trickbot trojan, which can deliver Ryuk ransomware. For more information on Trickbot IoCs, please see the above-referenced joint advisory.
If a ransom message is displayed on your screen or your file extensions have begun to change, immediately disconnect from connected systems (if possible), power off your device, and contact your local IT admin and security@nyu.edu.
Additional Resources:
- SANS Webcast: Spooky RYUKy: The Return of UNC1878
- https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/
- https://www.washingtonpost.com/national-security/hospitals-being-hit-in-coordinated-targeted-ransomware-attack-from-russian-speaking-criminals/2020/10/28/e6e48c38-196e-11eb-befb-8864259bd2d8_story.html
- https://wp.nyu.edu/itsecurity/2020/01/27/emotet-trickbot-malware-being-delivered-via-phishing-messages-worldwide/