Ryuk strikes again, this time hitting Virtual Care Provider Inc. (VCPI), an IT company that provides cloud data hosting, security and access management to more than 100 nursing homes across the United States and maintains approximately 80,000 computers and servers. Ryuk keeps building its reputation as ransomware that targets service providers, mostly those supplying cloud data services to other companies. The damage is extensive: access to crucial medical records is blocked, making it severely difficult to provide adequate medical treatment.
The Ryuk attack was launched on November 17, encrypting all data VCPI hosts and demanding a devastating ransom of 14 million dollars in exchange for the key needed to decrypt the data. VCPI owner Karen Christianson said in an interview with KrebsOnSecurity that the company can’t afford to pay the ransom, and that their main efforts are now invested in restoring their customers’ access to their medical records. On top of this, the company itself is trying to recover from the loss of functions such as running payroll.
At the moment, some of VPCI costumers can’t get drugs and perform billing, which means that if not sorted soon, those facilities will have to close their doors. Those are extremely bad news for all of those nursery costumers, but most of all, to the seniors that don’t have anywhere else to go.
This is a perfect example of how cyber attacks can directly affect human life. Ryuk attacks are becoming far too common. Most companies affected by Ryuk are compromised for months or even years before the attacker leverages that access to map out the targeted company’s network and reach key resources and backups. The initial infection usually comes from a phishing campaign that is used to download additional malware such as Trickbot and Emotet. After the system gets infected, a misconfigured Active Directory is the key component that allows the intruders to get to sensitive data and do real damage. In fact, right up until the ransomware was deployed this attack was completely preventable, if only the company had been looking for signs of an intrusion.
The best way to protect your organization is by ensuring proper network segmentation and monitoring changes to servers’ configuration. According to Koester, every NVA hospital runs its IT operations in its own way, so there is no central control over IT security habits in the organization.
Network segmentation is a basic tactic for protecting your IT network against malware. To ensure you don’t lose your drives and resources when a single endpoint gets infected, segment access to specific servers and files. Grant admins the minimum privileges possible, allowing them to do only what they need for their role.
In a branched organization, local admins most often have privileges over servers’ configuration settings, making it hard for management to keep track of changes being made. By monitoring your servers’ configuration changes you can track suspicious changes and recognize hostile activity in your IT infrastructure.
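One way to implement the configuration-change monitoring described above, as an added example that is not code from the article or from VCPI: the script below records a SHA-256 digest of every file under a configuration directory as a baseline, and on the next run reports which files were added, removed or modified since that baseline. The directory layout, file names and contents used in `demo()` are constructed for the example and do not come from any real incident.

```python
"""Baseline-and-diff monitor for server configuration files (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (as a relative path) to its digest."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline; keep this file where the monitored hosts cannot write."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a fake config directory, change it, re-check.

    File names and contents are made up for this example (hypothetical host).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "sudoers").write_text("admin ALL=(ALL) ALL\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        # The baseline lives outside the monitored tree so it is not hashed itself.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift between two monitoring runs: one setting weakened,
        # one file deleted, one unexpected file appears.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "hosts").unlink()
        (root / "new_service.conf").write_text("enabled=true\n")

        return diff_baseline(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8} {p}")
```

Run it on a schedule against the real configuration directories, store the baseline on a host the local admins cannot modify, and route every non-empty diff to whoever approves changes; a modification that nobody requested is exactly the kind of signal the article says VCPI was not looking for.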
VCPI’s CEO said they’re planning to document and publish everything they are going through once they are no longer under attack. For now they are focusing on getting the attack under control.