Experts provide insight below on the cyberattack that took place on Universal Health Services in the early hours of Sunday morning.
EXPERTS COMMENTS
Bindu Sundaresan, Director, AT&T Cybersecurity
September 30, 2020
If Universal Health Services has been targeted by Ryuk ransomware, it is worth noting how this ransomware has crippled both the public and private sectors. It is known for targeting enterprise organizations with the intention of demanding higher payments for the decryption key. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. A commodity malware, Hermes has been observed for sale on forums and used by multiple threat actors. The ransomware will typically be dropped by an already compromised system that has been infected by Trickbot or Emotet through a phishing email. Once the Ryuk payload has been successfully dropped and executed, it will encrypt the system’s files and then demand a ransom fee in order to decrypt the victim’s data. Many ransomware attacks today have evolved to double extortion. Usually, the attacker would exfiltrate a copy of the data before encrypting it. This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves. In order to claim responsibility and pressure the victim during the negotiation process, the attacker will often release small portions of the data online. If the negotiation turns out badly, the attacker then publishes all of the exfiltrated data or sells it to third parties. These attacks are essentially a combination of a ransomware attack and a data breach.
Organizations that are victims of this attack feel extremely helpless when hit by double extortion attacks because their compromised databases likely contain proprietary or secretive information that they would rather have destroyed than published or sold. So, it's a double threat. By releasing a small sample, it is easy for an attacker to imply they have your data, though very difficult to prove forensically because most organizations don’t have that layer of visibility. This puts on another pressure point, and if the impacted organization has implemented a Data Loss Prevention (DLP) solution, it can be easily validated that hackers have also downloaded the entire database. With that said, since this tactic is relatively new, there are no real data points for either the attacker or the defender that say it increases the payout potential of the victim.
