Skip to content
twinstate technologies managed services blog wave
Evan ClarkNov 2, 2020 9:32:18 AM4 min read

What is Ryuk? The New Ransomware Targeting Hospitals

Healthcare providers across the United States are facing "an increased and imminent cybercrime threat," according to an alarming report from CISA, FBI, and HHS. The threat comes in the form a new strain of ransomware, Ryuk, that is targeting hospitals and healthcare providers specifically. Ryuk is more aggressive and persistent than past strains of ransomware. Previous strains such as SamSam ransomware (responsible for the Atlanta ransomware attack) wreaked havoc on organizations but Ryuk is inflicting even more damage.

All organizations should protect themselves from ransomware, but today it is critical for healthcare providers to get protected from Ryuk. Ryuk is different from  other viruses in that it not only encrypts its victim's information, this ransomware takes the additional step of exfiltrating data to the hackers, compromising confidential information. This exfiltrated data can be used for blackmail or to demand further ransom payments. This is of grave concern to organizations that transmit and store sensitive information such as patient health records, student PII, payment info, and intellectual property.

Firewall Best Practices to Block Ransomware

How Does Ryuk Work? 

Hackers infiltrate their victim’s network through a weak Remote Desktop Protocol (RDP) password or phishing. 

SNL Kanye West Passcode GIF

Remote Desktop Protocol, for those who don't use it, basically mirrors the screen and keyboard of one computer (your local PC) on to a computer at another remote location. When you move the mouse from the remote location, it moves on your local PC. Pop up a software dialog on the remote system and the screen updates happen on your local desktop. It’s almost as good as being right there.

Many of the millions of RDP servers connected to the internet are protected by no more than a password, and most of those passwords are easy enough to be guessed. Leaving RDP open to the internet with a weak password is therefore a little bit like giving the anyone world a seat in the corner of your server room

RDP password guessing shouldn’t be a problem – it isn’t new, and it isn’t sophisticated – and yet there's a criminal ecosystem that thrives on it.

Next, they escalate their privileges to the admin level. 

hacker having fun GIF

With their privileges escalated to the administrative levels the attackers use RDP to connect to the domain controller with their admin credentials. They drop a folder on the domain controller, wait a few hours, and run a PowerShell code to set the attack in motion. For the security geeks out there, the attackers conceal their malicious traffic using a SOCKS5 proxy called System BC.

With their new privileges the hackers can overcome security software and disseminate the ransomware as far as possible before encrypting victims files. 

Lisa Simpson sharing her spoils GIF

The malware spreads and scans the network, identifying which systems are active and checking what anti-virus software is running on the system. Files are then exfiltrated, downloaded by the hackers, and encrypted making them unreadable and unusable to any user.

Finally, the attackers leave ransom notes demanding payment to decrypt the victim's files. 

Austin Powers One Million Dollars ransom GIF

Ryuk racked up $61 million in ransom payments in 2019 alone according to the FBI. The malware can inflict so much damage that victims often have no option but to pay the requested ransom which averages between $50,000 -$170,000. And that's just to start. The costs associated with a full ransomware recovery can easily spiral into the millions. In many cases, the price of the ransom may be the least expensive cost you incur to recover.

Ryuk Prevention and Ransom Payments 

Currently, the attackers are specifically targeting healthcare providers. However, that doesn't mean Ryuk only matters to hospitals. Since 2018 the perpetrators behind Ryuk have targeted any victims who can pay large sums. Reports reveal a list of victims in sectors like finance, commodities, manufacturing, government entities, and healthcare. 

Unfortunately, some companies have had to pay multiple ransoms after being infected by Ryuk -- once to decrypt their data and regain access to it, and a second time to prevent the hackers from leaking the stolen information. Ransomware is not going away. In fact, Ryuk demonstrates that it is rapidly evolving and developing greater abilities to infiltrate networks and inflict massive amounts of damage.  To prevent Ryuk, organizations need greater abilities from their cybersecurity including endpoint protection with anti-ransomware security.

It doesn't matter what industry you're in or where you're located. Any organization can be a victim of Ryuk ransomware. The need for protection has never been higher. Twinstate Technologies provides the and anti-ransomware technologies need to protect businesses in Albany, NY, Burlington, VT, Concord, NH, Aurora, CO, and throughout the United States.

Twinstate can walk you through best practices that will put you in strong position to defend your patient health data from ransomware. If you have any questions, comments, or feedback reach out to us at