In September, hundreds of health care centers operated by the Universal Health Services network were hit by Ryuk ransomware. In October, the University of Vermont Health Network announced it had been forced to revert to using paper records due to an attack with the same malware. The Sky Lakes Medical Center in Oregon, the St. Lawrence Health System in New York, and the Dickingson County Healthcare System in Michigan and Wisconsin all confirmed they had fallen victim to Ryuk as well, interfering with their ability to provide patient care and forcing them to fall back on manual work-arounds as they lost access to their digital systems. At the heart these attacks was one particularly malicious bit of code—the Ryuk ransomware—and a campaign of phishing emails containing links to Google Drive documents that, once opened and enabled, would deliver Ryuk to the victims’ computers. While the Ryuk ransomware is not hosted in Google documents, the documents are used to direct viewers to download the malware from another source by tricking them into believing they are just “enabling” content in the Google Drive document. But when they click to enable that content they end up downloading the malware.
Since many ransomware victims don’t publicize or confirm these attacks, it can be hard to assess exactly how much damage Ryuk has caused, but one recent estimate suggested that it was responsible for one-third of all ransomware attacks so far this year. Despite extensive efforts to undermine the Ryuk distribution infrastructure, the combination of phishing emails and infected Google Drive documents has enabled cybercriminals to continue spreading the malware unabated. It’s a warning that we need to be much more cautious around Google docs, and also a reminder of just how easily criminals can pivot in their distribution methods when one pathway is cut off for them.
On Oct. 12, Microsoft announced that it had obtained a court order and taken measures to shut down Trickbot, a botnet comprised of thousands of infected computers used to distribute the Ryuk strain of ransomware, among other malicious activities. No one expected the take down to permanently stop the criminals spreading Ryuk, but it was the kind of coordinated, large-scale operation that might have been reasonably expected to at least significantly delay the criminals who relied on Trickbot, forcing them to rebuild fairly extensive infrastructure for distributing malware.
And yet, barely more than two weeks after Microsoft’s announcement, on Oct. 28, the FBI, the Department of Health and Human Services, and Department of Homeland Security issued a joint cybersecurity advisory warning that the criminals behind Ryuk and Trickbot were operating more aggressively than ever, targeting hospitals and other health care organizations with Ryuk and Conti strains of ransomware. It was a devastating reminder not just of how vulnerable hospitals computer networks are during the Covid-19 pandemic, but also of how resilient cybercrime organizations to even the most carefully planned and executed countermeasures, like the Trickbot takedown.
An October analysis from security firm Sophos analyzes in detail the ways that the Ryuk operators shifted their tactics away from Trickbot. Increasingly, Sophos pointed out, Ryuk seemed to be relying on infected Google Drive documents to deliver their initial malware. In a targeted phishing email sent in September, for instance, the attackers sent employees at a company messages with a link to a Google document, supposedly a financial statement. According to the government’s advisory, “This document usually references a failure to create a preview of the document and contains a link to a URL hosting a malware payload in the form of a misnamed or multiple extension file.”
The Sophos report on Ryuk makes clear just how much of an uphill battle preventing these emails from being opened is. Even though all of the email defenses implemented by the company they looked at were working as expected, it was still not enough, Sophos found.
“The email was tagged with external sender warnings by the company’s mail software. And multiple instances of the malicious attachment were detected and blocked,” according to the firm’s analysis. “But one employee clicked on the link in the email that afternoon. The user opened the document and enabled its content, allowing the document to execute print_document.exe—a malicious executable identified as Buer Loader.”
There were so many safeguards in place—the external sender warnings, the deactivation of the Google document’s content—and still, just one recipient willing to ignore those warning signs can be enough to undo all those layers of protection.
Buer Loader, the malicious code that the infected Google doc executed, is what’s known as a “malware-as-a-service downloader”—in other words, just as you can now buy “software-as-a-service” (e.g., an ongoing subscription to software), so, too, can criminals purchase malware in the same fashion, outsourcing the work of finding new vulnerabilities and writing code to exploit them. (According to Sophos, Buer Loader sold for $350, “with add-on modules and download address target changes billed separately.”) This malware-as-a-service model is part of what enables criminals to adapt so quickly to takedowns and software patches by simply purchasing a new product, but it’s also a potential vulnerability for those same criminals.
Part of the point of ransomware is that it helps cybercriminals avoid online black market forums where they would have to sell stolen data like payment card numbers or social security numbers. Many of those forums are well known to law enforcement and have been used to identify, and in some cases even arrest, the perpetrators of large-scale data breaches. Selling stolen data on the black market is traditionally a weak point of cybercriminals’ business model, but ransomware lets them get around that—they’re asking for payment directly from victims. Buying malware-as-a-service, however, could potentially bring these criminal groups back into the orbit of these black market online forums and thereby create another opportunity for law enforcement to track them and their tools.
It might also be possible to find creative ways to crack down on criminals’ use of Google docs in this latest distribution scheme—not just by warning people about links to Google docs in emails, but also potentially by restricting emails that contain links to Google drive-hosted files. But it’s hard not to feel, given Ryuk’s quick pivot away from Trickbot, that any such solutions are likely to be frustratingly short-lived.
Nov. 3, 2020: This article was updated to clarify the role a Google Doc plays in spreading the malware.