Ryuk Operators Obtain Payment from DCH Health System

Delaware, USA – October 7, 2019 – Last week, three hospitals of the DCH Health System were attacked by the Ryuk gang and were forced to close the doors and accept only critical patients. The attack took place on October 1, and for several days IT personal with the help of law enforcement and independent IT security experts restored the systems from the remaining backups, but at the weekend the DCH Health System administration decided to pay a ransom to get a decryptor. Even with the decryptor, the restoration of the full working capacity of hospitals will still take much time, as adversaries managed to encrypt thousands of systems. How much the Ryuk gang demanded and how much of this amount the insurance will cover is not known. Attackers may have turned their attention to the healthcare sector after Sodinokibi ransomware took a cut after the successful attack on cloud management provider for Digital Dental Record, and the US Conference of Mayors adopted the resolution to no longer pay adversaries for decrypting files.

The Healthcare sector has long been in the sights of ransomware gangs, as the victim is at stake not only in financial and reputational losses but in patients’ lives and wellness too. In the past, the infamous SamSam group actively attacked hospitals, but now the healthcare sector has attracted the attention of ransomware scene sharks: Ryuk and Sodinokibi, and new large-scale attacks on organizations should be expected. You can use the free rules available on the Threat Detection Marketplace to detect Ryuk ransomware:
Ryuk Ransomware – https://tdm.socprime.com/tdm/info/2355/
Ryuk Ransomware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2298/
It is also recommended that you use the rule for Emotet malware detection to stop the attack before cybercriminals cause any damage: https://tdm.socprime.com/tdm/info/2417/