Some 20 medical facilities have reportedly been hit by a recent wave of ransomware, including the University of Vermont Medical Center. Today’s columnist, Craig Sanderson of Infoblox, offers security teams at medical facilities a strategy for combating ransomware. (Credit: University of Vermont Medical Center)

The medical community has been warned: on October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and Health and Human Services (HHS) published "Ransomware Activity Targeting the Healthcare and Public Health Sector" to alert the community that malicious actors are once again using the Ryuk ransomware against medical organizations.

The federal advisory's analysis highlights how the anchor_dns tool at the core of the Ryuk campaign uses DNS as the control plane to deliver and execute the PowerShell scripts that lie at the heart of the attack. All security pros know that DNS serves as the main control plane by which most adversaries send commands to compromised machines, as described in the MITRE ATT&CK framework. More significantly, this campaign shows that adversaries are also exploiting DNS for data exfiltration, following the path of earlier malware campaigns that targeted retail point-of-sale systems. Organizations rarely focus on DNS, preferring to point next-generation firewalls and other security platforms at HTTP and email. Anchor_dns avoids those platforms by using DNS to smuggle data out undetected, knowing that most traditional security platforms lack the means to differentiate between legitimate and malicious DNS requests.
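The difficulty the column describes, telling tunnelled data apart from ordinary lookups, is where DNS-side detection starts. The following is an added example written for this page; it is not code from the article, from Infoblox, or from the federal advisory. It assumes BIND-style query log lines (the `client IP#port: query: name IN TYPE` shape), uses constructed hostnames and a made-up zone name, and scores each zone on the features commonly used to surface DNS tunnelling: a high share of never-repeated subdomains, high-entropy and unusually long labels, and heavy use of record types whose responses can carry arbitrary payloads. The two-label zone split is a simplification that ignores public suffixes such as co.uk.

```python
import math
import re
from collections import defaultdict

# Assumed BIND-style query log format; the regex captures client, name and type.
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)")

# Record types whose answers can carry arbitrary payloads back to a client.
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME"}

# Constructed sample log: an ordinary hospital zone plus a made-up zone receiving
# one-off, long, high-entropy TXT queries from a single host.
SAMPLE_LOG = """\
client 10.0.1.15#51234: query: www.example-hospital.org IN A +
client 10.0.1.15#51235: query: www.example-hospital.org IN A +
client 10.0.1.15#51236: query: mail.example-hospital.org IN MX +
client 10.0.1.22#40111: query: k3m9x2pq7vz4wb8ntj6rl5hc0ysd1agf.s1.dnsupdate-example.net IN TXT +
client 10.0.1.22#40112: query: a7f2d9k4m1p8q3x6z0b5c2e9h4j7n1r3.s1.dnsupdate-example.net IN TXT +
client 10.0.1.31#51240: query: portal.example-hospital.org IN A +
client 10.0.1.22#40113: query: w2y8t4u6i0o1s5d7f9g3h1j5k7l9z2x4.s1.dnsupdate-example.net IN TXT +
client 10.0.1.22#40114: query: v1b3n5m7q9w2e4r6t8y0u1i3o5p7a9s2.s1.dnsupdate-example.net IN TXT +
client 10.0.1.15#51237: query: www.example-hospital.org IN AAAA +
client 10.0.1.22#40115: query: c4d6e8f0g2h4j6k8l0z1x3c5v7b9n1m3.s1.dnsupdate-example.net IN TXT +
client 10.0.1.22#40116: query: q9w7e5r3t1y0u2i4o6p8a1s3d5f7g9h2.s1.dnsupdate-example.net IN TXT +
client 10.0.1.31#51241: query: cdn.example-hospital.org IN A +
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, zone), taking the last two labels as the zone (simplifying assumption)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_zones(log_text: str):
    """Aggregate per-zone counters from query log lines that match QUERY_RE."""
    zones = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "payload_type": 0, "entropy_sum": 0.0, "label_len_sum": 0})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # unrelated log line, skipped
        sub, zone = split_qname(m.group("qname"))
        z = zones[zone]
        z["queries"] += 1
        z["names"].add(m.group("qname"))
        z["clients"].add(m.group("src"))
        if m.group("qtype") in PAYLOAD_TYPES:
            z["payload_type"] += 1
        z["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        z["label_len_sum"] += max((len(lbl) for lbl in sub.split(".")), default=0)
    return zones


def score_zone(z) -> list:
    """List the heuristic indicators a zone triggers; thresholds are illustrative."""
    n = z["queries"]
    reasons = []
    if n >= 5 and len(z["names"]) / n > 0.8:
        reasons.append("mostly unique subdomains")
    if z["entropy_sum"] / n >= 3.5:
        reasons.append("high-entropy subdomains")
    if z["label_len_sum"] / n >= 25:
        reasons.append("long labels")
    if z["payload_type"] / n >= 0.5:
        reasons.append("payload-capable record types")
    return reasons


def suspicious_zones(log_text: str, min_reasons: int = 2) -> dict:
    """Map each zone with at least min_reasons indicators to its list of reasons."""
    out = {}
    for zone, z in profile_zones(log_text).items():
        reasons = score_zone(z)
        if len(reasons) >= min_reasons:
            out[zone] = reasons
    return out


if __name__ == "__main__":
    for zone, reasons in suspicious_zones(SAMPLE_LOG).items():
        print(f"{zone}: {', '.join(reasons)}")
```

Requiring two independent indicators before alerting matters in practice: content-delivery networks, anti-malware reputation lookups and some telemetry services also generate large numbers of unique subdomains, so a production rule needs allowlisting and per-environment baselining of the thresholds used above, and the resolver logs it reads must cover every path out of the network, not just the corporate resolvers.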
