
What to do when Ransomware Activity Targets the Healthcare Sector

TrickBot

Nov 2, 2020

What began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.

In early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims — such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created anchor_dns, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.

Source: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
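The anchor_dns module described above moves data in and out of a victim over DNS, which is exactly the kind of traffic a perimeter stack can miss if it only looks at web and mail. As an added example, not code from the CISA alert or from Check Point, the script below runs a simple DNS-tunneling heuristic over a constructed resolver log: it parses an assumed "timestamp client qtype qname" line format, scores each query for long labels, high-entropy labels and TXT lookups, and only reports a (client, domain) pair when many distinct subdomains were queried and at least one of those signals fired. The log lines, the thresholds and the "registered domain = last two labels" shortcut are all assumptions for illustration; the hex subdomains are generated from sha256 so they resemble encoded payload chunks and are not real TrickBot traffic.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed resolver log in an assumed "<timestamp> <client> <qtype> <qname>" format.
# Nothing here is captured traffic. The benign host queries ordinary names plus one
# CDN-style random label; the second host issues many TXT queries with 32-hex-char
# labels under one domain, which is the tunnelling pattern we want to surface.
_BENIGN = [
    "2020-11-02T10:00:01Z 10.0.0.5 A www.example.com",
    "2020-11-02T10:00:02Z 10.0.0.5 A mail.example.com",
    "2020-11-02T10:00:03Z 10.0.0.5 A cdn.example.com",
    "2020-11-02T10:00:04Z 10.0.0.5 A api.example.com",
    "2020-11-02T10:00:05Z 10.0.0.5 A static.example.com",
    "2020-11-02T10:00:06Z 10.0.0.5 A login.example.com",
    # a single high-entropy label: suspicious by itself, but one name is not a tunnel
    "2020-11-02T10:00:07Z 10.0.0.5 A d1a2b3c4d5e6f7g8.cdn-example.test",
]
_TUNNEL = []
for _i in range(8):
    _chunk = hashlib.sha256(f"chunk{_i}".encode()).hexdigest()[:32]  # constructed payload label
    _TUNNEL.append(f"2020-11-02T10:01:{_i:02d}Z 10.0.0.7 TXT {_chunk}.c2-example.test")
SAMPLE_LOG = "\n".join(_BENIGN + _TUNNEL)

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered_domain, subdomain). Assumes the registered domain is the
    last two labels; production code should consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def query_signals(qname: str, qtype: str, max_label=24, min_len_for_entropy=16, min_entropy=3.0):
    """Per-query heuristics. All three thresholds are assumptions chosen for this example."""
    _, sub = split_name(qname)
    reasons = set()
    for label in sub.split("."):
        if len(label) > max_label:
            reasons.add("long-label")
        if len(label) >= min_len_for_entropy and shannon_entropy(label) >= min_entropy:
            reasons.add("high-entropy-label")
    if qtype.upper() == "TXT":
        reasons.add("txt-query")  # TXT lookups from a workstation are unusual (assumption)
    return reasons


def detect_tunnels(log_text: str, min_unique=5):
    """Flag (client, registered_domain) pairs that queried at least min_unique distinct
    subdomains AND triggered at least one per-query signal. Returns a sorted list of
    (client, domain, unique_subdomain_count, sorted_reasons)."""
    stats = defaultdict(lambda: {"subs": set(), "reasons": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        domain, sub = split_name(m["qname"])
        key = (m["client"], domain)
        stats[key]["subs"].add(sub)
        stats[key]["reasons"] |= query_signals(m["qname"], m["qtype"])
    findings = []
    for (client, domain), s in stats.items():
        if len(s["subs"]) >= min_unique and s["reasons"]:
            findings.append((client, domain, len(s["subs"]), sorted(s["reasons"])))
    return sorted(findings)


if __name__ == "__main__":
    for client, domain, n, reasons in detect_tunnels(SAMPLE_LOG):
        print(f"{client} -> {domain}: {n} unique subdomains, signals={reasons}")
```

Requiring both cardinality and a per-query signal is the point of the example: the benign host also hits six distinct subdomains of example.com, and its one random-looking CDN label trips the entropy check, yet neither pair is reported. In a real deployment, feed this with resolver or gateway DNS logs, replace the two-label domain split with a public suffix list, and tune the thresholds against your own baseline before alerting on them.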

Here is the prescriptive plan if you run Threat Prevention blades on your Check Point Security Gateway.

· IPS: enable HTTPS Inspection (the gateway terminates TLS as a man-in-the-middle, so its inspection CA must be trusted by your endpoints) and apply the Optimized profile, which blocks Medium- and High-severity network- and host-based intrusion attempts, both pre- and post-infection.

· Application Control: Layer 7 application identification, so policy is enforced on the application itself rather than on the port it happens to use.

· URL Filtering: block malicious and unwanted URL categories, including known malware-distribution and command-and-control sites.

· Threat Emulation: detonate downloaded and mailed files in a sandbox before they reach the user.

· Threat Extraction: deliver a sanitized copy of incoming documents with active content (macros, embedded objects) removed.

· Basic Firewall: the access-control layer the other blades depend on; restrict outbound traffic to what is needed, including DNS, which anchor_dns abuses for tunneling.

· Anti-Virus: signature-based scanning of files in transit.

· Anti-Bot: detect and block command-and-control communication from hosts that are already infected.


Written by Jon Goldman

Cloud Security, Automation, DevOps, AWS, Azure, GCP
