DHS Healthcare Bulletin on Ransomware Attacks Against Hospitals

The following bulletin was obtained from a regional hospital association's public website.

HSIN-HPH Bulletin: Ransomware (Locky variant)

Page Count: 2 pages
Date: April 5, 2016
Restriction: TLP: GREEN
Originating Organization: Department of Homeland Security
File Type: pdf
File Size: 330,967 bytes
File Hash (SHA-256): 6BA55F91BBB279B2EE9DB3EA9A4A9E8F9B8A6703B69260DD18294ECD0775AEFE

Download File

The Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC) has notified the Department of Health and Human Services (HHS) of an increase in ransomware incidents at some healthcare organizations in the U.S. This Bulletin provides Healthcare and Public Health (HPH) Partners with information regarding ransomware, mitigation strategies, as well as additional materials to reference located within the HSIN HPH Cyber Threat Library.

Information in this bulletin was developed in coordination with and for the benefit of the HPH Sector Critical Infrastructure Protection (CIP) Partnership. The HPH CIP Partnership operates under the National Infrastructure Protection Plan and is coordinated within HHS by the Office of the Assistant Secretary for Preparedness and Response. The partnership is dedicated to joint public and private sector efforts to protect the HPH Sector from all hazards through information sharing and collaborative risk management.

Threat Details – Locky Ransomware variant

There is recent open source reporting that ties Locky Ransomware to the Dridex infrastructure. The malware seems to be most commonly delivered through mass phishing emails with malicious attachments. New discoveries suggest that recent Locky ransomware campaigns are using multiple types of attachments as the delivery mechanism. Unlike previous variants, some of these instances no longer depend on the user enabling document macros to begin the encryption process.

Similarly, once the user opens the attachment, Locky attempts to download the encryption payload, looks for file extensions on the hard drive, and encrypts them. The token ‘Ransom note image’ is displayed with this message to the user: “All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server”.

Below provides a list of recently discovered attachments along with their functionality:

JavaScript files that download and execute a malicious binary which performs the encryption.

.zip files which contain the malicious JavaScript files.

Microsoft Word documents that contain macros that automatically create and execute a malicious .vbs file. This .vbs file then downloads and executes a malicious binary which performs the encryption.

Indicators of Compromise (IOC)

The hash values, associated domains, and internet protocol addresses appear to be constantly changing and are therefore not reliable.


Guidance at this point mirrors the mitigation advice for most ransomware:

If IOCs are determined for a particular attack, monitor for other systems communicating with those IOCs. While IOCs change between attacks, observations indicate that individual emails associated with an attack share indicators.

Monitor for unexpected emails containing .doc, .js, and .zip files.

Monitor for the creation of malicious .js and .vbs files on file systems, particularly in users’ Application Data and Temp folders.

Patch applications to ensure antivirus, OS, and third party software products are up-to-date.

Do not open suspicious attachments or follow suspicious links.

Perform regular backups that are stored on non-network connected machines.

Share this: