While doing some open-source intelligence (OSINT), a security researcher discovered that a provider of end-to-end solutions for emergency care facilities in the U.S. fell victim to Ryuk ransomware.
The company hit by the malware is T-System, based in Dallas, Texas, which is currently working to recover from the attack. At the time of writing, the company's systems are offline.
The attack occurred at the end of November, a month that has seen multiple incidents related to this particular strain of file-encrypting malware, most of them being in Spain.
Urgent care solutions provider falls to Ryuk
Security researcher Germán Fernández from CronUp was doing OSINT for Ryuk indicators and found that many of the platforms managed by T-System were down, suggesting that the recovery from the incident is in full swing.
By the looks of it, the ransomware infection spread to public-facing segments such as the DMZ, the extranet, and the helpdesk, Fernández told BleepingComputer.
A screenshot of the company's site index captured by the researcher shows files carrying the .RYK extension that Ryuk appends to encrypted files, alongside the ransom note in HTML format.
As expected from this ransomware, the note offers the minimum information the victim needs to contact the attacker to learn how much they have to pay for the decryption key.
It also includes the phrase “balance of shadow universe,” which indicates that the Ryuk sample used in the attack is a recent one, discovered by MalwareHunterTeam in June.
The contact email address provided in the note for obtaining payment instructions is “[email protected]”. T-System has not announced the attack.
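The kind of triage the researcher describes, spotting .RYK files and an HTML note in an exposed directory index, then reading the note for the "balance of shadow universe" phrase and a contact address, and reading the listing's timestamps to see when the files were written, is shown below as an added example; it is not code from the article or from CronUp. The directory listing, the note text, the file names and the contact address are all constructed for the example, and the Apache-style index layout it parses is an assumption about how such a listing looks.

```python
"""Ryuk indicator triage over an exposed web directory index (added example).

Flags the hallmarks the article describes: files with the .RYK extension,
an HTML ransom note, the "balance of shadow universe" phrase and a contact
e-mail inside the note. It also reads the listing's timestamps to bound
when encryption ran. All sample data below is constructed.
"""
import re
from datetime import datetime
from html import unescape

RYUK_PHRASE = "balance of shadow universe"
RYK_SUFFIX = ".RYK"

# Constructed Apache-style "Index of" page; names, sizes and dates are made up.
SAMPLE_INDEX = """<html><body><h1>Index of /extranet</h1><pre>
<a href="../">Parent Directory</a>                           -
<a href="readme.html">readme.html</a>             28-Nov-2019 03:21   1.2K
<a href="invoices.xlsx.RYK">invoices.xlsx.RYK</a> 28-Nov-2019 03:14    88K
<a href="backup.zip.RYK">backup.zip.RYK</a>       28-Nov-2019 03:21   4.1M
<a href="logo.png">logo.png</a>                   02-Jan-2018 11:00    14K
<a href="reports/">reports/</a>                   28-Nov-2019 03:22      -
</pre></body></html>"""

# Constructed note: only the phrase and the presence of a contact address are
# taken from the article; the wording and the (reserved) address are invented.
SAMPLE_NOTE = """<html><body><p>Your network has been penetrated.</p>
<p>To get instructions write to <b>contact@example.com</b></p>
<p>balance of shadow universe</p></body></html>"""

# One Apache index row: link, then a "DD-Mon-YYYY HH:MM" timestamp.
ENTRY_RE = re.compile(
    r'<a href="(?P<name>[^"]+)">[^<]*</a>\s+'
    r'(?P<stamp>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2})')
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_index(index_html):
    """Return [(name, datetime)] for every dated row in the listing."""
    entries = []
    for m in ENTRY_RE.finditer(index_html):
        stamp = datetime.strptime(m.group("stamp"), "%d-%b-%Y %H:%M")
        entries.append((unescape(m.group("name")), stamp))
    return entries


def find_ryk_files(entries):
    """Names that carry the extension Ryuk appends to encrypted files."""
    return [name for name, _ in entries if name.upper().endswith(RYK_SUFFIX)]


def find_html_candidates(entries):
    """HTML files in the listing: candidates for the dropped ransom note."""
    return [name for name, _ in entries
            if name.lower().endswith((".html", ".htm"))]


def encryption_window(entries):
    """(earliest, latest) timestamp among .RYK files, or None if there are none.

    Ryuk rewrites files as it encrypts them, so their mtimes bound the run.
    """
    stamps = [t for name, t in entries if name.upper().endswith(RYK_SUFFIX)]
    return (min(stamps), max(stamps)) if stamps else None


def note_indicators(note_html):
    """Strip tags from the note and look for the phrase and contact addresses."""
    text = unescape(re.sub(r"<[^>]+>", " ", note_html))
    return {
        "phrase_present": RYUK_PHRASE in text.lower(),
        "contacts": sorted(set(EMAIL_RE.findall(text))),
    }


def triage(index_html, note_html):
    """Combine listing and note evidence into one verdict dictionary."""
    entries = parse_index(index_html)
    ryk = find_ryk_files(entries)
    note = note_indicators(note_html)
    # Encrypted files plus a note that matches the sample's traits: call it Ryuk.
    likely = bool(ryk) and (note["phrase_present"] or bool(note["contacts"]))
    return {
        "ryk_files": ryk,
        "note_candidates": find_html_candidates(entries),
        "window": encryption_window(entries),
        "likely_ryuk": likely,
        **note,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_INDEX, SAMPLE_NOTE))
```

The same checks work on a saved search-engine cache or on a listing fetched with `curl`; the timestamp bound is only as good as the server's clock, so treat it as a lead rather than a forensic fact.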
According to information on its website, the company provides services “for more than 1,900 emergency care facilities and counting,” and boasts that “more than 40 percent of the nation’s hospitals rely on T-System.”
This is not the only U.S. entity hit by Ryuk in November. At the beginning of the month, the malware encrypted data from the Lincoln School District, an attack that was reported at the time.
Ryuk hits Spanish companies
According to some reports, Ryuk is responsible for the attack against Cadena SER (Sociedad Española de Radiodifusión), Spain’s largest radio station, at the beginning of November. Evidence of this is lacking in public reports, though.
Using OSINT, Fernández found another Ryuk incident that happened around the same period. The target was TECNOL, a manufacturer of products for waterproofing, insulating, cleaning, biotechnology, and more.
The researcher found that Ryuk encrypted data from the company on November 1, the date when the ransom note was also dropped.
ASD Audit, a provider of software for financial auditing and analysis, is another Ryuk victim Fernández discovered during his research.
Finding Ryuk-encrypted data from this company was possible by querying public search engines, as shown in the image below.
The ransom note from the ASD Audit incident was dated early September. It bore the same hallmarks of the recently discovered Ryuk sample: the email addresses provided were “[email protected]” and “[email protected],” accompanied by the same mysterious phrase.
A Ryuk ransom note was created on the same date on the systems of Imperdeco, another Spanish company, based in Menorca, that offers solutions for the construction, protection, and decoration of buildings.
On November 27, Prosegur, a private security company offering manned guarding, logistics, and alarm services, shut down its systems to prevent Ryuk from spreading to internal and external hosts.
Six days after the company acknowledged the attack and the malware used by the cybercriminals, some sources say it was still dealing with the after-effects of the incident.
Some customers complained that they could not arm the alarm because the app was down, and they also had trouble checking whether the alarm was armed. They were cut off from the service for at least four days.
In some cases, the security systems delivered images from protected properties with long delays, sometimes taking hours to do so; under normal circumstances, this happens immediately.
Customers fear that burglary attempts will increase once word gets out that Prosegur alarms are failing.
Indeed, customer service confirmed that on the day of the Ryuk attack there was no robbery reported, but this changed the next day.