{
	"id": "35439adc-cb7d-4185-b206-15d4995e025a",
	"created_at": "2026-04-06T03:37:11.760633Z",
	"updated_at": "2026-04-10T03:21:19.448408Z",
	"deleted_at": null,
	"sha1_hash": "b1ab1e71e222d8aa19e11d8bfb0ab5de4e1dc392",
	"title": "Ransomware Activity Targeting the Healthcare and Public Health Sector | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230055,
	"plain_text": "Ransomware Activity Targeting the Healthcare and Public Health\r\nSector | CISA\r\nPublished: 2020-11-02 · Archived: 2026-04-06 03:24:44 UTC\r\nSummary\r\nThis advisory was updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs\r\nand Yara Rules for detection.\r\nThis advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) version 7\r\nframework. See the ATT\u0026CK for Enterprise version 7 for all referenced threat actor tactics and techniques.\r\nThis joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency\r\n(CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).\r\nThis advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in\r\nthe Healthcare and Public Health (HPH) Sector to infect systems with ransomware, notably Ryuk and Conti, for\r\nfinancial gain.\r\nCISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals\r\nand healthcare providers. 
CISA, FBI, and HHS are sharing this information to provide warning to healthcare\r\nproviders to ensure that they take timely and reasonable precautions to protect their networks from these threats.\r\nClick here for a PDF version of this report.\r\nKey Findings\r\nCISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and\r\nBazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare\r\nservices.\r\nThese issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore,\r\nadministrators will need to balance this risk when determining their cybersecurity investments.\r\nTechnical Details\r\nThreat Details\r\nThe cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has\r\ncontinued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization.\r\nThese threat actors increasingly use loaders—like TrickBot and BazarLoader (or BazarBackdoor)—as part of their\r\nmalicious cyber campaigns. Cybercriminals disseminate TrickBot and BazarLoader via phishing campaigns that\r\ncontain either links to malicious websites that host the malware or attachments with the malware. Loaders start the\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa20-302a\r\nPage 1 of 19\n\ninfection chain by distributing the payload; they deploy and execute the backdoor from the command and control\r\n(C2) server and install it on the victim’s machine.\r\nTrickBot\r\nWhat began as a banking trojan and descendant of Dyre malware, TrickBot now provides its operators a full suite\r\nof tools to conduct a myriad of illegal cyber activities. 
These activities include credential harvesting, mail\r\nexfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and\r\nConti.\r\nIn early 2019, the FBI began to observe new TrickBot modules named Anchor, which cyber actors typically used\r\nin attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration\r\nfrom networks and point-of-sale devices. As part of the new Anchor toolset, TrickBot developers created\r\nanchor_dns, a tool for sending and receiving data from victim machines using Domain Name System (DNS)\r\ntunneling.\r\nanchor_dns is a backdoor that allows victim machines to communicate with C2 servers over DNS to evade\r\ntypical network defense products and make their malicious communications blend in with legitimate DNS traffic.\r\nanchor_dns uses a single-byte XOR cipher to obfuscate its communications, which have been observed using key\r\n0xB9. Once decoded, the string anchor_dns can be found in the DNS request traffic.\r\nTrickBot Indicators of Compromise\r\nAfter successful execution of the malware, TrickBot copies itself as an executable file with a 12-character\r\nrandomly generated file name (e.g., mfjdieks.exe) and places this file in one of the following\r\ndirectories.\r\nC:\\Windows\\\r\nC:\\Windows\\SysWOW64\\\r\nC:\\Users\\[Username]\\AppData\\Roaming\\\r\nOnce the executable is running and has established communication with its C2s, it places the\r\nmodules downloaded from the C2s for the infected processor architecture (32- or 64-bit instruction\r\nset) in the infected host’s %APPDATA% or %PROGRAMDATA% directory, such as %AppData\\Roaming\\winapp. Some\r\ncommonly named plugins that are created in a Modules subdirectory are (the detected architecture is appended to\r\nthe module filename, e.g., importDll32 or importDll64):\r\nSysteminfo\r\nimportDll\r\noutlookDll\r\ninjectDll with a directory (ex. 
injectDLL64_configs) containing configuration files:\r\ndinj\r\nsinj\r\ndpost\r\nmailsearcher with a directory (ex. mailsearcher64_configs) containing configuration file:\r\nmailconf\r\nnetworkDll with a directory (ex. networkDll64_configs) containing configuration file:\r\ndpost\r\nwormDll\r\ntabDll\r\nshareDll\r\nA file named client_id, data, or FAQ containing the assigned bot ID of the compromised system is created in the\r\nmalware directory. A file named group_tag or Readme.md containing the TrickBot campaign IDs is created in the\r\nmalware directory.\r\nThe malware may also drop a file named anchorDiag.txt in one of the directories listed above.\r\nPart of the initial network communications with the C2 server involves sending information about the victim\r\nmachine such as its computer name/hostname, operating system version, and build via a base64-encoded GUID.\r\nThe GUID is composed of /GroupID/ClientID/ with the following naming convention:\r\n/anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/\r\nThe malware uses scheduled tasks that run every 15 minutes to ensure persistence on the victim machine. 
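The following Python is an added example, not part of this advisory and not TrickBot or NCSC code. It applies the 0xB9 single-byte XOR key and the GUID naming convention described above to DNS query names, which is the check the Recommended Mitigation Measures section later asks administrators to run over DNS logs. The assumptions are the example's own and are not stated in the advisory: the XORed bytes are hex-encoded and spread across subdomain labels under one of the listed anchor_dns zones, and the sample queries are constructed rather than captured traffic. Real samples may encode the payload differently (the advisory mentions base64 for the GUID), so adjust decode_labels to match what you observe.

```python
import binascii
import re

XOR_KEY = 0xB9   # single-byte key the advisory reports for anchor_dns traffic
ANCHOR_ZONES = {'kostunivo.com', 'chishir.com', 'mangoclone.com', 'onixcellent.com'}
# /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
GUID_RE = re.compile(r'/anchor_dns/([A-Za-z0-9-]+)_([0-9]+)[.]([0-9a-fA-F]{32})/')

def xor_decode(data, key=XOR_KEY):
    # XOR is its own inverse, so this both encodes and decodes.
    return bytes(b ^ key for b in data)

def split_query(qname):
    # Separate payload labels from the zone: prefer a known anchor_dns zone,
    # otherwise treat the last two labels as the zone.
    labels = qname.rstrip('.').lower().split('.')
    for i in range(1, len(labels)):
        zone = '.'.join(labels[i:])
        if zone in ANCHOR_ZONES:
            return labels[:i], zone
    return labels[:-2], '.'.join(labels[-2:])

def decode_labels(labels):
    # Assumption: payload labels are hex; swap in base64 here if your samples differ.
    try:
        return binascii.unhexlify(''.join(labels))
    except (binascii.Error, ValueError):
        return None

def inspect_query(qname):
    labels, zone = split_query(qname)
    finding = {'qname': qname, 'zone': zone, 'known_c2': zone in ANCHOR_ZONES,
               'decoded': None, 'guid': None}
    raw = decode_labels(labels)
    if raw is None:
        return finding
    text = xor_decode(raw).decode('ascii', 'replace')
    finding['decoded'] = text
    m = GUID_RE.search(text)
    if m:
        finding['guid'] = {'computer': m.group(1), 'build': m.group(2), 'client_id': m.group(3)}
    return finding

def is_anchor_dns(finding):
    # Per the advisory, the string anchor_dns appears once the request is decoded.
    return finding['decoded'] is not None and 'anchor_dns' in finding['decoded']

def build_query(payload, zone, label_len=60):
    # Used only to construct the sample beacon: XOR, hex-encode, split into labels of at most 63 chars.
    hexed = binascii.hexlify(xor_decode(payload.encode('ascii'))).decode('ascii')
    labels = [hexed[i:i + label_len] for i in range(0, len(hexed), label_len)]
    return '.'.join(labels + [zone])

# Constructed sample qnames (not captured traffic): one beacon and two benign lookups.
SAMPLE_QUERIES = [
    build_query('/anchor_dns/WS-FINANCE-07_17763.' + 'a' * 32 + '/', 'kostunivo.com'),
    'api.ipify.org',
    'www.example.com',
]

def scan(queries):
    return [f for f in map(inspect_query, queries) if is_anchor_dns(f)]
```

scan(SAMPLE_QUERIES) returns the single beacon with its parsed computer name, build number and 32-character client ID. When running this over the qname column of real DNS logs, still compare the zone against the advisory's domain list even when decoding fails, since the encoding or key may differ between builds.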
The\r\nscheduled task typically uses the following naming convention.\r\n[random_folder_name_in_%APPDATA%_excluding_Microsoft]\r\nautoupdate#[5_random_numbers] (e.g., Task autoupdate#16876).\r\nAfter successful execution, anchor_dns further deploys malicious batch scripts (.bat) using PowerShell\r\ncommands.\r\nThe malware deploys self-deletion techniques by executing the following commands.\r\ncmd.exe /c timeout 3 \u0026\u0026 del C:\\Users\\[username]\\[malware_sample]\r\ncmd.exe /C PowerShell \\\"Start-Sleep 3; Remove-Item C:\\Users\\[username]\\[malware_sample_location]\\\"\r\nThe following domains found in outbound DNS records are associated with anchor_dns.\r\nkostunivo[.]com\r\nchishir[.]com\r\nmangoclone[.]com\r\nonixcellent[.]com\r\nThis malware used the following legitimate domains to test internet connectivity.\r\nipecho[.]net\r\napi[.]ipify[.]org\r\ncheckip[.]amazonaws[.]com\r\nip[.]anysrc[.]net\r\nwtfismyip[.]com\r\nipinfo[.]io\r\nicanhazip[.]com\r\nmyexternalip[.]com\r\nident[.]me\r\nCurrently, there is an open-source tracker for TrickBot C2 servers located at\r\nhttps://feodotracker.abuse.ch/browse/trickbot/.\r\nThe anchor_dns malware historically used the following C2 servers.\r\n23[.]95[.]97[.]59\r\n51[.]254[.]25[.]115\r\n193[.]183[.]98[.]66\r\n91[.]217[.]137[.]37\r\n87[.]98[.]175[.]85\r\nTrickBot YARA Rules\r\nrule anchor_dns_strings_filenames {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS samples based off strings or filenames used in malware\"\r\n        author = \"NCSC\"\r\n        hash1 = \"fc0efd612ad528795472e99cae5944b68b8e26dc\"\r\n        hash2 = \"794eb3a9ce8b7e5092bb1b93341a54097f5b78a9\"\r\n        hash3 = \"9dfce70fded4f3bc2aa50ca772b0f9094b7b1fb2\"\r\n        hash4 = \"24d4bbc982a6a561f0426a683b9617de1a96a74a\"\r\n    strings:\r\n        $ = \",Control_RunDLL \\x00\"\r\n        $ = \":$GUID\" ascii wide\r\n        $ = \":$DATA\" ascii 
wide\r\n        $ = \"/1001/\"\r\n        $ = /(\\x00|\\xCC)qwertyuiopasdfghjklzxcvbnm(\\x00|\\xCC)/\r\n        $ = /(\\x00|\\xCC)QWERTYUIOPASDFGHJKLZXCVBNM(\\x00|\\xCC)/\r\n        $ = \"start program with cmdline \\\"%s\\\"\"\r\n        $ = \"Global\\\\fde345tyhoVGYHUJKIOuy\"\r\n        $ = \"ChardWorker::thExecute: error registry me\"\r\n        $ = \"get command: incode %s, cmdid \\\"%s\\\", cmd \\\"%s\\\"\"\r\n        $ = \"anchorDNS\"\r\n        $ = \"Anchor_x86\"\r\n        $ = \"Anchor_x64\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them\r\n}\r\nrule anchor_dns_icmp_transport {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS samples based off ICMP transport strings\"\r\n        author = \"NCSC\"\r\n        hash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\"\r\n    strings:\r\n        $ = \"reset_connection \u003c- %s\"\r\n        $ = \"server_ok \u003c- %s (packets on server %s)\"\r\n        $ = \"erase successfully transmitted packet (count: %d)\"\r\n        $ = \"Packet sended with crc %s -\u003e %s\"\r\n        $ = \"send data confimation to server(%s)\"\r\n        $ = \"data recived from \u003c- %s\"\r\n        $ = \"Rearmost packed recived (id: %s)\"\r\n        $ = \"send poll to server -\u003e : %s\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and 3 of them\r\n}\r\nrule anchor_dns_config_dexor {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS samples based off configuration deobfuscation (XOR 0x23 countup)\"\r\n        author = \"NCSC\"\r\n        hash1 = \"d0278ec015e10ada000915a1943ddbb3a0b6b3db\"\r\n        hash2 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\"\r\n    strings:\r\n        $x86 = {75 1F 56 6A 40 B2 23 33 C9 5E 8A 81 ?? ?? ?? ?? 32 C2 FE C2 88 81 ?? ?? ?? ?? 41 83 EE 01 75 EA 5E B8 ?? ?? ?? ?? 
C3}\r\n        $x64 = {41 B0 23 41 B9 80 00 00 00 8A 84 3A ?? ?? ?? 00 41 32 C0 41 FE C0 88 04 32 48 FF C2 49 83 E9 01 75 E7}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nrule anchor_dns_installer {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS installer samples based off MZ magic under one-time pad or deobfuscation loop code\"\r\n        author = \"NCSC\"\r\n        hash1 = \"fa98074dc18ad7e2d357b5d168c00a91256d87d1\"\r\n        hash2 = \"78f0737d2b1e605aad62af252b246ef390521f02\"\r\n    strings:\r\n        $pre = {43 00 4F 00 4E 00 4F 00 55 00 54 00 24 00 00 00} //CONOUT$\r\n        $pst = {6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00} //kernel32.dll\r\n        $deob_x86 = {8B C8 89 4D F8 83 F9 FF 74 52 46 89 5D F4 88 5D FF 85 F6 74 34 8A 83 ?? ?? ?? ?? 32 83 ?? ?? ?? ?? 6A 00 88 45 FF 8D 45 F4 50 6A 01 8D 45 FF 50 51 FF 15 34 80 41 00 8B 4D F8 43 8B F0 81 FB 00 ?? ?? ?? 72 CC 85 F6 75 08}\r\n        $deob_x64 = {42 0F B6 84 3F ?? ?? ?? ?? 4C 8D 8C 24 80 00 00 00 42 32 84 3F ?? ?? ?? ?? 48 8D 54 24 78 41 B8 01 00 00 00 88 44 24 78 48 8B CE 48 89 6C 24 20 FF 15 ?? ?? ?? ?? 48 FF C7 8B D8 48 81 FF ?? ?? ?? 
?? 72 B8}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)\r\n        and\r\n            (   uint16(@pre+16) ^ uint16(@pre+16+((@pst-(@pre+16))\\2)) == 0x5A4D\r\n                or\r\n                $deob_x86 or $deob_x64\r\n            )\r\n}\r\nimport \"pe\"\r\nrule anchor_dns_string_1001_with_pe_section_dll_export_resolve_ip_domains {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS samples based off /1001/ string in combination with DLL export name string, PE section .addr or IP resolution domains\"\r\n        author = \"NCSC\"\r\n        hash1 = \"ff8237252d53200c132dd742edc77a6c67565eee\"\r\n        hash2 = \"c8299aadf886da55cb47e5cbafe8c5a482b47fc8\"\r\n    strings:\r\n        $str1001 = {2F 31 30 30 31 2F 00} // /1001/\r\n        $strCtrl = {2C 43 6F 6E 74 72 6F 6C 5F 52 75 6E 44 4C 4C 20 00} // ,Control_RunDLL\r\n        $ip1 = \"checkip.amazonaws.com\" ascii wide\r\n        $ip2 = \"ipecho.net\" ascii wide\r\n        $ip3 = \"ipinfo.io\" ascii wide\r\n        $ip4 = \"api.ipify.org\" ascii wide\r\n        $ip5 = \"icanhazip.com\" ascii wide\r\n        $ip6 = \"myexternalip.com\" ascii wide\r\n        $ip7 = \"wtfismyip.com\" ascii wide\r\n        $ip8 = \"ip.anysrc.net\" ascii wide\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550)\r\n        and $str1001\r\n        and (\r\n                for any i in (0..pe.number_of_sections): (\r\n                    pe.sections[i].name == \".addr\"\r\n                )\r\n            or\r\n                $strCtrl\r\n            or\r\n                6 of ($ip*)\r\n            )\r\n}\r\nrule anchor_dns_check_random_string_in_dns_response {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS samples based off checking random string in DNS response\"\r\n        author = \"NCSC\"\r\n        hash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\"\r\n        hash2 = 
\"14e9d68bba7a184863667c680a8d5a757149aa36\"\r\n    strings:\r\n        $x86 = {8A D8 83 C4 10 84 DB 75 08 8B 7D BC E9 84 00 00 00 8B 7D BC 32 DB 8B C7 33 F6 0F 1F 00\r\n85 C0 74 71 40 6A 2F 50 E8 ?? ?? ?? ?? 46 83 C4 08 83 FE 03 72 EA 85 C0 74 5B 83 7D D4 10 8D 4D C0 8B 75\r\nD0 8D 50 01 0F 43 4D C0 83 EE 04 72 11 8B 02 3B 01 75 10 83 C2 04 83 C1 04 83 EE 04 73 EF 83 FE FC 74\r\n2D 8A 02 3A 01 75 29 83 FE FD 74 22 8A 42 01 3A 41 01 75 1C 83 FE FE 74 15 8A 42 02 3A 41 02 75 0F 83 FE\r\nFF 74 08 8A 42 03 3A 41 03 75 02 B3 01 8B 75 B8}\r\n        $x64 = {4C 39 75 EF 74 56 48 8D 45 DF 48 83 7D F7 10 48 0F 43 45 DF 49 8B FE 48 85 C0 74 40 48 8D\r\n48 01 BA 2F 00 00 00 E8 ?? ?? ?? ?? 49 03 FF 48 83 FF 03 72 E4 48 85 C0 74 24 48 8D 55 1F 48 83 7D 37 10 48\r\n0F 43 55 1F 48 8D 48 01 4C 8B 45 2F E8 ?? ?? ?? ?? 0F B6 DB 85 C0 41 0F 44 DF 49 03 F7 48 8B 55 F7 48 83\r\nFE 05 0F 82 6A FF FF FF}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nrule anchor_dns_default_result_execute_command {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS samples based off default result value and executing command\"\r\n        author = \"NCSC\"\r\n        hash1 = \"056f326d9ab960ed02356b34a6dcd72d7180fc83\"\r\n        hash2 = \"14e9d68bba7a184863667c680a8d5a757149aa36\"\r\n    strings:\r\n        $x86 = {83 C4 04 3D 80 00 00 00 73 15 8B 04 85 ?? ?? ?? ?? 85 C0 74 0A 8D 4D D8 51 8B CF FF D0 8A\r\nD8 84 DB C7 45 A4 0F 00 00 00}\r\n        $x64 = {48 98 B9 E7 03 00 00 48 3D 80 00 00 00 73 1B 48 8D 15 ?? ?? ?? ?? 
48 8B 04 C2 48 85 C0 74 0B 48 8D 55 90 48 8B CE FF D0 8B C8}\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nrule anchor_dns_pdbs {\r\n    meta:\r\n        description = \"Rule to detect AnchorDNS samples based off partial PDB paths\"\r\n        author = \"NCSC\"\r\n        hash1 = \"f0e575475f33600aede6a1b9a5c14f671cb93b7b\"\r\n        hash2 = \"1304372bd4cdd877778621aea715f45face93d68\"\r\n        hash3 = \"e5dc7c8bfa285b61dda1618f0ade9c256be75d1a\"\r\n        hash4 = \"f96613ac6687f5dbbed13c727fa5d427e94d6128\"\r\n        hash5 = \"46750d34a3a11dd16727dc622d127717beda4fa2\"\r\n    strings:\r\n        $ = \":\\\\MyProjects\\\\secondWork\\\\Anchor\\\\\"\r\n        $ = \":\\\\simsim\\\\anchorDNS\"\r\n        $ = \":\\\\[JOB]\\\\Anchor\\\\\"\r\n        $ = \":\\\\Anchor\\\\Win32\\\\Release\\\\Anchor_\"\r\n        $ = \":\\\\Users\\\\ProFi\\\\Desktop\\\\data\\\\Win32\\\\anchor\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them\r\n}\r\nBazarLoader/BazarBackdoor\r\nBeginning in approximately early 2020, actors believed to be associated with TrickBot began using BazarLoader\r\nand BazarBackdoor to infect victim networks. The loader and backdoor work closely together to achieve infection\r\nand communicate with the same C2 infrastructure. Campaigns using Bazar represent a new technique for\r\ncybercriminals to infect and monetize networks and have increasingly led to the deployment of ransomware,\r\nincluding Ryuk. BazarLoader has become one of the most commonly used vectors for ransomware deployment.\r\nDeployment of the BazarLoader malware typically comes from phishing email and contains the following:\r\nPhishing emails are typically delivered by commercial mass email delivery services. 
Email received by a\r\nvictim will contain a link to an actor-controlled Google Drive document or other free online file-hosting\r\nsolution, typically purporting to be a PDF file.\r\nThis document usually references a failure to create a preview of the document and contains a link to a\r\nURL hosting a malware payload in the form of a misnamed or multiple-extension file.\r\nEmails can appear as routine, legitimate business correspondence about customer complaints, hiring\r\ndecisions, or other important tasks that require the attention of the recipient.\r\nSome email communications have included the recipient’s name or employer name in the subject line\r\nand/or email body.\r\nThrough phishing emails linking users to Google Documents, actors used the below identified file names to install\r\nBazarLoader:\r\nReport-Review26-10.exe\r\nReview_Report15-10.exe\r\nDocument_Print.exe\r\nReport10-13.exe\r\nText_Report.exe\r\nBazar activity can be identified by searching the system startup folders and Userinit values under the\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon registry key:\r\n%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobe.lnk\r\nFor a comprehensive list of indicators of compromise regarding BazarLoader and other malware, see\r\nhttps://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html.\r\nIndicators\r\nIn addition to TrickBot and BazarLoader, threat actors are using malware, such as KEGTAP, BEERBOT,\r\nSINGLEMALT, and others as they continue to change tactics, techniques, and procedures in their highly dynamic\r\ncampaign. 
The following C2 servers are known to be associated with this malicious activity.\r\n45[.]148[.]10[.]92\r\n170[.]238[.]117[.]187\r\n177[.]74[.]232[.]124\r\n185[.]68[.]93[.]17\r\n203[.]176[.]135[.]102\r\n96[.]9[.]73[.]73\r\n96[.]9[.]77[.]142\r\n37[.]187[.]3[.]176\r\n45[.]89[.]127[.]92\r\n62[.]108[.]35[.]103\r\n91[.]200[.]103[.]242\r\n103[.]84[.]238[.]3\r\n36[.]89[.]106[.]69\r\n103[.]76[.]169[.]213\r\n36[.]91[.]87[.]227\r\n105[.]163[.]17[.]83\r\n185[.]117[.]73[.]163\r\n5[.]2[.]78[.]118\r\n185[.]90[.]61[.]69\r\n185[.]90[.]61[.]62\r\n86[.]104[.]194[.]30\r\n31[.]131[.]21[.]184\r\n46[.]28[.]64[.]8\r\n104[.]161[.]32[.]111\r\n107[.]172[.]140[.]171\r\n131[.]153[.]22[.]148\r\n195[.]123[.]240[.]219\r\n195[.]123[.]242[.]119\r\n195[.]123[.]242[.]120\r\n51[.]81[.]113[.]25\r\n74[.]222[.]14[.]27\r\nRyuk Ransomware\r\nTypically Ryuk has been deployed as a payload from banking Trojans such as TrickBot. (See the United Kingdom\r\n(UK) National Cyber Security Centre (NCSC) advisory, Ryuk Ransomware Targeting Organisations Globally, on\r\ntheir ongoing investigation into global Ryuk ransomware campaigns and associated Emotet and TrickBot\r\nmalware.) Ryuk first appeared in August 2018 as a derivative of Hermes 2.1 ransomware, which first emerged in\r\nlate 2017 and was available for sale on the open market as of August 2018. Ryuk still retains some aspects of the\r\nHermes code. For example, all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, the\r\nfiles have .ryk added to the filename, while others do not. In other parts of the ransomware code, Ryuk has\r\nremoved or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems.\r\nWhile navigating the victim network, Ryuk actors will commonly use commercial off-the-shelf products—such\r\nas Cobalt Strike and PowerShell Empire—in order to steal credentials. 
Both frameworks are robust, dual-use tools that allow actors to dump clear-text passwords or hash values from memory\r\nwith Mimikatz and to inject malicious dynamic-link libraries (DLLs) into memory with read,\r\nwrite, and execute permissions. In order to maintain persistence in the victim environment, Ryuk actors have been\r\nknown to use scheduled tasks and service creation.\r\nRyuk actors will quickly map the network in order to enumerate the environment and understand the scope of the\r\ninfection. In order to limit suspicious activity and possible detection, the actors choose to live off the land and, if\r\npossible, use native tools—such as net view, net computers, and ping—to locate mapped network shares, domain\r\ncontrollers, and Active Directory. In order to move laterally throughout the network, the group relies on native\r\ntools, such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), and\r\nRemote Desktop Protocol (RDP). The group also uses third-party tools, such as BloodHound.\r\nOnce dropped, Ryuk uses AES-256 to encrypt files and an RSA public key to encrypt each AES key. The Ryuk\r\ndropper drops a .bat file that attempts to delete all backup files and Volume Shadow Copies (automatic backup\r\nsnapshots made by Windows), preventing the victim from recovering encrypted files without the decryption\r\nprogram.\r\nIn addition, the attackers will attempt to shut down or uninstall security applications on the victim systems that\r\nmight prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are\r\ncapable of manually removing the applications that could stop the attack. The RyukReadMe file placed on the\r\nsystem after encryption provides either one or two email addresses, using the end-to-end encrypted email\r\nprovider Protonmail, through which the victim can contact the attacker(s). 
While earlier versions provide a ransom\r\namount in the initial notifications, Ryuk users are now designating a ransom amount only after the victim makes\r\ncontact.\r\nThe victim is told how much to pay to a specified Bitcoin wallet for the decryptor and is provided a sample\r\ndecryption of two files.\r\nInitial testing indicates that the RyukReadMe file does not need to be present for the decryption script to run\r\nsuccessfully, but other reporting advises some files will not decrypt properly without it. Even if run correctly, there\r\nis no guarantee the decryptor will be effective. This is further complicated because the RyukReadMe file is deleted\r\nwhen the script is finished, which may affect the decryption script unless the file is saved and stored in a different\r\nlocation before running.\r\nAccording to MITRE, Ryuk uses the ATT\u0026CK techniques listed in Table 1.\r\nTable 1: Ryuk ATT\u0026CK techniques\r\nTechnique | Use\r\nSystem Network Configuration Discovery [T1016] | Ryuk has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol entries.\r\nMasquerading: Match Legitimate Name or Location [T1036.005] | Ryuk has constructed legitimate-appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\\Users\\Public.\r\nProcess Injection [T1055] | Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.\r\nProcess Discovery [T1057] | Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.\r\nCommand and Scripting Interpreter: Windows Command Shell [T1059.003] | Ryuk has used cmd.exe to create a Registry entry to establish persistence.\r\nFile and Directory Discovery [T1083] | Ryuk has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type.\r\nNative API [T1106] | Ryuk has used multiple native APIs, including ShellExecuteW to run executables; GetWindowsDirectoryW to create folders; and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.\r\nAccess Token Manipulation [T1134] | Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.\r\nData Encrypted for Impact [T1486] | Ryuk has used a combination of symmetric and asymmetric encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.\r\nService Stop [T1489] | Ryuk has called kill.bat for stopping services, disabling services, and killing processes.\r\nInhibit System Recovery [T1490] | Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] | Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence.\r\nImpair Defenses: Disable or Modify Tools [T1562.001] | Ryuk has stopped services related to anti-virus.\r\nMitigations\r\nFor a downloadable copy of IOCs, see AA20-302A.stix. 
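A process-creation matcher for the behaviours in Table 1, written here as an added example; it is not code from this advisory, from CISA, or from MITRE. It covers the vssadmin shadow-copy commands (T1490), Run-key creation from the command line (T1547.001), kill.bat service stops (T1489), and the timeout/del and Start-Sleep/Remove-Item self-deletion commands from the TrickBot section, which the advisory does not map to a technique. The T1070.004 label for those, the net stop and taskkill patterns, the event field names (image, cmdline), and every sample event are assumptions made for this example; map the fields onto your EDR or Sysmon Event ID 1 schema before use.

```python
import re

BS = chr(92)  # one backslash, used to build Windows paths and registry keys in the samples

def basename(path):
    # Normalise both separators, then take the last path element, lower-cased.
    return path.replace(BS, '/').rsplit('/', 1)[-1].lower()

def _rule(technique, name, images, pattern):
    return {'technique': technique, 'name': name, 'images': frozenset(images),
            'pattern': re.compile(pattern, re.IGNORECASE)}

RULES = [
    # T1490: vssadmin Delete Shadows /all /quiet and vssadmin resize shadowstorage
    _rule('T1490', 'shadow_copy_tamper', {'vssadmin.exe'},
          r'delete[ ]+shadows|resize[ ]+shadowstorage'),
    # T1547.001: Run key written from the command line; the dot between the two key
    # parts matches whatever separator the logging pipeline left in place.
    _rule('T1547.001', 'run_key_persistence', {'reg.exe', 'cmd.exe'},
          r'reg(?:[.]exe)?[ ]+add[ ].*currentversion.run'),
    # T1489: kill.bat stopping services; net stop and taskkill /f are an assumption.
    _rule('T1489', 'service_stop', {'cmd.exe', 'net.exe', 'taskkill.exe'},
          r'kill[.]bat|net[ ]+stop[ ]|taskkill[ ].*/f'),
    # Self-deletion commands from the TrickBot section; the T1070.004 (File Deletion)
    # mapping is added here, the advisory gives none.
    _rule('T1070.004', 'delayed_self_delete', {'cmd.exe', 'powershell.exe'},
          r'timeout[ ]+[0-9]+[ ]*&&[ ]*del[ ]|start-sleep[ ]+[0-9]+;[ ]*remove-item[ ]'),
]

def match_event(event):
    # Return every (technique, rule name) pair that fires on one process-creation event.
    image = basename(event['image'])
    return [(r['technique'], r['name']) for r in RULES
            if image in r['images'] and r['pattern'].search(event['cmdline'])]

def scan(events):
    # Run all rules over a list of events, keeping the event index of each hit for triage.
    hits = []
    for idx, ev in enumerate(events):
        for technique, name in match_event(ev):
            hits.append({'index': idx, 'technique': technique, 'rule': name,
                         'image': basename(ev['image'])})
    return hits

# Constructed sample events (not real telemetry); paths mirror the advisory's examples.
SYS32 = 'C:' + BS + 'Windows' + BS + 'System32' + BS
RUN_KEY = BS.join(('HKCU', 'SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'Run'))
SAMPLE_EVENTS = [
    {'image': SYS32 + 'vssadmin.exe',
     'cmdline': 'vssadmin Delete Shadows /all /quiet'},
    {'image': SYS32 + 'vssadmin.exe',
     'cmdline': 'vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB'},
    {'image': SYS32 + 'cmd.exe',
     'cmdline': 'cmd.exe /c reg add ' + RUN_KEY + ' /v svchos /t REG_SZ /d C:'
                + BS + 'Users' + BS + 'Public' + BS + 'svchos.exe'},
    {'image': SYS32 + 'cmd.exe',
     'cmdline': 'cmd.exe /c timeout 3 && del C:' + BS + 'Users' + BS + 'jdoe' + BS + 'mfjdieks.exe'},
    {'image': SYS32 + 'cmd.exe', 'cmdline': 'cmd.exe /c kill.bat'},
    {'image': SYS32 + 'WindowsPowerShell' + BS + 'v1.0' + BS + 'powershell.exe',
     'cmdline': 'PowerShell Start-Sleep 3; Remove-Item C:' + BS + 'Users' + BS + 'jdoe' + BS + 'mfjdieks.exe'},
    {'image': SYS32 + 'vssadmin.exe', 'cmdline': 'vssadmin list shadows'},   # benign
    {'image': SYS32 + 'notepad.exe', 'cmdline': 'notepad.exe notes.txt'},     # benign
]
```

scan(SAMPLE_EVENTS) flags the first six events and leaves the two benign ones alone. Keying each rule on the image name as well as the command line keeps the patterns short without letting an unrelated binary that merely mentions vssadmin in an argument trigger the T1490 rule.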
For additional IOCs detailing this activity, see\r\nhttps://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456.\r\nPlans and Policies\r\nCISA, FBI, and HHS encourage HPH Sector organizations to maintain business continuity plans—the practice of\r\nexecuting essential functions through emergencies (e.g., cyberattacks)—to minimize service interruptions.\r\nWithout planning, provision, and implementation of continuity principles, organizations may be unable to\r\ncontinue operations. Evaluating continuity and capability will help identify continuity gaps. Through identifying\r\nand addressing these gaps, organizations can establish a viable continuity program that will help keep them\r\nfunctioning during cyberattacks or other emergencies. CISA, FBI, and HHS suggest HPH Sector organizations\r\nreview or establish patching plans, security policies, user agreements, and business continuity plans to ensure they\r\naddress current threats posed by malicious cyber actors.\r\nNetwork Best Practices\r\nPatch operating systems, software, and firmware as soon as manufacturers release updates.\r\nCheck configurations for every operating system version for HPH organization-owned assets to prevent\r\nissues from arising that local users are unable to fix due to having local administration disabled.\r\nRegularly change passwords to network systems and accounts and avoid reusing passwords for different\r\naccounts.\r\nUse multi-factor authentication where possible.\r\nDisable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.\r\nImplement application and remote access allow listing to only allow systems to execute programs known\r\nand permitted by the established security policy.\r\nAudit user accounts with administrative privileges and configure access controls with least privilege in\r\nmind.\r\nAudit logs to ensure new accounts are legitimate.\r\nScan for open or 
listening ports and remediate those that are not needed.\r\nIdentify critical assets such as patient database servers, medical records, and telehealth and telework\r\ninfrastructure; create backups of these systems and house the backups offline from the network.\r\nImplement network segmentation. Sensitive data should not reside on the same server and network\r\nsegment as the email environment.\r\nSet antivirus and anti-malware solutions to automatically update; conduct regular scans.\r\nRansomware Best Practices\r\nCISA, FBI, and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It\r\nmay also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the\r\ndistribution of ransomware, and/or fund illicit activities. In addition to implementing the above network best\r\npractices, the FBI, CISA, and HHS also recommend the following:\r\nRegularly back up data, air gap, and password protect backup copies offline.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and\r\nservers in a physically separate, secure location.\r\nUser Awareness Best Practices\r\nFocus on awareness and training. Because end users are targeted, make employees and stakeholders aware\r\nof the threats—such as ransomware and phishing scams—and how they are delivered. Additionally,\r\nprovide users training on information security principles and techniques as well as overall emerging\r\ncybersecurity risks and vulnerabilities.\r\nEnsure that employees know who to contact when they see suspicious activity or when they believe they\r\nhave been a victim of a cyberattack. 
This will ensure that the proper established mitigation strategy can be\r\nemployed quickly and efficiently.\r\nRecommended Mitigation Measures\r\nSystem administrators who have indicators of a TrickBot network compromise should immediately take steps to\r\nback up and secure sensitive or proprietary data. TrickBot infections may be indicators of an imminent\r\nransomware attack; system administrators should take steps to secure network devices accordingly. Upon evidence\r\nof a TrickBot infection, review DNS logs and use the XOR key 0xB9 to decode XOR-encoded DNS requests\r\nto reveal the presence of anchor_dns, and maintain and provide relevant logs.\r\nGENERAL RANSOMWARE MITIGATIONS — HPH SECTOR\r\nThis section is based on the CISA and Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint\r\nRansomware Guide, which can be found at https://www.cisa.gov/publication/ransomware-guide.\r\nCISA, FBI, and HHS recommend that healthcare organizations implement both ransomware prevention and\r\nransomware response measures immediately.\r\nRansomware Prevention\r\nJoin and Engage with Cybersecurity Organizations\r\nCISA, FBI, and HHS recommend that healthcare organizations take the following initial steps:\r\nJoin a healthcare information sharing organization, H-ISAC:\r\nHealth Information Sharing and Analysis Center (H-ISAC): https://h-isac.org/membership-account/join-h-isac/\r\nSector-based ISACs - National Council of ISACs: https://www.nationalisacs.org/member-isacs\r\nInformation Sharing and Analysis Organization (ISAO) Standards Organization:\r\nhttps://www.isao.org/information-sharing-groups/\r\nEngage with CISA and FBI, as well as HHS—through the HHS Health Sector Cybersecurity Coordination\r\nCenter (HC3)—to build a lasting partnership and collaborate on information sharing, best practices,\r\nassessments, and exercises.\r\nCISA: cisa.gov, 
https://us-cert.cisa.gov/mailing-lists-and-feeds, central@cisa.gov\r\nFBI: ic3.gov, www.fbi.gov/contact-us/field, CyWatch@fbi.gov\r\nHHS/HC3: http://www.hhs.gov/hc3, HC3@HHS.gov\r\nEngaging with the H-ISAC, ISAO, CISA, FBI, and HHS/HC3 will enable your organization to receive critical\r\ninformation and access to services to better manage the risk posed by ransomware and other cyber threats.\r\nFollow Ransomware Best Practices\r\nRefer to the best practices and references below to help manage the risk posed by ransomware and support your\r\norganization’s coordinated and efficient response to a ransomware incident. Apply these practices to the greatest\r\nextent possible based on availability of organizational resources.\r\nIt is critical to maintain offline, encrypted backups of data and to regularly test your backups. Backup\r\nprocedures should be conducted on a regular basis. It is important that backups be maintained offline or in\r\nseparated networks as many ransomware variants attempt to find and delete any accessible backups.\r\nMaintaining offline, current backups is most critical because there is no need to pay a ransom for data that\r\nis readily accessible to your organization.\r\nUse the 3-2-1 rule as a guideline for backup practices. 
The rule states that three copies of all critical\r\ndata are retained on at least two different types of media and at least one of them is stored offline.\r\nMaintain regularly updated “gold images” of critical systems in the event they need to be rebuilt.\r\nThis entails maintaining image “templates” that include a preconfigured operating system (OS) and\r\nassociated software applications that can be quickly deployed to rebuild a system, such as a virtual\r\nmachine or server.\r\nRetain backup hardware to rebuild systems in the event rebuilding the primary system is not\r\npreferred.\r\nHardware that is newer or older than the primary system can present installation or\r\ncompatibility hurdles when rebuilding from images.\r\nEnsure all backup hardware is properly patched.\r\nIn addition to system images, applicable source code or executables should be available (stored with\r\nbackups, escrowed, license agreement to obtain, etc.). It is more efficient to rebuild from system images,\r\nbut some images will not install on different hardware or platforms correctly; having separate access to\r\nneeded software will help in these cases.\r\nCreate, maintain, and exercise a basic cyber incident response plan and associated communications plan\r\nthat includes response and notification procedures for a ransomware incident.\r\nReview available incident response guidance, such as CISA’s Technical Approaches to Uncovering\r\nand Remediating Malicious Activity https://us-cert.cisa.gov/ncas/alerts/aa20-245a.\r\nHelp your organization better organize around cyber incident response.\r\nDevelop a cyber incident response plan.\r\nThe Ransomware Response Checklist, available in the CISA and MS-ISAC Joint Ransomware Guide,\r\nserves as an adaptable, ransomware-specific annex to organizational cyber incident response or disruption\r\nplans.\r\nReview and implement as applicable MITRE’s Medical Device Cybersecurity: Regional Incident\r\nPreparedness and Response Playbook 
(https://www.mitre.org/sites/default/files/publications/pr-18-1550-Medical-Device-Cybersecurity-Playbook.pdf).\r\nDevelop a risk management plan that maps critical health services and care to the necessary information\r\nsystems; this will ensure that the incident response plan will contain the proper triage procedures.\r\nPlan for the possibility of critical information systems being inaccessible for an extended period of time.\r\nThis should include but not be limited to the following:\r\nPrint and properly store/protect hard copies of digital information that would be required for critical\r\npatient healthcare.\r\nPlan for and periodically train staff to handle the re-routing of incoming/existing patients in an\r\nexpedient manner if information systems were to abruptly and unexpectedly become unavailable.\r\nCoordinate the potential for surge support with other healthcare facilities in the greater local area.\r\nThis should include organizational leadership periodically meeting and collaborating with\r\ncounterparts in the greater local area to create/update plans for their facilities to both abruptly send\r\nand receive a significant amount of critical patients for immediate care. 
This may include the\r\nopportunity to re-route healthcare employees (and possibly some equipment) to provide care along\r\nwith additional patients.\r\nConsider the development of a second, air-gapped communications network that can provide a minimum\r\nstandard of backup support for hospital operations if/when the primary network becomes unavailable.\r\nPredefine network segments, IT capabilities and other functionality that can either be quickly separated\r\nfrom the greater network or shut down entirely without impacting operations of the rest of the IT\r\ninfrastructure.\r\nLegacy devices should be identified and inventoried with highest priority and given special consideration\r\nduring a ransomware event.\r\nSee CISA and MS-ISAC's Joint Ransomware Guide for infection vectors including internet-facing\r\nvulnerabilities and misconfigurations; phishing; precursor malware infection; and third parties and\r\nmanaged service providers.\r\nHHS/HC3 tracks ransomware that is targeting the HPH Sector; this information can be found at\r\nhttp://www.hhs.gov/hc3.\r\nHardening Guidance\r\nThe Food and Drug Administration provides multiple guidance documents regarding the hardening of\r\nhealthcare and specifically medical devices found here: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity.\r\nSee CISA and MS-ISAC's Joint Ransomware Guide for additional in-depth hardening guidance.\r\nContact CISA for These No-Cost Resources\r\nInformation sharing with CISA and MS-ISAC (for SLTT organizations) includes bi-directional sharing of\r\nbest practices and network defense information regarding ransomware trends and variants as well as\r\nmalware that is a precursor to ransomware.\r\nPolicy-oriented or technical assessments help organizations understand how they can improve their\r\ndefenses to avoid ransomware infection: 
https://www.cisa.gov/cyber-resource-hub.\r\nAssessments include Vulnerability Scanning and Phishing Campaign Assessment.\r\nCyber exercises evaluate or help develop a cyber incident response plan in the context of a ransomware\r\nincident scenario.\r\nCISA Cybersecurity Advisors (CSAs) advise on best practices and connect you with CISA resources to\r\nmanage cyber risk.\r\nContacts:\r\nSLTT organizations: CyberLiaison_SLTT@cisa.dhs.gov\r\nPrivate sector organizations: CyberLiaison_Industry@cisa.dhs.gov\r\nRansomware Quick References\r\nRansomware: What It Is and What to Do About It (CISA): General ransomware guidance for organizational\r\nleadership and more in-depth information for CISOs and technical staff: https://www.us-cert.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_Document-FINAL.pdf\r\nRansomware (CISA): Introduction to ransomware, notable links to CISA products on protecting networks,\r\nspecific ransomware threats, and other resources: https://www.us-cert.cisa.gov/Ransomware\r\nHHS/HC3: Ransomware that impacts HPH is tracked by the HC3 and can be found at www.hhs.gov/hc3\r\nSecurity Primer – Ransomware (MS-ISAC): Outlines opportunistic and strategic ransomware campaigns,\r\ncommon infection vectors, and best practice recommendations: https://www.cisecurity.org/white-papers/security-primer-ransomware/\r\nRansomware: Facts, Threats, and Countermeasures (MS-ISAC): Facts about ransomware, infection\r\nvectors, ransomware capabilities, and how to mitigate the risk of ransomware infection:\r\nhttps://www.cisecurity.org/blog/ransomware-facts-threats-and-countermeasures/\r\nHHS Ransomware Fact Sheet: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf\r\nNIST Securing Data Integrity White Paper: https://csrc.nist.gov/publications/detail/white-paper/2020/10/01/securing-data-integrity-against-ransomware-attacks/draft\r\nRansomware 
Response Checklist\r\nRemember: Paying the ransom will not ensure your data is decrypted or that your systems or data will no\r\nlonger be compromised. CISA, FBI, and HHS do not recommend paying ransom.\r\nShould your organization be a victim of ransomware, CISA strongly recommends responding by using the\r\nRansomware Response Checklist located in CISA and MS-ISAC's Joint Ransomware Guide, which contains steps\r\nfor detection and analysis as well as containment and eradication.\r\nConsider the Need For Extended Identification or Analysis\r\nIf extended identification or analysis is needed, CISA, HHS/HC3, or federal law enforcement may be interested in\r\nany of the following information that your organization determines it can legally share:\r\nRecovered executable file\r\nCopies of the readme file – DO NOT REMOVE the file or decryption may not be possible\r\nLive memory (RAM) capture from systems with additional signs of compromise (use of exploit toolkits,\r\nRDP activity, additional files found locally)\r\nImages of infected systems with additional signs of compromise (use of exploit toolkits, RDP activity,\r\nadditional files found locally)\r\nMalware samples\r\nNames of any other malware identified on your system\r\nEncrypted file samples\r\nLog files (Windows Event Logs from compromised systems, Firewall logs, etc.)\r\nAny PowerShell scripts found having executed on the systems\r\nAny user accounts created in Active Directory or machines added to the network during the exploitation\r\nEmail addresses used by the attackers and any associated phishing emails\r\nA copy of the ransom note\r\nRansom amount and whether or not the ransom was paid\r\nBitcoin wallets used by the attackers\r\nBitcoin wallets used to pay the ransom (if applicable)\r\nCopies of any communications with attackers\r\nUpon voluntary request, CISA can assist with analysis (e.g., phishing emails, storage media, logs, malware) 
at no\r\ncost to support your organization in understanding the root cause of an incident, even in the event additional\r\nremote assistance is not requested.\r\nCISA – Advanced Malware Analysis Center: https://www.malware.us-cert.gov/MalwareSubmission/pages/submission.jsf\r\nRemote Assistance – Request via Central@cisa.gov\r\nContact Information\r\nCISA, FBI, and HHS recommend identifying and having on hand the following contact information for ready use\r\nshould your organization become a victim of a ransomware incident. Consider contacting these organizations for\r\nmitigation and response assistance or for purposes of notification.\r\nState and Local Response Contacts\r\nIT/IT Security Team – Centralized Cyber Incident Reporting\r\nState and Local Law Enforcement\r\nFusion Center\r\nManaged/Security Service Providers\r\nCyber Insurance\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact\r\nyour local FBI field office at www.fbi.gov/contact-us/field, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)\r\n292-3937 or by email at CyWatch@fbi.gov. When available, please include the following information regarding\r\nthe incident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated point of\r\ncontact. To request incident response resources or technical assistance related to these threats, contact CISA at\r\nCentral@cisa.gov.\r\nAdditionally, see CISA and MS-ISAC's Joint Ransomware Guide for information on contacting—and what to\r\nexpect from contacting—federal asset response and federal threat response contacts.\r\nDisclaimer\r\nThis document is marked TLP:WHITE. Disclosure is not limited. 
Sources may use TLP:WHITE when\r\ninformation carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures\r\nfor public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without\r\nrestriction. For more information on the Traffic Light Protocol, see https://cisa.gov/tlp.\r\nReferences\r\nHealth Industry Cybersecurity Tactical Crisis Response\r\nHHS - Ransomware Spotlight Webinar\r\nHHS - Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients\r\nHHS - Ransomware Briefing\r\nHHS - Aggressive Ransomware Impacts\r\nHHS - Ransomware Fact Sheet\r\nHHS - Cyber Attack Checklist\r\nHHS - Cyber-Attack Response Infographic\r\nNIST - Data Integrity Publication\r\nNIST - Guide for Cybersecurity Event Recovery\r\nNIST - Identifying and Protecting Assets Against Ransomware and Other Destructive Events\r\nNIST - Detecting and Responding to Ransomware and Other Destructive Events\r\nNIST - Recovering from Ransomware and Other Destructive Events\r\nGithub List of IOCs\r\nRevisions\r\nOctober 28, 2020: Initial version\r\nOctober 29, 2020: Updated to include information on Conti, TrickBot, and BazarLoader, including new IOCs and Yara Rules for detection\r\nNovember 2, 2020: Updated FBI link\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa20-302a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa20-302a"
	],
	"report_names": [
		"aa20-302a"
	],
	"threat_actors": [],
	"ts_created_at": 1775446631,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1ab1e71e222d8aa19e11d8bfb0ab5de4e1dc392.pdf",
		"text": "https://archive.orkl.eu/b1ab1e71e222d8aa19e11d8bfb0ab5de4e1dc392.txt",
		"img": "https://archive.orkl.eu/b1ab1e71e222d8aa19e11d8bfb0ab5de4e1dc392.jpg"
	}
}