Ransomware Wave Targets US Hospitals: What We Know So Far

A joint advisory from the CISA, FBI, and HHS warns of an "increased and imminent" threat to US hospitals and healthcare providers.

Kelly Sheridan, Former Senior Editor, Dark Reading

October 29, 2020


This is a developing story and will be updated as we learn new information.

US government agencies have issued a joint security advisory following a series of ransomware attacks against hospitals across the country. The activity follows an increase in ransomware attacks throughout this year as well as recent surges of coronavirus in the United States.

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) claim to have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," the joint advisory states.

"CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their network from these threats," officials say. 

They assess that attackers are targeting the sector with Trickbot malware, which often leads to ransomware deployment, data theft, and disruption of healthcare services. Trickbot's operators have developed new functionality and tools to improve the speed and profitability of their attacks. In 2019, the FBI began to see new Trickbot modules named Anchor, used in attacks on high-profile victims; these attacks frequently involved data exfiltration from networks and point-of-sale devices.

The ransomware in question is reportedly Ryuk, which is typically deployed as a follow-on payload by banking Trojans such as Trickbot. Ryuk first appeared in 2018 and has grown into a widespread threat, targeting oil and gas facilities, financial and military data, and the education sector. Its operators quickly map the network, rely on native tools such as PowerShell, Windows Management Instrumentation (WMI), and Remote Desktop Protocol (RDP) rather than custom malware, and try to uninstall security applications before encrypting.
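That tradecraft (living off the land with PowerShell, WMI and RDP, then disabling security tooling) is what hospital security teams should be hunting for before the encryption stage. As an added illustration, not code from the article, the joint advisory, or any vendor quoted here, the following Python script runs four such detections over constructed Windows-style event lines: PowerShell launched with an encoded command (which it decodes from the UTF-16LE base64 that -EncodedCommand expects), WMI used to create a process on another host, tampering with security products, and a single RDP source logging into several hosts. The key=value log layout, host and user names, event IDs as rendered here, and the security-product keyword list are assumptions made for the example.

```python
"""Added example: detections for living-off-the-land ransomware precursors.
Not from the article or the CISA/FBI/HHS advisory. The log format, hosts,
users and command lines are constructed for illustration."""

import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events. Assumed layout: ISO timestamp, then key=value
# pairs, with the command line double-quoted. Event 4688 = process creation,
# 4624 = logon; logon_type 10 is RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2020-10-27T03:12:41Z host=WS-ER-14 event=4688 user=CORP\\jdoe cmdline="cmd.exe /c whoami"
2020-10-27T03:13:02Z host=WS-ER-14 event=4688 user=CORP\\jdoe cmdline="powershell.exe -nop -w hidden -enc VwByAGkAdABlAC0ASABvAHMAdAAgAGgAaQA="
2020-10-27T03:14:10Z host=WS-ER-14 event=4688 user=CORP\\jdoe cmdline="wmic /node:SRV-FILE-02 process call create cmd.exe"
2020-10-27T03:15:30Z host=SRV-FILE-02 event=4624 user=CORP\\svc-backup logon_type=10 src_ip=10.20.30.40
2020-10-27T03:16:05Z host=SRV-EHR-01 event=4624 user=CORP\\svc-backup logon_type=10 src_ip=10.20.30.40
2020-10-27T03:16:40Z host=SRV-EHR-01 event=4688 user=CORP\\svc-backup cmdline="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
2020-10-27T03:17:00Z host=SRV-EHR-01 event=4688 user=CORP\\svc-backup cmdline="net stop EndpointProtectionSvc"
2020-10-27T08:00:00Z host=WS-ADMIN-01 event=4624 user=CORP\\itadmin logon_type=10 src_ip=10.20.30.5
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# PowerShell with -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# WMI/CIM used to spawn a process (the /node: form targets another host).
WMI_EXEC = re.compile(
    r"(?:wmic(?:\.exe)?\b.*?\bprocess\s+call\s+create|Invoke-WmiMethod|Invoke-CimMethod)", re.I)
# Disabling Defender or stopping/removing a service whose name looks security-related.
# The keyword list is an illustrative assumption; tune it to the products you run.
AV_TAMPER = re.compile(
    r"(?:Set-MpPreference\s+-Disable\w+"
    r"|(?:net|sc)(?:\.exe)?\s+(?:stop|delete|config)\s+\S*(?:defend|sense|antivirus|endpoint|protect)\S*)",
    re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str   # host for process rules, source IP for the RDP rule
    detail: str


def parse_event(line: str) -> dict:
    """Split one constructed log line into a dict of its key=value fields."""
    ts, _, rest = line.partition(" ")
    ev = {"ts": ts}
    for key, val in KV.findall(rest):
        ev[key] = val.strip('"')
    return ev


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of UTF-16LE text; return '' if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan(log_text: str, rdp_fanout_threshold: int = 2) -> list:
    """Run all four detections; RDP fan-out is evaluated after the pass."""
    findings = []
    rdp_targets = defaultdict(set)  # src_ip -> hosts reached over RDP
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        host = ev.get("host", "?")
        cmd = ev.get("cmdline", "")
        if ev.get("event") == "4688":
            m = ENCODED_PS.search(cmd)
            if m:
                decoded = decode_encoded_command(m.group(1)) or m.group(1)
                findings.append(Finding("encoded_powershell", host, decoded))
            if WMI_EXEC.search(cmd):
                findings.append(Finding("wmi_remote_exec", host, cmd))
            if AV_TAMPER.search(cmd):
                findings.append(Finding("security_tool_tamper", host, cmd))
        elif ev.get("event") == "4624" and ev.get("logon_type") == "10":
            rdp_targets[ev.get("src_ip", "?")].add(host)
    for src, hosts in rdp_targets.items():
        if len(hosts) >= rdp_fanout_threshold:
            findings.append(Finding("rdp_fanout", src, ", ".join(sorted(hosts))))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, handy for a quick triage view."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.rule:22} {f.subject:14} {f.detail}")
    print(summarize(scan(SAMPLE_LOG)))
```

On the sample, the encoded PowerShell decodes to a harmless Write-Host, but in a real investigation that decoded string is usually where the download cradle or staging command shows up, so always decode rather than alerting on the flag alone. The RDP rule is deliberately crude (one source reaching two or more hosts); in production you would bound it by time window and exclude known jump hosts, which is why the threshold is a parameter.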

Healthcare was the industry most often targeted by ransomware in October, with a 71% increase in attacks on the sector, Check Point data shows. Ryuk was behind 75% of ransomware attacks targeting healthcare institutions, researchers report, noting that this malware is primarily used in targeted attacks.

Several hospitals and hospital chains have reportedly experienced ransomware attacks in the past week, including three healthcare institutions in upstate New York's St. Lawrence County Health System, and Sky Lakes Medical Center in Klamath Falls, Oregon, the AP reports. The campaign has also affected multiple hospitals in the University of Vermont Health Network, including six in Vermont and New York, according to a late afternoon update on Oct. 29.

The extent of the damage is coming into focus as we learn how many hospitals have been hit. A Trump administration official told CNN several hospitals have been targeted in the past two days alone. While it's still early, these cases may be connected. An investigation is underway.

"We are experiencing the most significant cybersecurity threat we've ever seen in the United States," says Charles Carmakal, Mandiant senior vice president and CTO. He points to Eastern European threat group UNC1878, a financially motivated actor targeting US hospitals and forcing them to relocate patients. "Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline," he adds.

UNC1878 has been "aggressively targeting" the healthcare sector since it reappeared on the threat landscape in September 2020, notes Kimberly Goody, senior manager of analysis at Mandiant threat intelligence.

"We believe that their success in negotiating ransoms from these organizations has resulted in them ramping up targeting of the hospitals and medical centers over the last week," she continues. Mandiant has noticed an uptick in campaigns distributing KEGTAP and other malware families, which give attackers like UNC1878 access to deploy ransomware in quick succession, "sometimes within hours," Goody adds. This underscores the importance of organizations detecting campaigns early on. 

This campaign follows a Sept. 28 ransomware attack against Universal Health Services, unrelated to this activity, that took down the IT network supporting its facilities. Earlier the same month, ransomware targeting a German hospital led to the death of a patient who had to be transported to another facility as a result of the attack.

Incidents such as these illustrate the grave potential consequences of cybercrime.

"Attackers are getting more brazen with ransomware attacks, seemingly caring less about grinding operations to a halt in critical industries," says Kevin Breen, director of cyber-threat research for Immersive Labs. With hospitals bearing the brunt of the COVID-19 pandemic, the timing of this ransomware campaign "is about as cynical and malicious as it gets."

How Hospitals Should Prepare
The two most critical things hospitals can do to prevent a ransomware attack are to ensure systems are up to date with patches and to make employees aware of email-, voice-, and text message-based phishing attacks, says Unisys CISO Mat Newfield.

As this threat continues to grow, however, hospitals should also prepare to act.

"Understanding that exploitation is inevitable will allow security leaders to put tools and programs in place to not focus on prevention but on rapid response instead," he explains. 

Tom Kellermann, head of cybersecurity strategy at VMware's Carbon Black, recommends that hospitals and healthcare providers rehearse IT lockdown protocols, prepare to maintain continuity of operations if attacked, review incident plans within the next 24 hours, power down IT systems when not in use, and know how to contact federal authorities.

"Ensure backup of medical records, including electronic records. … Have a hard copy or remote backup or both," he says.

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
