

10/29/2020
02:45 PM

Ransomware Wave Targets US Hospitals: What We Know So Far

A joint advisory from the CISA, FBI, and HHS warns of an "increased and imminent" threat to US hospitals and healthcare providers.

This is a developing story and will be updated as we learn new information.

US government agencies have issued a joint security advisory following a series of ransomware attacks against hospitals across the country. The activity follows an increase in ransomware attacks throughout this year as well as recent surges of coronavirus in the United States.


The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) say they have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," according to the joint advisory.

"CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their network from these threats," officials say. 

They assess that attackers are targeting the sector with Trickbot malware, which often leads to ransomware, data theft, and disruption of healthcare services. Trickbot's operators have developed new functionality and tools to improve the speed and profitability of their attacks. In 2019, the FBI began to see new Trickbot modules named Anchor, often used in attacks on high-profile victims; these attacks often involved data exfiltration from networks and point-of-sale devices.

The ransomware in question is reportedly Ryuk, which is typically deployed as a payload from banking Trojans such as Trickbot. Ryuk first appeared in 2018 and has grown into a widespread threat, targeting oil and gas facilities, financial and military data, and the education sector. Its attackers quickly map the network, rely on native tools such as PowerShell, Windows Management Instrumentation, and Remote Desktop Protocol, and try to uninstall security applications. 
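The living-off-the-land behaviour described above (PowerShell, WMI, RDP, and tampering with security software) is what defenders can look for in host telemetry before Ryuk is actually deployed. The script below is an added example, not code from the article, CISA, or Mandiant: it runs a few heuristic rules over constructed Sysmon process-creation (EventID 1) and Windows Security logon (EventID 4624) records in JSON-lines form. The field names follow common Sysmon/Security log conventions, the sample events and the list of security-service names are assumptions made for the example, and the thresholds are illustrative rather than tuned.

```python
"""Heuristic detection of Ryuk-style living-off-the-land activity.

Added example (not from the article, CISA or Mandiant). Scans constructed
Sysmon EventID 1 and Windows Security EventID 4624 records for the
behaviours the advisory describes: WMI-spawned processes, encoded or hidden
PowerShell, RDP logons, and attempts to stop or uninstall security software.
"""
import json
import re

# Constructed sample telemetry in JSON-lines form (assumed field names).
SAMPLE_JSONL = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "net stop WinDefend"}
{"EventID": 1, "Computer": "SRV02", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "wmic product where \"name like '%Antivirus%'\" call uninstall /nointeractive"}
{"EventID": 4624, "Computer": "SRV02", "LogonType": 10, "IpAddress": "10.0.5.23", "TargetUserName": "svc_backup"}
{"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
"""

# Service names an attacker would stop before dropping ransomware
# (Defender, Defender ATP sensor, Windows Firewall); assumed list.
SECURITY_SERVICES = {"windefend", "sense", "mssense", "wdnissvc", "mpssvc"}

ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
HIDDEN_PS = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
WMI_PARENT = re.compile(r"(?i)\\wmiprvse\.exe$")
STOP_SERVICE = re.compile(
    r"(?i)\b(?:net1?\s+stop|sc(?:\.exe)?\s+(?:stop|delete|config))\s+(?P<svc>\S+)")
AV_UNINSTALL = re.compile(
    r"(?i)wmic.*product.*call\s+uninstall|msiexec.*/x.*(?:antivirus|endpoint|defender)")


def load_events(jsonl):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def detect(event):
    """Return a list of (rule, detail) findings for a single event."""
    findings = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if WMI_PARENT.search(event.get("ParentImage", "")):
            findings.append(("wmi_remote_exec", f"child of WmiPrvSE: {event.get('Image')}"))
        if ENCODED_PS.search(cmd) or HIDDEN_PS.search(cmd):
            findings.append(("suspicious_powershell", cmd))
        m = STOP_SERVICE.search(cmd)
        if m and m.group("svc").lower() in SECURITY_SERVICES:
            findings.append(("security_service_tampering", cmd))
        if AV_UNINSTALL.search(cmd):
            findings.append(("security_product_uninstall", cmd))
    elif event.get("EventID") == 4624 and event.get("LogonType") == 10:
        findings.append(("rdp_logon",
                         f"{event.get('TargetUserName')} from {event.get('IpAddress')}"))
    return findings


def triage(events):
    """Group findings per host; escalate hosts hitting two or more distinct rules."""
    per_host = {}
    for ev in events:
        for rule, detail in detect(ev):
            per_host.setdefault(ev["Computer"], []).append((rule, detail))
    escalate = sorted(h for h, hits in per_host.items() if len({r for r, _ in hits}) >= 2)
    return per_host, escalate


EVENTS = load_events(SAMPLE_JSONL)

if __name__ == "__main__":
    hosts, urgent = triage(EVENTS)
    for host, hits in hosts.items():
        for rule, detail in hits:
            print(f"{host}: {rule}: {detail}")
    print("escalate:", urgent)
```

In the sample data WS01 trips three rules (a WMI-spawned hidden, encoded PowerShell and a `net stop WinDefend`) and SRV02 trips two (a WMIC product uninstall and an RDP logon), so both are escalated while the benign WS03 logon is not. A single RDP logon or stopped service is routine on its own; the point of correlating by host is that the combination, inside a short window, is what the advisory's "hours from access to ransomware" timeline looks like in logs.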

Healthcare was the industry most often targeted by ransomware in October, with a 71% increase in attacks targeting the sector, Check Point data shows. Ryuk was behind 75% of ransomware attacks targeting healthcare institutions, researchers report, noting this malware is primarily used in targeted attacks. 

Several hospitals and hospital chains have reportedly experienced ransomware attacks in the past week, including three healthcare institutions in upstate New York's St. Lawrence County Health System, and Sky Lakes Medical Center in Klamath Falls, Oregon, the AP reports. The attacks have also affected multiple hospitals in the University of Vermont Health Network, including six in Vermont and New York, according to a late afternoon update on Oct. 29.

The extent of the damage is coming into focus as we learn how many hospitals have been hit. A Trump administration official told CNN several hospitals have been targeted in the past two days alone. While it's still early, these cases may be connected. An investigation is underway.

"We are experiencing the most significant cybersecurity threat we've ever seen in the United States," says Charles Carmakal, Mandiant senior vice president and CTO. He points to Eastern European threat group UNC1878, a financially motivated actor targeting US hospitals and forcing them to relocate patients. "Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline," he adds.

UNC1878 has been "aggressively targeting" the healthcare sector since it reappeared on the threat landscape in September 2020, notes Kimberly Goody, senior manager of analysis at Mandiant threat intelligence. 

"We believe that their success in negotiating ransoms from these organizations has resulted in them ramping up targeting of the hospitals and medical centers over the last week," she continues. Mandiant has noticed an uptick in campaigns distributing KEGTAP and other malware families, which give attackers like UNC1878 access to deploy ransomware in quick succession, "sometimes within hours," Goody adds. This underscores the importance of organizations detecting campaigns early on. 

This attack follows a Sept. 28 ransomware attack against Universal Health Services, unrelated to this campaign, that took down the IT network that supports its facilities. Earlier the same month, ransomware targeting a German hospital led to the death of a patient who had to be transported to another facility as a result of the attack.

Incidents such as these illustrate the grave potential consequences of cybercrime.

"Attackers are getting more brazen with ransomware attacks, seemingly caring less about grinding operations to a halt in critical industries," says Kevin Breen, director of cyber-threat research for Immersive Labs. With hospitals bearing the brunt of the COVID-19 pandemic, the timing of this ransomware campaign "is about as cynical and malicious as it gets."

How Hospitals Should Prepare
The two most critical things hospitals can do to prevent a ransomware attack are to ensure systems are up to date with patches, and to make sure employees are aware of email-, voice-, and text message-based phishing attacks, says Unisys CISO Mat Newfield.

As this threat continues to grow, however, hospitals should also prepare to act.

"Understanding that exploitation is inevitable will allow security leaders to put tools and programs in place to not focus on prevention but on rapid response instead," he explains. 

Tom Kellermann, head of cybersecurity strategy at VMware's Carbon Black, recommends hospitals and healthcare providers rehearse IT lockdown and protocol, prepare to maintain continuity of operations if attacked, review plans within the next 24 hours in case of an incident, power down IT when not in use, and know how to contact federal authorities.

"Ensure backup of medical records, including electronic records. … Have a hard copy or remote backup or both," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...