Ransomware Wave Targets US Hospitals: What We Know So Far

A joint advisory from the CISA, FBI, and HHS warns of an "increased and imminent" threat to US hospitals and healthcare providers.

This is a developing story and will be updated as we learn new information.

US government agencies have issued a joint security advisory following a series of ransomware attacks against hospitals across the country. The activity follows an increase in ransomware attacks throughout this year as well as recent surges of coronavirus in the United States.


The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) claim to have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," the joint advisory states.

"CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their network from these threats," officials say. 

They assess attackers are targeting the sector with Trickbot malware, which often leads to ransomware, data theft, and disruption of healthcare services. Trickbot's operators have developed new functionality and tools to improve the speed and profitability of their attacks. In 2019, the FBI began to see new Trickbot modules named Anchor, often used in attacks on high-profile victims; these attacks often involved data exfiltration from networks and point-of-sale devices.

The ransomware in question is reportedly Ryuk, which is typically deployed as a payload from banking Trojans such as Trickbot. Ryuk first appeared in 2018 and has grown into a widespread threat, targeting oil and gas facilities, financial and military data, and the education sector. Its attackers quickly map the network, rely on native tools such as PowerShell, Windows Management Instrumentation, and Remote Desktop Protocol, and try to uninstall security applications. 

Healthcare was the industry most often targeted by ransomware in October, with a 71% increase in attacks targeting the sector, Check Point data shows. Ryuk was behind 75% of ransomware attacks targeting healthcare institutions, researchers report, noting this malware is primarily used in targeted attacks. 

Several hospitals and hospital chains have reportedly experienced ransomware attacks in the past week, including three healthcare institutions in upstate New York's St. Lawrence County Health System, and Sky Lakes Medical Center in Klamath Falls, Oregon, the AP reports. This incident has affected multiple hospitals in the University of Vermont Health Network, including six in Vermont and New York, according to a late afternoon update on Oct. 29.

The extent of the damage is coming into focus as we learn how many hospitals have been hit. A Trump administration official told CNN several hospitals have been targeted in the past two days alone. While it's still early, these cases may be connected. An investigation is underway.

"We are experiencing the most significant cybersecurity threat we've ever seen in the United States," says Charles Carmakal, Mandiant senior vice president and CTO. He points to Eastern European threat group UNC1878, a financially motivated actor targeting US hospitals and forcing them to relocate patients. "Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline," he adds.

UNC1878 has been "aggressively targeting" the healthcare sector since it reappeared on the threat landscape in September 2020, notes Kimberly Goody, senior manager of analysis at Mandiant threat intelligence. 

"We believe that their success in negotiating ransoms from these organizations has resulted in them ramping up targeting of the hospitals and medical centers over the last week," she continues. Mandiant has noticed an uptick in campaigns distributing KEGTAP and other malware families, which give attackers like UNC1878 access to deploy ransomware in quick succession, "sometimes within hours," Goody adds. This underscores the importance of organizations detecting campaigns early on. 

This attack follows a Sept. 28 ransomware attack against Universal Health Services, unrelated to this campaign, that took down the IT network that supports its facilities. Earlier the same month, ransomware targeting a German hospital led to the death of a patient who had to be transported to another facility as a result of the attack.

Incidents such as these illustrate the grave potential consequences of cybercrime.

"Attackers are getting more brazen with ransomware attacks, seemingly caring less about grinding operations to a halt in critical industries," says Kevin Breen, director of cyber-threat research for Immersive Labs. With hospitals bearing the brunt of the COVID-19 pandemic, the timing of this ransomware campaign "is about as cynical and malicious as it gets."

How Hospitals Should Prepare
The two most critical things hospitals can do to prevent a ransomware attack are to ensure systems are up to date with patches and that employees are aware of email-, voice-, and text message-based phishing attacks, says Unisys CISO Mat Newfield.

As this threat continues to grow, however, hospitals should also prepare to act.

"Understanding that exploitation is inevitable will allow security leaders to put tools and programs in place to not focus on prevention but on rapid response instead," he explains. 

Tom Kellermann, head of cybersecurity strategy at VMware's Carbon Black, recommends hospitals and healthcare providers rehearse IT lockdown and protocol, prepare to maintain continuity of operations if attacked, review plans within the next 24 hours in case of an incident, power down IT when not in use, and know how to contact federal authorities.

"Ensure backup of medical records, including electronic records. … Have a hard copy or remote backup or both," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
