
Attacks/Breaches

10/29/2020
02:45 PM

Ransomware Wave Targets US Hospitals: What We Know So Far

A joint advisory from the CISA, FBI, and HHS warns of an "increased and imminent" threat to US hospitals and healthcare providers.

This is a developing story and will be updated as we learn new information.

US government agencies have issued a joint security advisory following a series of ransomware attacks against hospitals across the country. The activity follows an increase in ransomware attacks throughout this year as well as recent surges of coronavirus in the United States.


The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) claim to have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," the joint advisory states.

"CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their network from these threats," officials say. 

They assess attackers are targeting the sector with Trickbot malware, which often leads to ransomware, data theft, and disruption of healthcare services. Trickbot's operators have developed new functionality and tools to improve the speed and profitability of their attacks. In 2019, the FBI began to see new Trickbot modules named Anchor, often used in attacks on high-profile victims; these attacks often involved data exfiltration from networks and point-of-sale devices.

The ransomware in question is reportedly Ryuk, which is typically deployed as a payload from banking Trojans such as Trickbot. Ryuk first appeared in 2018 and has grown into a widespread threat, targeting oil and gas facilities, financial and military data, and the education sector. Its attackers quickly map the network, rely on native tools such as PowerShell, Windows Management Instrumentation, and Remote Desktop Protocol, and try to uninstall security applications. 

Healthcare was the industry most often targeted by ransomware in October, with a 71% increase in attacks targeting the sector, Check Point data shows. Ryuk was behind 75% of ransomware attacks targeting healthcare institutions, researchers report, noting this malware is primarily used in targeted attacks. 

Several hospitals and hospital chains have reportedly experienced ransomware attacks in the past week, including three healthcare institutions in upstate New York's St. Lawrence County Health System, and Sky Lakes Medical Center in Klamath Falls, Oregon, the AP reports. This incident has affected multiple hospitals in the University of Vermont Health Network, including six in Vermont and New York, according to a late afternoon update on Oct. 29.

The extent of the damage is coming into focus as we learn how many hospitals have been hit. A Trump administration official told CNN several hospitals have been targeted in the past two days alone. While it's still early, these cases may be connected. An investigation is underway.

"We are experiencing the most significant cybersecurity threat we've ever seen in the United States," says Charles Carmakal, Mandiant senior vice president and CTO. He points to Eastern European threat group UNC1878, a financially motivated actor targeting US hospitals and forcing them to relocate patients. "Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline," he adds.

UNC1878 has been "aggressively targeting" the healthcare sector since it reappeared on the threat landscape in September 2020, notes Kimberly Goody, senior manager of analysis at Mandiant threat intelligence. 

"We believe that their success in negotiating ransoms from these organizations has resulted in them ramping up targeting of the hospitals and medical centers over the last week," she continues. Mandiant has noticed an uptick in campaigns distributing KEGTAP and other malware families, which give attackers like UNC1878 access to deploy ransomware in quick succession, "sometimes within hours," Goody adds. This underscores the importance of organizations detecting campaigns early on. 

This attack follows a Sept. 28 ransomware attack against Universal Health Services, unrelated to this campaign, that took down the IT network supporting its facilities. Earlier the same month, ransomware targeting a German hospital led to the death of a patient who had to be transported to another facility as a result of the attack.

Incidents such as these illustrate the grave potential consequences of cybercrime.

"Attackers are getting more brazen with ransomware attacks, seemingly caring less about grinding operations to a halt in critical industries," says Kevin Breen, director of cyber-threat research for Immersive Labs. With hospitals bearing the brunt of the COVID-19 pandemic, the timing of this ransomware campaign "is about as cynical and malicious as it gets."

How Hospitals Should Prepare
The two most critical things hospitals can do to prevent a ransomware attack are to ensure systems are up to date with patches and that employees are aware of email-, voice-, and text message-based phishing attacks, says Unisys CISO Mat Newfield.

As this threat continues to grow, however, hospitals should also prepare to act.

"Understanding that exploitation is inevitable will allow security leaders to put tools and programs in place to not focus on prevention but on rapid response instead," he explains. 

Tom Kellermann, head of cybersecurity strategy at VMware's Carbon Black, recommends hospitals and healthcare providers rehearse IT lockdown and protocol, prepare to maintain continuity of operations if attacked, review plans within the next 24 hours in case of an incident, power down IT when not in use, and know how to contact federal authorities.

"Ensure backup of medical records, including electronic records. … Have a hard copy or remote backup or both," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...