US Hospitals Targeted in Wave of ‘Coordinated’ Ransomware Attacks

October 29, 2020 Updated: October 29, 2020

Hospitals and health care providers across the United States have been hit this week by a coordinated attack from a ransomware gang that operates from Eastern Europe.

Beginning Oct. 26, six hospitals including facilities in Oregon, California, and New York were targeted in the space of 24 hours by hackers, with some using a type of ransomware known as “Ryuk” that locks up a victim’s computer until a payment is received.

Analysts have said the group likely to be behind the attacks is known as Wizard Spider or UNC1878. They warn that such attacks can disrupt hospital operations and potentially lead to loss of life.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning advisory regarding the targeted attacks on Oct. 28, writing on Twitter that “there is an imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.”

“CISA, FBI, and HHS [the Department of Health and Human Services] have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” the advisory stated. “CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

The federal agencies said hackers were targeting the health care sector, “often leading to ransomware attacks, data theft, and the disruption of health-care services.” The advisory said cybercriminals are using Ryuk ransomware for financial gain.

Ryuk ransomware is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October. While the company has had considerable success knocking Trickbot command-and-control servers offline through legal action, analysts say criminals have still found ways to spread Ryuk.

Security analysts have warned that the targeted attacks could potentially impact hundreds more hospitals nationwide.

Ransomware attacks have increased 50 percent over the past three months, security firm Check Point stated on Oct. 28, with the proportion of polled health care organizations impacted jumping to 4 percent in the third quarter from 2.3 percent in the previous quarter.

In September, all 250 U.S. facilities of hospital chain Universal Health Services were targeted in a ransomware attack, forcing employees to resort to using pen and paper for patient records. Emergency room waits were delayed and wireless vital-signs monitoring equipment failed.

The Pennsylvania-based hospital health care service company was again targeted in this week’s attacks, CNN reported. New York’s St. Lawrence Health Systems and Oregon’s Sky Lakes Medical Center were also hit, resulting in the shutdown of some procedures such as computer-controlled cancer treatments and diagnostic imaging.

Highlighting the dangers of cybercriminal activity, John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, described a ransomware attack that causes a hospital to suspend patient care operations as “akin to a mass-casualty terrorist attack.”

“Like military attacks on hospitals, cyber attacks on hospitals violate all internationally accepted norms of warfare,” he said.

Ransomware has accounted for more than 70 percent of the successful cyberattacks on health care organizations in each of the past two years, Riggi said.

This particular method of cybercrime is being increasingly used by government and terrorist groups “as a way to level the playing field” against more powerful adversaries such as the United States, “which they know they could not defeat in a direct, head to head military confrontation,” Riggi said.

“They know they are at less of a disadvantage by engaging in asymmetrical warfare, using difficult to attribute cyber attacks to achieve their foreign policy, military, and intelligence objectives. Unfortunately, and inexcusably, this sometimes either places hospitals directly in the crosshairs of the U.S.’s cyber adversaries, or makes them become foreseeable collateral damage.”

Reuters and The Associated Press contributed to this report.