A fresh wave of ransomware attacks has struck almost two dozen United States hospitals and health care organizations in recent weeks, just as Covid-19 cases spike across the US. According to US intelligence agencies and cybersecurity professionals, the situation could soon become much worse.
On Wednesday evening, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services warned that there is “an increased and imminent cybercrime threat to US hospitals and health care providers,” above and beyond the wave of attacks that have already occurred. The alert points to the notorious Trickbot trojan and Ryuk ransomware as the primary hacking tools involved in the attacks. Security analysts at private companies say that the activity is tied to the Russian criminal gang sometimes called UNC 1878 or Wizard Spider.
“I can’t think of any that rivals this in terms of danger to the public.”
John Hultquist, FireEye
Ransomware actors have for years targeted hospitals because locking up a health care organization’s digital systems can threaten patient care and create maximum urgency to pay up and recover. More recently, both the rate of infections against the industry and the demands themselves have exploded; antivirus firm Emsisoft found that the average ransomware ask has increased from about $5,000 in 2018 to about $200,000 this year, with multimillion-dollar demands becoming increasingly common. Last month, the provider Universal Health Services was hit with a Ryuk attack that rippled through its 250 US hospitals and clinics, crippling digital services and impacting facilities around the country.
Even so, the current spree of infections marks an alarming shift in how aggressive financially motivated ransomware groups have become, and how far they’re willing to go.
“This is to me the most significant cyber threat that we’ve experienced in the US to date,” says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant, which is owned by FireEye. “There is a moral line that every person, just as a human being, recognizes exists—when you do something knowing that you are potentially impacting somebody’s life you’ve crossed the line. So there’s a very clear crossing of the line by this threat actor. This group is incredibly brazen, heartless, relentless.”
The attacks may not match the devastation of the Russian government’s critical infrastructure attacks in Ukraine, but they have hobbled victim hospitals around the country, including in California, Oregon, and New York. In many cases, victims have had to reschedule appointments, delay procedures, or refer patients to other facilities to receive timely care.
The US government alert lays out recommendations and best practices for how hospitals can protect themselves, and private firms like Mandiant have been sharing “indicators of compromise” as well, so health care facilities can monitor their systems extra closely and try to head off potential attacks. One major concern is that hundreds of organizations may have already been compromised by attackers, and that ransomware or the means to deploy it is lurking until the hackers decide to trigger it.
New infections could continue as well. Experienced, well-resourced ransomware groups like UNC 1878 can move quickly to deploy ransomware once they compromise a target if they choose to, but there is still generally a window to catch and prevent an attack. And organizations can also be prepared to quickly remediate a successful ransomware attack and get their systems back online through safeguards like backups and tools specially developed to recover from Ryuk. Some firms, like Emsisoft, are offering their services for free right now to health care organizations.
“I have two US customers in the health care industry and it appears they were compromised by a shared administrative interface that was used to deploy malware into these environments,” says Greg Linares, a researcher at the security firm CyberPoint. “Right now we’re working with the teams to minimize this story. That means we got rid of the malware before it deployed versus the story in a week or so that could say 100-plus hospitals got hit by ransomware.”