In a joint alert issued Wednesday, the FBI, HHS, and the Cybersecurity and Infrastructure Security Agency (CISA) warned that cybercriminals are unleashing major ransomware attacks against hospitals in the United States.
According to a study by Check Point, ransomware attempts increased 50% over the last three months of the first half of 2020, with the health care industry being the hardest hit. Ransomware attacks at health care organizations have increased from 2.3% of organizations in the second quarter to 4% in the third quarter, USA Today reports.
Typical ransomware attacks will demand several hundred thousand dollars, with some even demanding as much as $5 million, to unscramble hospitals' data, according to Check Point's study. Hospitals tend to be a major target of cybercriminals because they are more willing to pay than other businesses, as hospitals aren't able to shut down for long without affecting patient care, USA Today reports.
Task force issues alert to 'provide warning'
In the warning issued Wednesday, the joint task force said it has "credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers," with cybercriminal groups attacking health care groups to steal data and disrupt health care services. The task force added that it was "sharing this information to provide warning to health care providers to ensure that they take timely and reasonable precautions to protect their networks from these threats."
The task force disclosed that the strain of ransomware being used in the attacks is called Ryuk, which infects computers via Trickbot malware. According to Tom Burt, Microsoft's corporate VP for customer services, Ryuk is a type of crypto-ransomware that encrypts network files and disables Windows System Restore so as to prevent people from recovering the targeted files without using external backups.
The task force said at least five hospitals have been hit by these attacks so far this week, including three hospitals within New York's St. Lawrence Health System and Oregon-based Sky Lakes Medical Center.
Healthcare IT News reports that St. Lawrence in a release said the hospitals affected "are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively."
Meanwhile, Sky Lakes in a Facebook post said its "computer systems have been compromised" but that it had no reason to believe "that patient information has been compromised."
'The biggest thing we've ever seen'
Alex Holden, CEO of Hold Security, who has been tracking the ransomware in question for more than a year, said he first alerted federal law enforcement about the attacks on Friday, after observing infection attempts at several hospitals. Holden said the criminals, who are demanding ransoms of $10 million or more per target, were talking about plans to infect more than 400 hospitals, clinics, and other health care organizations.
"One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems," Holden said. "They are hitting where it hurts even more and they know it."
Separately, Charles Carmakal, SVP and chief technical officer of Mandiant, said, "We are experiencing the most significant cybersecurity threat we've ever seen in the United States." He specified that the gang in question, a Russian-speaking group called UNC1878, "is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other health care providers. Patients may experience prolonged wait time to receive critical care."
Allan Liska, an intelligence analyst for Recorded Future, said his firm is aware of at least six attacks in the last 24 hours, and that he suspects "there are probably more." According to Liska, the ransomware attacks are "absolutely the biggest thing we've ever seen. In terms of ransomware, it's the biggest attack we've ever seen," adding that it's "crushing to see so many hospitals hit at the same time."
Chris Krebs, director of CISA, said hospitals should have their "shields up" and assume ransomware "is inside the house. Executives—be ready to activate business continuity and disaster recovery plans. IT sec teams—patch, MFA, check logs, make sure you have a good backup point" (James, USA Today, 10/28; Bajak, Associated Press, 10/29; Salama et al., CNN, 10/29; Miliard, Healthcare IT News, 10/28).