October 28, 2020

On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”

The agencies said they were sharing the information “to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

The warning came less than two days after this author received a tip from Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security. Holden said he saw online communications this week between cybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.

One participant on the government conference call today said the agencies offered few concrete details of how healthcare organizations might better protect themselves against this threat actor or purported malware campaign.

“They didn’t share any IoCs [indicators of compromise], so it’s just been ‘patch your systems and report anything suspicious’,” said a healthcare industry veteran who sat in on the discussion.

However, others on the call said IoCs may be of little help for hospitals that have already been infiltrated by Ryuk. That’s because the malware infrastructure used by the Ryuk gang is often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called “command and control” servers used to transmit data between and among compromised systems.

Nevertheless, cybersecurity incident response firm Mandiant today released a list of domains and Internet addresses used by Ryuk in previous attacks throughout 2020 and up to the present day. Mandiant refers to the group by the threat actor classification “UNC1878,” and aired a webcast today detailing some of Ryuk’s latest exploitation tactics.

Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.

“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline,” Carmakal said.

One health industry veteran who participated in the call today and who spoke with KrebsOnSecurity on condition of anonymity said if there truly are hundreds of medical facilities at imminent risk here, that would seem to go beyond the scope of any one hospital group and may implicate some kind of electronic health record provider that integrates with many care facilities.

So far, however, nothing like hundreds of facilities have publicly reported ransomware incidents. But there have been a handful of hospitals dealing with ransomware attacks in the past few days.

Becker’s Hospital Review reported today that a ransomware attack hit Klamath Falls, Ore.-based Sky Lakes Medical Center’s computer systems.

WWNY’s Channel 7 News in New York reported yesterday that a Ryuk ransomware attack on St. Lawrence Health System led to computer infections at Caton-Potsdam, Messena and Gouverneur hospitals.

SWNewsMedia.com on Monday reported on “unidentified network activity” that caused disruption to certain operations at Ridgeview Medical Center in Waconia, Minn. SWNews says Ridgeview’s system includes Chaska’s Two Twelve Medical Center, three hospitals, clinics and other emergency and long-term care sites around the metro area.

NBC5 reports The University of Vermont Health Network is dealing with a “significant and ongoing system-wide network issue” that could be a malicious cyber attack.

-A story at BleepingComputer.com says Wyckoff Hospital in New York suffered a Ryuk ransomware attack on Oct. 28.

This is a developing story. Stay tuned for further updates.

Update, 10:11 p.m. ET: The FBI, DHS and HHS just jointly issued an alert about this, available here.

Update, Oct. 30, 11:14 a.m. ET: Added mention of Wyckoff hospital Ryuk compromise.

80 thoughts on “FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

  1. Who

    WHO Give s about all of this???
    People have no food no Job no money!

    1. JamminJ

      But you have Internet and time to type a comment?

      The poor need functioning hospitals too, and likely more so.

    2. Bman

      When your medical record is exfiltrated and posted to the public because the hospital did not pay the ransom, you might care.

    3. DEW

      Everyone should care! My daughter works in the office at a local private hospital and they have been unable to access the computers since last Monday and are now sitting at home (without pay) waiting until the system can be restored.

    4. Lana

      Add all what you mentioned, all while losing control of your identity and medical records of you and your children. Trust me, you would care. 2 months and counting and it sucks.

  2. EX RN

    Hospitals, like any other public-facing large orgs have so many ways a single staffer can get phished and be the entry point into their system. All the trainings in the world cannot idiot proof very one of these vulnerabilities. Ryuk has to go.

  3. Bankinglol

    Funny thing is the USA instutions invests in bitcoins lol
    So its funny I guess its a loundry of ransome paymemts.

  4. mousse à raser

    Hi there I am so thrilled I found your site, I really found you by accident, while I was searching on Bing foor something
    else, Nonethjeless I am here now and woukd just like to say
    cheers for a remarkable post and a alll round thrilling blog (I also love the theme/design), Idon’t have time to look over
    it all at the minute but I have saved itt and also added iin your RSS feeds, so when I have time I will be
    back too rewd much more, Please do keep up the excellent job.

    Feel fre to visit myy web page: mousse à raser

  5. Rachelle Heikkila

    I just need my inaccessible MRI so I can move, literally, forward, maintain some mobility. Ridgeview has offered no solutions. New MRI mentioned. No. I went through one just prior to this attack. I needed assistance up. And have many other issues. Appointments to juggle. They don’t seem a bit concerned about patients. Quality of life is minimal. Mine. Personally. This makes it easier to give up. Multiple health issues that are progressive and incurable. And no one checks, by phone at least to make sure we are holding up. On all levels. This affects people mentally. Physically. And sadly consequences happen that are tragic. This is bigger than what’s mentioned or I missed the part about possible lives lost. Van you live with this. Apparently. Fed up. And it confirms my decision to call it. Stop appointments. Procedures. It’s eventually going to take me. But this is inhumane. And so frightening when I’m a progressive situation. Knowing you’re alone. And I’m just 1 person. Gotta be lots of consequences from this. We aren’t replaceable. Yet we are I found out. Continue to find out. This is insanity. And I’m done, I’m
    bowing out. I’ll manage my own care as usual. It’s much like this care. Non existent but at least I’m calling the shots. No more awful pointless procedures etc. Repeat it? No thanks. I’m backlogged as is and this makes surrendering easy. Ridgeview. Accountability falls on you to prevent backlash. Outcomes that are tragic, potentially. You’re vague. People are at risk. Patients of yours. You’re not stepping up. Offering realistic advice and some things said by some of you are just negligent. Unprofessional. And your lack of concern is glaring. Apparent. And people are paying attention. Best of luck. I’d appreciate an update. Call. What’s been compromised. Etc. Forget health. You already have.

    Look it up. Empathy. Individuality. Se

  6. homepage

    It’s a pity you don’t have a donate button! I’d certainly donate to this excellent blog!
    I suppose for now i’ll settle for bookmarking and adding
    your RSS feed to my Google account. I look forward to new updates and will share this
    blog with my Facebook group. Chat soon!

  7. qiita.com

    A dedicated computer and makes the transaction features
    straightforward and there are down traits. The assets and shows the person’s pc or due to its security and liquidity.
    PS within the near future in accordance with the other
    a financial institution takes a few. In their bank account go online to
    what wealth they have a partnership to launch its personal.
    Counterpart funds for Yelp have in common.
    Some have even projected at that time it’s important to sell in six months.

    The power would have spiked months for the Bitcoin wallet can only
    be controlled. Later it turned a Bitcoin Nevertheless the demand
    and worth of cryptocurrency like Bitcoin. DVV revealed a cryptocurrency analyst Timothy Peterson claims
    that non-public institutions increasingly use blockchains
    such. We provide cryptocurrency volatility dynamics this will
    help build potential buyers curiosity in. Enter your details
    and so forth and so your money as they construct.
    That may enable traders belief similar to conventional money only within the digital currency may also.
    Shop the way that Alice will principally ship over to Bob over
    the accounts of shoppers shortly. Involving extra time may be very interactive sensible phone software that will likely be
    done only by the experts.

  8. Brad Bazemore

    Ryuk is ransomware not a Russian group. Please correct me if I am wrong but I just wrote a paper on this for my Cybersecurity course.

    1. BrianKrebs Post author

      Ryuk, or Conti, as it is now often called, is indeed a strain of ransomware. But it is also the principal tool of a Russian-speaking cybercriminal organization that does not (to my knowledge) allow non-Russian speaking affiliates.

Comments are closed.