Oct 28, 2020

FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

On Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive Russian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology systems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from the FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare industry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The agencies on the conference call, which included the U.S. Department of Health and Human Services (HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”

The agencies said they were sharing the information “to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”

The warning came less than two days after this author received a tip from Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security. Holden said he saw online communications this week between cybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members discussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.

One participant on the government conference call today said the agencies offered few concrete details of how healthcare organizations might better protect themselves against this threat actor or purported malware campaign.

“They didn’t share any IoCs [indicators of compromise], so it’s just been ‘patch your systems and report anything suspicious’,” said a healthcare industry veteran who sat in on the discussion.

However, others on the call said IoCs may be of little help for hospitals that have already been infiltrated by Ryuk. That’s because the malware infrastructure used by the Ryuk gang is often unique to each victim, including everything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called “command and control” servers used to transmit data between and among compromised systems.

Nevertheless, cybersecurity incident response firm Mandiant today released a list of domains and Internet addresses used by Ryuk in previous attacks throughout 2020 and up to the present day. Mandiant refers to the group by the threat actor classification “UNC1878,” and aired a webcast today detailing some of Ryuk’s latest exploitation tactics.
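How a defender would actually put a domain/IP list like Mandiant's to work is to sweep DNS resolver and proxy logs against it. The script below is an added illustration, not code from KrebsOnSecurity or Mandiant, and the indicator values and log lines in it are constructed placeholders (reserved example names and documentation IP ranges), not the UNC1878 feed; drop the real list into `IOC_DOMAINS` and `IOC_NETWORKS` before running it. It normalizes hostnames (case, trailing dot), matches on label boundaries so `notbad-example.test` does not match `bad-example.test`, and checks destination IPs against CIDR ranges. Because Ryuk infrastructure is often built per victim, a clean sweep is not evidence of absence; a hit, on the other hand, is a host to pull for triage.

```python
"""Sweep proxy/DNS log lines against a domain and IP indicator list.

Added example, not code from the article or from Mandiant. All
indicators and log lines here are CONSTRUCTED placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed indicator set (assumption: the real feed is one domain or
# one IP/CIDR per entry). Reserved names and documentation ranges only.
IOC_DOMAINS = {"bad-example.test", "c2.example.invalid"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.77/32")]

# Constructed sample log, one "<timestamp> <src_ip> <dst_ip> <domain>" per
# line, roughly what a proxy or resolver might emit. "-" means no name.
SAMPLE_LOG = """\
2020-10-28T14:02:11Z 10.1.4.23 198.51.100.9 intranet.hospital.example
2020-10-28T14:02:15Z 10.1.4.23 192.0.2.45 update.bad-example.test
2020-10-28T14:03:01Z 10.1.7.8 203.0.113.77 -
2020-10-28T14:03:40Z 10.1.9.2 198.51.100.12 BAD-EXAMPLE.TEST.
2020-10-28T14:04:05Z 10.1.9.2 198.51.100.13 notbad-example.test
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    reason: str


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot a resolver log may include."""
    return name.strip().lower().rstrip(".")


def domain_matches(name: str) -> bool:
    """True for an exact indicator or any subdomain of one.

    The comparison is on label boundaries: 'notbad-example.test' must not
    match the indicator 'bad-example.test'.
    """
    name = normalize_domain(name)
    return any(name == ioc or name.endswith("." + ioc) for ioc in IOC_DOMAINS)


def ip_matches(addr: str) -> bool:
    """True if addr falls inside any indicator network; non-IPs never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in IOC_NETWORKS)


def sweep(log_text: str) -> List[Hit]:
    """Return one Hit per (line, matching indicator); a line may yield two."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the sweep
        ts, src, dst, domain = m.groups()
        reasons = []
        if domain != "-" and domain_matches(domain):
            reasons.append(f"domain {normalize_domain(domain)}")
        if ip_matches(dst):
            reasons.append(f"ip {dst}")
        hits.extend(Hit(ts, src, r) for r in reasons)
    return hits


def hosts_to_triage(log_text: str) -> List[str]:
    """Distinct internal sources that touched an indicator, sorted."""
    return sorted({h.src for h in sweep(log_text)})


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOG):
        print(h)
    print("hosts to triage:", hosts_to_triage(SAMPLE_LOG))
```

Run against real logs, pipe the sorted host list straight into your ticketing or EDR isolation workflow; the second line of the sample shows why both checks run independently, since that request matches on the hostname and on the destination address.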

Charles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of the most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.

“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline,” Carmakal said.

One health industry veteran who participated in the call today and who spoke with KrebsOnSecurity on condition of anonymity said if there truly are hundreds of medical facilities at imminent risk here, that would seem to go beyond the scope of any one hospital group and may implicate some kind of electronic health record provider that integrates with many care facilities.

So far, however, nothing like hundreds of facilities have publicly reported ransomware incidents. But there have been a handful of hospitals dealing with ransomware attacks in the past few days.

Becker’s Hospital Review reported today that a ransomware attack hit Klamath Falls, Ore.-based Sky Lakes Medical Center’s computer systems.

WWNY’s Channel 7 News in New York reported yesterday that a Ryuk ransomware attack on St. Lawrence Health System led to computer infections at Canton-Potsdam, Massena and Gouverneur hospitals.

SWNewsMedia.com on Monday reported on “unidentified network activity” that caused disruption to certain operations at Ridgeview Medical Center in Waconia, Minn. SWNews says Ridgeview’s system includes Chaska’s Two Twelve Medical Center, three hospitals, clinics and other emergency and long-term care sites around the metro area.

NBC5 reports The University of Vermont Health Network is dealing with a “significant and ongoing system-wide network issue” that could be a malicious cyber attack.

A story at BleepingComputer.com says Wyckoff Hospital in New York suffered a Ryuk ransomware attack on Oct. 28.

This is a developing story. Stay tuned for further updates.

Update, 10:11 p.m. ET: The FBI, DHS and HHS just jointly issued an alert about this, available here.

Update, Oct. 30, 11:14 a.m. ET: Added mention of Wyckoff hospital Ryuk compromise.


80 comments

  1. Thanks for the heads up. Had not seen this news yet.

  2. Just when you thought hackers couldn’t sink to a new low, they attack the most vulnerable. It just shows that no matter what business you are in, hackers will come after you, and security should be a top priority.

  3. Monday was the 26th not 27th 🙂

  4. Karma is a fat and ugly beast.

    • I don’t say this lightly. Rather than wait for Karma, it seems appropriate for the actors responsible for disrupting services at medical centers to be tracked down and taken off the board immediately. If the government where these actors are operating had any principles at all, they would do so. These are terrorists in the true sense of the term.

      • Agreed in principle, but if they’re in Russia, how do you do this? Only with Putin’s cooperation, unfortunately.

        • I don’t know, hire spies to kill them? Russians seem to have no problem doing it to their enemies.

• I’m wondering if we’ve even had a conversation with Putin about it yet? It’s time to get serious.

          • Given that translator notes of meetings and calls between Putin and the US President are no longer being published or even recorded, nobody knows.

            Depending on what politics you follow, you probably think this has been discussed, but precisely how it was worded is what differs. I’ll leave it up to your imagination as to what that is rather than start a category 5 MAGA storm.

  5. Going after hospitals, is this retaliation for what Microsoft and U.S. Cyber Command did to Trickbot operators? Given the global pandemic and the strain healthcare systems are under, shouldn’t U.S. Cyber Command take the lead on this and go after the Ryuk operators?

    Keep up the great work!

  6. Ronald Regans Ghost

    The (Ryuk), they’re doing this because we did this to their criminal merc friends in Syria.
    https://sofrep.com/news/russian-mercenaries-get-destroyed-by-us-military/

    But, like I told Soviet Premier Mikhail Gorbachev back in 1992 while visiting Nancy and myself at Rancho del Cielo. Gorbie, “Don’t mess with us, we’re tired of these games and just want to live in peace. Oh, and by the way, the sky is a very big place and things sometimes fall on one’s head, you should wear a big hat.”

  7. Sonoma Valley Hospital got hit about a week ago, I heard there is a ransom demand. They are a small hospital, I don’t think their IT staff was up to snuff. They have since hired a company to fix and secure their network. They got hit with a double whammy, back in August they had their domain name svh.com stolen by some Chinese hacker crooks. Brian, maybe you can explain how they got away with that one.

  8. Anonymous tip: It’s people within Prime Healthcare doing the ransomware attacks, they committed fraud before, and they are founded from India, so why not launch some cyber attacks and cripple other facilities?

  9. For the love of all that’s good, please get a designer to make this site mobile-friendly. It’s 2020. There’s no excuse for having your website look unreadable on mobiles when literally every WordPress theme these days is responsive. Mobile traffic is now more than half of all traffic.

    • Although the site is perfectly viewable on a mobile, it’s the peerless quality of the content that sets this site apart. That said, I’m sure that Brian would be willing to give you a full pro-rated refund of your subscription until he can hire a team of designers to design something more aesthetically pleasing to you.

    • Reading mode on firefox worked correctly for me.

    • I agree. This site on mobile (phone) has been non-responsive for a long time. I’ve given up trying to read this site on my phone.

      Tons of more responsive WP themes out there, Brian. (I even offered to help – pro-bono – with a redesign when I complained about this maybe a year ago.)

  10. I love these articles and the insight they provide! Keep up the great work Brian!! Unfortunately our multi-hospital network in VT/NY was hit last night. It is shocking to me that we seemingly as a society are behind the Russians and others regarding our ability to protect ourselves. The longer we stay behind the less great of a country we will be as our money flows to the bad actors. I’m sickened to think that we haven’t even touched the surface of what our cyber issues will look like. Everything that technology touches is at risk: political system (voting), media, healthcare, utilities, financials, manufacturing, etc. We need more cyber security minded individuals and better educational systems to get kids and everyone focused on protecting our country. I fear we are too late.

    • We need CxO level officers to devote money to security and take security seriously, not just an afterthought or something getting in the way of their grand vision. Because putting technology in place that can provide adequate controls is far more expensive than they realize. They all might even have to take a (gasp) pay cut to make it happen (no, not the workers, the top level execs). But we also need a workforce who also takes security seriously, who doesn’t blindly click on links to strange sites or attachments emailed to them from an unknown email address (even though it has the name of someone they know, the address almost never lines up). I like watching cat/dog videos as much as anyone but I’m also leery of social media and the disturbing amount of malware shared on them, especially via ad networks.

  11. According to this article, should I sell bitcoins or buy bitcoins?
    Are bitcoins going up or down?

  12. My hospital shut down access to gmail & google docs in response to this. Anyone else have this happen?

    • Your organization shouldn’t have access to anything related to Google. Period. This includes Gmail and docs. And Google search.

    • Sounds like a sound decision to me as long as some errant user is using Microsoft Office products along the way. You can train and train your clients/users, but somebody is always going to click on the wrong thing in the wrong kind of email.

    • I run a medium-size business network and I’m thinking about shutting down 3rd party email access. I can protect against malicious attachments with a bunch of tools/settings for corporate owned software. Boom, you pop open your gmail and download a macro/doc, kill the network. (Even though macros should be fully disabled, maybe you are on a system that GPO didn’t reach.) Ugh. I hate it.

  13. JUSTIN R ANDRUSK

    If only hospitals backed up their data….

  14. This is just a fear tactic. False flag. Gotta keep the American people scared so they’ll hide in their basement and be much easier to manipulate. PUT ON YOUR MASK!

  15. Mandiant published a list of domains and cert hashes. This is helpful, but not for individual use.

    I’m interested in the certs. At the least, people in critical infrastructure and health care should be trained to have a look at the certificate for web resources that they visit, and to assess whether a “domain validated” certificate (e.g. Let’s Encrypt, Comodo, and others) is expected and reasonable. Cybercriminals have caught on that people have been erroneously taught that the lock icon means all is OK.

    Examining the certificate is not hard to do, but will take a little training. I think it’s worth the investment.

  16. I just contacted the IT team leader at my local hospital, and they are convinced their group policy settings, network topography, perimeter defense, and backup plan are sufficient to avert disaster in this attack. If a little hospital in a one dog town can do that, it makes you wonder what is going on in the larger agencies?

    • well you see, its because that one dog town hospital is lying to themselves and to you

    • Philip C VanDerHeyden

      While your attack surface may be smaller than other larger health entities, do not believe that technology can overcome all end user mistakes. It takes a robust effort across people, process and technology.

    • Oh they’re babes in the woods.. wait until someone clicks on a link on an unsupported system, like Windows 7, that is likely being used in many hospitals.

      • I agree, which is why I made some recommendations, but I doubt they will take my advice. Trying to get hospital administrators to take action can be a problem too; and he admitted to being very ignorant of IT concerns. I love my local hospital and just can’t stand by and not make an effort, at the very least.

  17. In Finland, the Vastaamo company operating 20 psychotherapy clinics was hacked and their data stolen. As the company refused to pay the ransom of 40 bitcoin, now about 40,000 individual patients are being extorted: the attackers threaten them with publishing their therapy records on the web unless they pay about $250 each.
    Nothing they could have done to prevent this, as the fault lay with the clinic. What a mess.
    Reference https://www.theguardian.com/world/2020/oct/26/tens-of-thousands-psychotherapy-records-hacked-in-finland

  18. Heard reports of this happening today in Montreal at CIUSSS facilities. Particularly damaging because these orgs handle our covid testing results. I suspect this is directed way wider than the US.

  19. Is this new variant still using Emotet as a Trickbot dropper?

  20. Since Mr. Trump is on the campaign trail, he did try to stop the issuance of the Advisory.

    There should be a public outcry that President Putin get to the bottom of this.

    BTW Where are the transcripts of Mr. Trump’s prior conversations with President Putin.

  21. James Schumaker

    These Russian criminal hackers will be excellent candidates for rendition.

  22. By refusing to root out and prosecute the perpetrators of activity like this, the Russian government is implicitly endorsing this type of activity. They have no motivation to combat it. I believe it’s time to motivate them.

    For years we’ve heard about the all-out cyberwar that is to come. I believe it is here, but we’ve just been sitting it out. Until we start to strike back, this will continue without end.

    • …right now it’s against the law for intel to be used for law enforcement purposes (title 10 vs. title 50 – look up parallel construction), and individuals / companies are prevented under cfaa and other laws from striking back…

      …so elect people that will change the laws…

      • Doesn’t seem to stop Microsoft from taking over botnet servers.

      • https://www.soc.mil/528th/PDFs/Title10Title50.pdf

        “Title 10” is used colloquially to refer to DoD and military operations, while “Title 50” refers to intelligence agencies, intelligence activities, and covert action.
        Nothing to do with Civilian Law Enforcement.
        US Cyber Command DOES have Title 10 authority to strike back in cyber attacks. And they have lately publicly shown a few operations. NSA DOES have Title 50 authority to conduct covert operations in cyberspace, so their actions are not likely to be noticed.

        Some operations cannot be hidden. Think bombing an airfield. Some are naturally covert. Think raiding house. Sometimes covert missions have effects that are so big, they become public knowledge. Think raid on a stronghold/compound.
        In cyberspace, there are analogies to kinetic warfare.

        Computer Fraud and Abuse Act is not the primary law that prevents cyber vigilantism. The entire structure of domestic law enforcement prohibits civilians (even victims) from acting on the offensive.
        Not to mention the countless laws in other countries that an individual would be breaking.

        Common defense and intelligence treaties and international agreements are often used in legitimate cyber operations. Host countries often participate in major operations. And even without prior warning/cooperation, the diplomatic channels usually smooth it over. A civilian counter-attack will have none of this and will be regarded as criminal.

        Collateral damage is a real problem in warfare. It happens in Cyber Warfare too. “Targeting” is a serious profession in the military.
        Its like calling in a strike against a hospital, because the enemy is using it as cover and occasionally firing shots from the building.
        But in cyberspace, most enemies attack using platforms of non-combatants. VPNs, proxies, botnets, hosted C2, etc.

        There is no way for civilian individuals or companies to counter-attack legally, and for good reason.
        We DO NOT want civilians striking back. No matter how smart they “think” they are, they are going to cause collateral damage.

    • 100% what you said. perfect. it’s time to get serious about this. we need to make it hurt for Russia. personally I’m starting to get unreasonably mad at the WHOLE country of Russia because of this. (I’m just a little IT guy sitting in a corner waiting for a ransomware strike). How is there not crazy rage that they announced they want to take down hospital operations?!!?!?!?

  23. Not a single “media” report in the Mpls/St Paul metroplex of these attacks. They are too busy with their propaganda reports of the C-19 virus.

    • Plenty of this going around in the cities in the healthcare IT community. With Ridgeview being compromised everyone is panicked.

  24. Microsoft Windows. Crappy security for over 30 years.

    It has always been the primary vulnerability of any IT infrastructure.

    Many apologists will explain it away with excuses.

    It was built for developers without adequate security. That was always left as an afterthought.

  25. Shutting down hospitals and still not called terrorist, huh.
    Maybe when they start popping rods at nuke plants, crashing oil tankers and trains, governments will get off their ass and hunt them. Or maybe they will just sit back and laugh. It’s an odd world.
    These scum are continued proof how little humans are worth as a species.

  26. So if ransom payments are in bitcoins,
    then what should we be expecting?
    Will the BTC go up, or will the ransom guys just dump the bitcoins?
    Which way does it go?

  27. Why do hospitals need to be connected to the Internet? Here’s a concept: have an internal network that runs the hospital. Then, have an external network for Internet information access. Then make sure that almost nothing goes between those two networks.

    Why is network segmentation such a hard concept?

    • Teleoperations by remote doctors comes to mind, but that could be done as you describe

    • DelilahTheSober

      Although my project will be tiny, this is exactly what I have proposed for the nonprofit that I’ve talked about starting for a few years now. We would be providing free laptops to residents of a specific group of low-income public housing projects. Even though it would be necessary to identify these residents with a photo ID, a piece of mail with their address on it, and some proof of income, I see no reason to ever scan those documents into a network that has access to the internet. Either everything goes into a filing cabinet or is stored on a computer that has no access to the internet.

      • I don’t know about where you live, but here in Upstate/Western NY, “nonprofits” helping “low income” people are very lucrative for the people running them! They get lots of tax dollars of course. Meanwhile the average working stiff can barely make ends meet.
        It seems to me, if they really want to help people, they should not get paid. I’m NOT saying that’s you since I don’t know you. Now I’ll get ready to get clobbered here!

    • This isn’t a new or complicated subject. It is just really, really expensive to build out completely separate networks for internal and external use. Many in the healthcare space are using VLANs and strict firewalls to try to accomplish the same goal more cheaply, but it isn’t quite as easy as many people try to make it sound.

  28. Did that chatter include why they are doing it now? Did they wait for the US election to near to help add pressure – same goes for the covid outbreak, were they waiting for it to take off again before launching their ransomware?

  29. What is the end game? How does this end? It needs to be U.S. sanctions against Russia. If you cause 50,000,000 in damage, we do something that hurts you more. Gov’t to Gov’t. OR we gain the ability to track crypto currency payments, but I’m not sure how much this helps as the bad guys are already making deposits from crypto wallets to banks, and that hasn’t been tracked.
    ALSO, it’s a huge business that security vendors love. We are about to buy the most expensive AV product we’ve ever purchased.
    It’s like the healthcare system; no one really cares that there is an obesity problem because everyone profits from it. <- huge generalization but there has to be some truth there.
