Criminal Russian hackers have launched massive ransomware attacks against more than 400 hospitals and medical institutions across the United States, federal law enforcement agencies and private U.S. cybersecurity firms have confirmed.

Acting on tips from cybersecurity firms such as KrebsOnSecurity and Hold Security LLC, the joint federal task force revealed a cybercrime threat to U.S. hospitals and health care providers by the notorious Russian cybercriminal group called "Ryuk." This group is also known by the threat actor classification, "UNC1878."

"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers," said a task force statement.

The task force said they were sharing the information "to provide warning to health care providers to ensure that they take timely and reasonable precautions to protect their networks from these threats."

The task force includes the FBI, the U.S. Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency (CISA).

Executives from Wisconsin-based Hold Security intercepted online communications this week among hackers working for Ryuk. Alex Holden, the company's chief information security officer, said the hackers discussed plans for a ransomware attack against more than 400 health care facilities in the U.S. This information was immediately shared with the government.

There are already confirmed reports of new ransomware attacks on health care systems in the U.S. Of the five victims thus far, three have been identified: the Sky Lakes Medical Center in Oregon; hospitals belonging to the St. Lawrence Health System in New York State; and the Ridgeview Medical Center in Minnesota.

Charles Carmakal, senior vice president at Mandiant, pointed out that UNC1878 is one of the most brazen, heartless, and disruptive threat actors he's observed in his career.

"Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline," said Carmakal.

For its ransomware attacks, Ryuk uses a strain of ransomware known as Ryuk (hence the group's name). The Ryuk malware is seeded through a network of zombie computers called Trickbot.

Cybercrime experts said the malware infrastructure used by Ryuk is often tailor-made for each victim. This customization includes the Microsoft Windows executable files used to infect the target's computers and the "command and control" servers used to transmit data between and among compromised systems.

Cyber threat intelligence firm Check Point Research said ransomware attempts jumped 50% over the last three months compared to the first half of this year. It said hospitals and health care organizations have been the hardest hit by the relentless ransomware attacks.

Check Point said typical ransomware attacks demand several hundred thousand dollars, but some hackers have demanded more than $5 million. Hospitals are often targeted because criminals know they're more likely to pay huge amounts to save patients' lives.