Alyza Sebenius, William Turton and Michael Riley (Bloomberg) -- A Russia-based ransomware group responsible for a new wave of attacks against U.S. hospitals is laying the groundwork to cripple at least ten more, according to the cybersecurity firm Prevailion Inc.
Prevailion’s analysis comes a day after the FBI and two other federal agencies issued a warning about an imminent and credible threat to hospitals and health-care providers from cyber-attacks, including ransomware capable of locking entire computer networks.
The hacking group responsible -- known among some experts as UNC1878 and others as Wizard Spider -- has already hit at least nine hospitals in three weeks, crippling critical computer systems and demanding multimillion-dollar ransoms.
The health-care attacks have been ongoing since at least September, according to the cybersecurity firm Crowdstrike. The victims included Sky Lakes Medical Center in Klamath Falls, Oregon, where doctors are struggling to keep track of patient medications and other critical information on paper rather than the digital systems they normally use.
“The increased workload is astronomical for all hospital employees and will inevitably have an impact on patient care,” said one of the hospital’s doctors, who wasn’t authorized to speak to the press and asked not to be named.
The timing of the latest wave of attacks – coming as the U.S. nears 9 million coronavirus infections and hospitalizations surge – has unsettled security experts used to the ruthlessness of global cyber gangs.
“Certainly no cyber crime is good, but this really is despicable and evil,” said Karim Hijazi, Prevailion’s chief executive.
Prevailion has gained access to the communications that the Russian hackers are using to control computers inside U.S. hospitals, as well as other victims worldwide. That data shows that the hackers have infiltrated at least 440 organizations globally, including government agencies, pharmaceutical companies and universities, Hijazi said.
But it’s the targeting of medical care facilities that is most worrying. The infected organizations include hospitals in New Jersey, Georgia, Florida, Massachusetts, Texas and Arkansas, according to data provided by Prevailion. “It’s abundantly clear that the group is really zeroing in on U.S. hospitals,” Hijazi said.
Ransomware is a type of malware that locks computers while hackers demand ransom payments to unlock them. In the most recent spate of attacks, ransoms vary based on factors like hospital size and perceived willingness to pay, according to Charles Carmakal, the strategic services chief technology officer at the cybersecurity firm FireEye Inc. He said ransom demands in the current attacks have been in the seven- and eight-figure range.
Last year, ransom demands by the group included $5.5 million and $12.5 million, according to Adam Meyers, Crowdstrike’s vice president of intelligence.
The U.S. Government issued a joint cybersecurity advisory last week to guide hospitals and health-care providers who may be victims of a malware attack. In it, the agencies highlighted the damage that the malicious tools used by attackers -- Trickbot, a so-called botnet of infected computers, and Ryuk, a type of ransomware -- can cause, and how swiftly they may steal medical data.
“Trickbot infections may be indicators of an imminent ransomware attack,” according to the advisory. “System administrators should take steps to secure network devices accordingly.”
As Covid cases have spiked across the U.S., so have ransomware attacks on health-care providers. The U.S. health-care sector endured a 71% increase in ransomware attacks in October, compared to September, the most among U.S. industry sectors, according to the cyber-research firm Check Point Software Technologies Ltd.
The Ryuk strain of ransomware accounted for 75% of the attacks on the U.S. health-care sector in October, according to Checkpoint.
”I think the timing, at a minimum, is interesting,” said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association. “I think adversaries know how distracted and consumed we are with the election. Hospitals are dealing with an uptick in Covid cases. With our resources stretched thin, it puts us in a higher risk situation.” -
Several hospital companies have reported being struck by cyber-attacks in recent days, including the University of Vermont Health Network, which includes six hospitals.
Those attacks aren’t included in Prevailion’s analysis, which only picks up networks that are infected but where the malicious payload hasn’t yet detonated. Hijazi said his firm was working with other cybersecurity researchers to reach out to the hospitals to make sure they were aware of the potential threat. He wouldn’t identify the hospitals whose networks were infected.
The wave of attacks have unsettled medical workers, some of whom are struggling to handle an influx of Covid patients.
“Trickbot is a massive botnet that’s really hard to smother,” said Christian Dameff, an emergency room doctor and medical director of cybersecurity at UC San Diego Health. “You can take the wind out of its sails, but I don’t think anyone is under the illusion that it can be taken down easily.”
A doctor at one of the affected hospitals who requested anonymity said her biggest fear is an avoidable death caused by a lack of access to computers. “All of our computers are off and we are running entirely on paper charting, using fax machines to communicate between different parts of the hospital,” the doctor said.
“There are established procedures for this so we have adapted quickly. We just aren’t used to relying on these back-up procedures for more than a few hours at a time,” she said. “This is unfortunately a perfect set up for important information to get missed or not come back fast enough and for patients to get harmed.”
The wave of ransomware attacks comes as the U.S. government has attempted to crack down on Russian computer meddling. U.S. Cyber Command last Thursday issued a separate alert warning that Russian state-sponsored hackers had targeted ministries of foreign affairs and national parliaments to “spy, steal data & install malware.”
Two weeks ago, the Department of Justice charged six current and former members of Russia’s military intelligence agency for allegedly carrying out some of the world’s most destructive hacking attacks, leading to billions of dollars of losses in recent years. Two days later, the U.S. government warned that Russia has been targeting U.S. government agencies since at least September and may be planning more severe attacks surrounding Election Day.
--With assistance from Kartikay Mehrotra and John Tozzi.