Hospitals and health-care providers across the United States have been hit this week by a coordinated attack from a ransomware gang that operates from Eastern Europe.
Beginning Monday, six hospitals including facilities in Oregon, California, and New York were targeted in the space of 24 hours by hackers, with some using a type of ransomware known as “Ryuk” that locks up a victim’s computer until a payment is received.
Analysts have said the group likely to be behind the attacks is known as Wizard Spider or UNC 1878. They warn that such attacks can disrupt hospital operations and potentially lead to loss of life.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning advisory regarding the targeted attacks on Wednesday night, saying on Twitter that “there is an imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.”
“CISA, FBI, and (the Department of Health and Human Services) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” the advisory said. “CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
The federal agencies said hackers were targeting the healthcare sector, “often leading to ransomware attacks, data theft, and the disruption of health-care services.” The advisory warned that cybercriminals might use the Ryuk ransomware “for financial gain.”
Ryuk ransomware is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October. While the company has had considerable success knocking Trickbot command-and-control servers offline through legal action, analysts say criminals have still been finding ways to spread Ryuk.
Security analysts have warned that the targeted attacks could potentially impact hundreds more hospitals nationwide.
Ransomware attacks have jumped 50 percent over the past three months, security firm Check Point said Wednesday, with the proportion of polled healthcare organizations impacted jumping to 4 percent in the third quarter from 2.3 percent in the previous quarter.
In September, all 250 U.S. facilities of hospital chain Universal Health Services were targeted in a ransomware attack, forcing employees to resort to using pencil and paper for patient records. Emergency room waits were delayed and wireless vital-signs monitoring equipment failed.
The Pennsylvania-based hospital and health care services company was again targeted in this week’s attacks, CNN reported. New York’s St. Lawrence Health Systems and Oregon’s Sky Lakes Medical Center were also hit, resulting in the shutdown of some procedures, such as computer-controlled cancer treatments and diagnostic imaging.
Highlighting the dangers of cyber criminal activity, John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association (AHA), described a ransomware attack that causes a hospital to suspend patient care operations as “akin to a mass-casualty terrorist attack.”
“Like military attacks on hospitals, cyber attacks on hospitals violate all internationally accepted norms of warfare,” he said.
Ransomware has accounted for more than 70 percent of the successful cyber attacks on health care organizations in each of the past two years, Riggi said.
This particular method of cyber crime is being increasingly used by government and terrorist groups “as a way to level the playing field” against more powerful adversaries such as the United States, “which they know they could not defeat in a direct, head to head military confrontation,” Riggi explained.
“They know they are at less of a disadvantage by engaging in asymmetrical warfare, using difficult to attribute cyber attacks to achieve their foreign policy, military, and intelligence objectives. Unfortunately, and inexcusably, this sometimes either places hospitals directly in the crosshairs of the U.S.’s cyber adversaries, or makes them become foreseeable collateral damage.”
Reuters and The Associated Press contributed to this report.