
US Hospitals Warned of Fresh Wave of Ransomware Attacks

Warning From CISA and FBI Follows Reports of Several Hospitals Hit With Malware

The FBI and the U.S. Cybersecurity and Infrastructure Security Agency are warning hospitals about a fresh wave of Ryuk ransomware attacks that have recently targeted healthcare facilities around the country.


The joint alert issued Wednesday, which includes input from the U.S. Department of Health and Human Services, follows several media reports that hospitals across the U.S. have been attacked by ransomware over the past week.

This includes ransomware attacks against several facilities owned by St. Lawrence Health System in New York and an incident involving the Sky Lakes Medical Center in Oregon.

The motive behind this recent rash of ransomware attacks appears to be financial gain, according to the joint alert.

"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers," according to the joint alert. "CISA, FBI and HHS are sharing this information to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats."

This series of attacks prompted a call among the FBI, the Department of Homeland Security and the administrators of several large hospitals on Wednesday to discuss the security issues and response, according to Reuters.

After a dormant period starting in March, Ryuk activity has surged since the end of the third quarter, says Bill Siegel, the CEO of incident response firm Coveware. This not only includes attacks against hospitals and healthcare facilities, but also an incident involving French IT services company Sopra Steria earlier this month (see: French IT Services Firm Confirms Ryuk Ransomware Attack).

Ransomware attacks against hospitals have also prompted lawmakers to raise concerns about these facilities' cybersecurity practices, especially as healthcare entities face recent increases in COVID-19 cases, which could then impact the care of patients (see: Senator Demands Answers on Universal Health Services Outage).

Trickbot Suspected

The joint alert Wednesday notes that several recent attacks against hospitals and healthcare facilities have started with the deployment of the Trickbot malware within infected devices. Originally a banking Trojan, Trickbot has been revamped over the years to act as a "dropper" that can deliver other malware such as ransomware, according to the alert.

The alert notes the FBI has found that the operators behind Trickbot started to use a new backdoor called Anchor in 2019 as a way to communicate with a command-and-control server. This malware allows malicious traffic to blend in with normal traffic by using DNS tunneling techniques.

"These attacks often involved data exfiltration from networks and point-of-sale devices," according to the alert. "As part of the new Anchor toolset, Trickbot developers created AnchorDNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling."
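As an added example (not from the alert or this article), here is a defender-side heuristic for spotting the kind of DNS tunneling the alert attributes to AnchorDNS: it runs over a constructed DNS query log and flags client/domain pairs that issue many distinct, long, high-entropy leftmost labels under one registered domain. The log lines, the domain names and the thresholds are assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: "timestamp client queried_name".
# The hex-looking labels under update-check.example are invented to mimic
# how a tunneling backdoor carries data in query names; they are not real IoCs.
SAMPLE_LOG = """\
2020-10-28T09:00:01Z 10.0.5.21 www.example.com
2020-10-28T09:00:02Z 10.0.5.21 a3f9c1e7b2d84f60a1c9e3b7d5f2a8c4.update-check.example
2020-10-28T09:00:03Z 10.0.5.21 7c2e8b1d4a6f9e0c3b5d7a1f8e2c4b6d.update-check.example
2020-10-28T09:00:04Z 10.0.5.21 e1d2c3b4a5f60718293a4b5c6d7e8f90.update-check.example
2020-10-28T09:00:05Z 10.0.5.21 0f1e2d3c4b5a69788796a5b4c3d2e1f0.update-check.example
2020-10-28T09:00:06Z 10.0.5.21 mail.example.com
2020-10-28T09:00:07Z 10.0.5.22 cdn.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Last two labels; a naive stand-in for a public-suffix lookup (assumption)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def score_tunneling(log_text: str, min_queries: int = 3,
                    min_entropy: float = 3.5, min_label_len: int = 24) -> dict:
    """Return {(client, domain): stats} for pairs whose queries look like tunneling:
    every query has a distinct, long, high-entropy leftmost label (thresholds assumed)."""
    per_pair = defaultdict(lambda: {"queries": 0, "labels": set(),
                                    "entropy_sum": 0.0, "long_labels": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, name = line.split()
        label = name.split(".")[0]
        st = per_pair[(client, registered_domain(name))]
        st["queries"] += 1
        st["labels"].add(label)
        st["entropy_sum"] += shannon_entropy(label)
        st["long_labels"] += int(len(label) >= min_label_len)
    flagged = {}
    for key, st in per_pair.items():
        avg_entropy = st["entropy_sum"] / st["queries"]
        if (st["queries"] >= min_queries and len(st["labels"]) == st["queries"]
                and st["long_labels"] == st["queries"] and avg_entropy >= min_entropy):
            flagged[key] = {"queries": st["queries"], "avg_entropy": round(avg_entropy, 2)}
    return flagged
```

Legitimate CDN and anti-malware lookups can also produce long hashed labels, so in practice the flagged pairs are a triage list to compare against an allowlist, not a verdict.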

The Anchor backdoor can also be used to steal credentials as well as deliver malicious payloads such as the Ryuk ransomware, to compromised networks and devices, according to the joint alert.

Over the years, security researchers have observed threat actors using a combination of the Emotet botnet along with Trickbot to deliver Ryuk to multiple victims.

Earlier this month, Microsoft and several security partners and U.S. government agencies announced an operation that targeted Trickbot's infrastructure to disrupt the botnet's activities. And while Microsoft has claimed that it's disrupted more than 90% of the infrastructure, other security firms such as CrowdStrike believe its operators are quickly working to rebuild the botnet (see: Trickbot Rebounds After 'Takedown').

But this week, the security firm Sophos published an analysis that found the operators of Ryuk had started to use a new malware-as-a-service tool over the past two months to deliver the ransomware to potential victims (see: Ryuk Ransomware Delivered Using Malware-as-a-Service Tool).


Charles Carmakal, senior vice president and CTO of security firm FireEye Mandiant, noted that the group behind these hospital attacks, which the company calls UNC1878, has been deliberately targeting healthcare facilities with ransomware to turn a profit.

"UNC1878, an Eastern European financially motivated threat actor, is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other healthcare providers," Carmakal says. "Patients may experience prolonged wait time to receive critical care. Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline."

Brett Callow, a threat analyst at security firm Emsisoft, notes that the firm has confirmed over 60 ransomware attacks against U.S. healthcare organizations and hospitals since the start of the year, which have caused disruptions at nearly 500 facilities.

It's not clear, however, whether this latest round of attacks involving Trickbot and Ryuk represents an uptick in activity or whether law enforcement and hospital officials are simply taking notice of this particular threat group's activities, Callow says.

"The Ryuk operators have a very long track record of attacking the public sector, including healthcare providers, causing multiple government agencies to issue alerts," Callow tells Information Security Media Group. "At this point, I do not have sufficient information to be able to say whether the current attacks are indicative of an unusual campaign, or whether it’s simply a case of business as usual."


As usual, the FBI and CISA are asking hospitals not to pay the ransom if they are targeted and to contact law enforcement officials.

"Payment does not guarantee files will be recovered," according to the alert. "It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities."

The alert notes that healthcare organizations should at least patch any operating systems, network equipment and applications that have known vulnerabilities, change administrative passwords frequently, disable Remote Desktop Protocol access if not needed, use multifactor authentication and create backups to help speed recovery.

Managing Editor Scott Ferguson contributed to this report.

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
