A fresh wave of ransomware attacks has struck almost two dozen United States hospitals and health care organizations in recent weeks, just as Covid-19 cases spike across the US. According to US intelligence agencies and cybersecurity professionals, the situation could soon become much worse.
On Wednesday evening, the Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and Department of Health and Human Services warned that there is "an increased and imminent cybercrime threat to US hospitals and health care providers," above and beyond the wave of attacks that have already occurred. The alert points to the notorious Trickbot trojan and Ryuk ransomware as the primary hacking tools involved in the attacks. Security analysts at private companies say that the activity is tied to the Russian criminal gang sometimes called UNC 1878 or Wizard Spider.
Ransomware actors have for years targeted hospitals, because locking up a health care organization's digital systems can threaten patient care and create maximum urgency to pay up and recover. More recently, both the rate of infections against the industry and the demands themselves have exploded; antivirus firm Emsisoft found that the average ransomware ask has increased from about $5,000 in 2018 to about $200,000 this year, with multimillion-dollar demands becoming increasingly common. Last month, the provider Universal Health Services was hit with a Ryuk attack that rippled through its 250 US hospitals and clinics, crippling digital services and impacting facilities around the country.
Even so, the current spree of infections marks an alarming shift in how aggressive financially motivated ransomware groups have become, and how far they're willing to go.
"This is to me the most significant cyber threat that we’ve experienced in the US to date," says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant, which is owned by FireEye. "There is a moral line that every person, just as a human being, recognizes exists—when you do something knowing that you are potentially impacting somebody’s life you’ve crossed the line. So there’s a very clear crossing of the line by this threat actor. This group is incredibly brazen, heartless, relentless."
The attacks may not match the devastation of the Russian government's critical infrastructure attacks in Ukraine, but they have hobbled victim hospitals around the country, including in California, Oregon, and New York. In many cases, victims have had to reschedule appointments, delay procedures, or refer patients to other facilities to receive timely care.
The US government alert lays out recommendations and best practices for how hospitals can protect themselves, and private firms like Mandiant have been sharing "indicators of compromise" as well, so health care facilities can monitor their systems extra closely and try to head off potential attacks. One major concern is that hundreds of organizations may have already been compromised by attackers, and that ransomware or the means to deploy it is lurking until the hackers decide to trigger it.
New infections could continue as well. Experienced, well-resourced ransomware groups like UNC 1878 can move quickly to deploy ransomware once they compromise a target if they choose to, but there is still generally a window to catch and prevent an attack. And organizations can also be prepared to quickly remediate a successful ransomware attack and get their systems back online through safeguards like backups and tools specially developed to recover from Ryuk. Some firms, like Emsisoft, are offering their services for free right now to health care organizations.
"I have two US customers in the health care industry and it appears they were compromised by a shared administrative interface that was used to deploy malware into these environments," says Greg Linares, a researcher at the security firm CyberPoint. "Right now we're working with the teams to minimize this story. That means we got rid of the malware before it deployed versus the story in a week or so that could say 100-plus hospitals got hit by ransomware."
Ryuk has been used before in bold and dangerous attacks across a variety of sectors and corporations. Last October, the Canadian Centre for Cyber Security warned of one such international spree, and it seems that the current rash of hospital attacks has reached Canada as well.
The question now, though, is how to handle the rapidly deteriorating situation given that UNC 1878 seems willing to go to any lengths to generate ransomware revenue and could set a dangerous example for other digital crime groups.
"This is a big deal," says John Hultquist, director of intelligence at FireEye. "I've been looking at state cyberattacks my whole career, and I can't think of any that rivals this in terms of danger to the public."
If countries like Russia won't rein in mercenary hackers in their jurisdictions, Hultquist says the international community must either force them to do so or take other action to disrupt the criminal operations. But no one group, whether it's the US government or any other entity, can do this unilaterally. Ransomware has become an urgent global problem that can only be solved through immense, and swift, global cooperation.
Some efforts along those lines have already taken place. Just two weeks ago, US Cyber Command, Microsoft, and a number of cybersecurity firms independently attempted to disrupt the Trickbot botnet, but the gut punch didn't keep the malware from quickly resurfacing. The successful wave of hospital attacks may also bode poorly for Election Day, an obvious high-urgency event on the immediate horizon. Digital extortionists trying to capture as many ransom payments as possible could wreak havoc across multiple industries and sectors—leaving disruptive and potentially destructive collateral damage in their wake.
"The ransomware problem is bad, it was bad years ago, it was worse months ago, then untenable a few weeks ago, and unfortunately it just got worse over the last few days," Mandiant's Carmakal says. "We have to create awareness of this problem."