A spike in criminal cyber activity leaves hospitals and healthcare delivery organizations open to a Ryuk ransomware attack. Here's what it is & what to do about it.
Government officials were recently warned that hackers are seeking to hold American hospitals' data hostage in exchange for ransom payments. A recent uptick in the Russian criminal underground suggests this is a massive coordinated campaign to disrupt the U.S. through cyberattacks against U.S. hospitals and healthcare delivery organizations, just as Coronavirus cases spike across the country. Cyber criminals are exploiting the overwhelming impact of COVID-19 as healthcare delivery organizations struggle to handle the influx of patients.
According to Alex Holden, the founder of Hold Security as reported in the New York Times, Russian Hackers, believed to be based in Moscow and St. Petersburg, have been trading a list of 400+ US hospitals that they plan to target. So far, the hackers have claimed to have infected more than 30 of them. Three government agencies - the F.B.I., the Department of Health and Human Services (HHS), and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) - warned hospital administrators that this is a credible threat.
What is the Threat?
The planned attacks are thought to be employing TrickBot, a modular trojan that targets sensitive information and acts as a dropper for other malware. This trojan is used in conjunction with Ryuk, a type of ransomware that locks computers while hackers demand ransomware payments to unlock them. These ransoms are based on factors like hospital size and perceived willingness to pay. The Ryuk strain of ransomware accounted for 75% of the attacks on the U.S. health-care sector during October, according to Checkpoint, and has caused massive disruption to hospitals and interrupted critical patient services.
According to Bloomberg, the hacking group responsible — known among some experts as UNC1878 and others as Wizard Spider — has already hit at least nine hospitals in three weeks, crippling critical computer systems and demanding multimillion-dollar ransoms. While officials and researchers did not name hospitals that has been affected, according to the New York Times, Sonoma Valley Hospital in California, two of St. Lawrence Health System's hospitals in New York: Canton-Potsdam and Gouverneur, and Sky Lakes Medical Center in Oregon were hit by ransomware attacks.
Hidden Motives Behind the Attacks
Whether this was a party motivated by the Kremlin to weaken pluralist resolve and confidence in the US election systems is so far unknown, as is any intended manipulation of results to favor one presidential candidate over another. The Russian state is known from past attacks to use freelance criminal proxies in the orchestration of some if not many of its cyberattacks. According to the Times, intelligence officials have reportedly found Russia interfering in the 2020 elections, using similar tactics in the 2016 elections.
This wave of ransomware attacks also comes on the precipice as the U.S. government attempt to crack down on Russian computer meddling, according to Bloomberg. U.S. Cyber Cyber Command issued a separate alert warning that Russian state-sponsored hackers had targeted ministries of foreign affairs and national parliaments to “spy, steal data & install malware.” Furthermore, the United States Cyber-Command, in coordination with Microsoft and other technology companies, managed to take down the majority of an extensive global TrickBot network a few weeks before this threat was first discovered. These attacks, therefore, may have even been an attempted retribution for cyber-criminals.
How to Prevent a Ryuk Ransomware Attack
In the wake of these potential attacks, the U.S. Government issued a joint cybersecurity advisory with the CISA, the FBI, and the HHS to help guide hospitals and health-care providers who may be victims of a malware attack. The advisory describes the tactics, techniques, and procedures used by cybercriminals to target healthcare delivery organizations. Specifically noting that TrickBot infections may be indicators of an imminent ransomware attack and system administrators should be on the lookout for anomalous activity that could be an indicator of compromise (IOC) and take steps to secure their network devices accordingly.
The American College of Clinical Engineering in support of its members, requested that Cylera and its threat intelligence entity CyleraLabs, based in Madrid, provide a deeper dive on the Ryuk ransomware family, and brief the ACCE membership on IOCs while providing advice to member hospitals how to prevent and recover from any such attack.
Listen to the Experts
Check out the latest virtual panel where healthcare thought leaders, including Clinical Engineering executives, Cyber Security specialists, CMOs, CISO's and MDs discuss preparedness for Ryuk and its impact on the healthcare industry.
The panel is comprised of:
- Dr. Saif Abed, Director of Cybersecurity Advisory Services at The AbedGraham Group
- Tracey K. Hughes, Sr. Director of Clinical Engineering at Duke Health
- Pablo Rincon Crespo, VP of Cybersecurity at Cylera
- Richard Staynings, Chief Security Strategist at Cylera