The Cybersecurity and Infrastructure Security Agency (CISA), FBI and the U.S. Department of Homeland Security warned this week of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”
The crime in question involves a form of ransomware that a Russian cybercriminal gang known as UNC1878 plans to deploy in order to steal data from and disrupt the information technology systems of hundreds of hospitals, clinics and medical care facilities around the U.S., according to the agencies
, which say the alert is based on “credible information” they received.
“CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” said CISA in an alert issued this week.
Independent security experts assert the attack has already hit at least five U.S. hospitals this week and could potentially impact hundreds more, reported the Associated Press
The ransomware is called Ryuk and converts data into non-legible information that can only be accessed with software keys that are provided once the ransom has been paid. It is spread through a network of zombie computers called Trickbot, which both Microsoft and U.S. Cyber Command have reportedly tried to counter through legal processes, according to Reuters.
Alex Holden, founder of cybersecurity firm Hold Security, has been tracking Ryuk for almost a year and was monitoring for infection attempts at hospitals Friday, when he came across correspondence among cybercriminals associated with UNC1878. The criminals were discussing plans to deploy Ryuk at more than 400 healthcare facilities in the U.S. He alerted federal law enforcement that day, saying the group was demanding ransom above $10 million per target.
“One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems,” Holden told the AP. “They are hitting where it hurts even more and they know it.”
He adds that he does not doubt that the Russian government is aware of the operation, though no suspected ties have been found between it and the gang.
Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, identified the group as UNC1878 and says it is “one of most brazen, heartless, and disruptive threat actors I’ve observed over my career.”
The timing of the attack coincides with the U.S. presidential election, raising concerns about election interference. No signs of this, however, have been reported. In addition, a total of 59 U.S. healthcare systems were hit by ransomware in 2020, disrupting patient care at up to 510 facilities, reports the AP.
To help providers protect against Ryuk, CISA, FBI and HHS have issued sets of network, ransomware and user awareness best practices, as well as recommended mitigation measures, from patching operating systems to disabling remote access, to regularly backing up data and password protect backup copies offline.
“The healthcare services have an outdated approach to security awareness, education and training. With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is urgent,” said Daniel Norman, senior solutions analyst at the Information Security Forum, in a statement. “Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices.”