Some US hospitals have been hit by simultaneous ransomware attacks, structured to cause harm to healthcare systems. These attacks were carried out by cyberattackers in Eastern Europe seeking financial gain, experts at the cybersecurity firm FireEye’s Mandiant division told NPR.
Ransomware is malicious software that accesses and takes over the victim’s data. It then threatens to publish the data or to keep the victim locked out of it unless a ransom is paid.
Many hospitals across the US have been vulnerable to ransomware attacks ever since the beginning of the pandemic. Ransomware attacks have been targeting US hospitals since July. St Lawrence Health Systems in New York, and the Sky Lakes Medical Centre in Oregon have admitted to being victims of ransomware attacks recently. Other hospitals have also expressed their concerns.
The virus used to attack St Lawrence Health Systems has been identified as Ryuk ransomware. The ransomware has often been delivered using the TrickBot botnet. Both TrickBot and Ryuk are linked to earlier attacks operating from Russia.
Ryuk is largely used to attack enterprises. The ransomware identifies and encrypts network drives and resources, and finally deletes shadow copies. Without external backups or rollbacks, it is almost impossible to recover from a Ryuk attack.
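As an added example (not part of the original article), here is one way a defender could check process-creation logs for the shadow-copy deletion described above. The tab-separated log format, the sample records and the two command patterns are assumptions: the article names no commands, and the patterns are generally known Windows commands for deleting Volume Shadow Copies.

```python
import re

# Constructed sample: tab-separated process-creation records
# (timestamp, host, user, command line). Not real telemetry.
SAMPLE_LOG = "\n".join([
    "2020-10-28T09:02:11Z\tFS01\tsvc_backup\tvssadmin list shadows",
    "2020-10-28T09:14:40Z\tWS-014\tjdoe\tcmd.exe /c vssadmin.exe Delete Shadows /all /quiet",
    "2020-10-28T09:14:41Z\tWS-014\tjdoe\tWMIC.exe  shadowcopy   delete",
    "2020-10-28T09:14:43Z\tFS01\tjdoe\tcmd /c vss^admin del^ete shad^ows /all",
    "2020-10-28T09:20:05Z\tWS-020\tasmith\tnotepad.exe C:\\notes\\shadows.txt",
    "malformed line without tabs",
])

# Generally known Windows commands that remove Volume Shadow Copies
# (an assumption of this example; the article names no commands).
PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\s.*\bdelete\s+shadows\b"),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\s.*\bdelete\b"),
}

def normalize(cmdline):
    """Lower-case, drop cmd.exe caret/quote escaping, collapse whitespace."""
    stripped = cmdline.lower().replace("^", "").replace('"', "")
    return " ".join(stripped.split())

def find_shadow_copy_deletion(log_text):
    """Return one alert dict per record whose command line matches a pattern."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t", 3)
        if len(fields) != 4:  # skip malformed records instead of crashing
            continue
        ts, host, user, cmdline = fields
        norm = normalize(cmdline)
        for name, pattern in PATTERNS.items():
            if pattern.search(norm):
                alerts.append({"time": ts, "host": host, "user": user, "rule": name})
                break
    return alerts

def hosts_to_triage(alerts):
    """Hosts with at least one hit, in first-seen order."""
    return list(dict.fromkeys(a["host"] for a in alerts))

if __name__ == "__main__":
    for alert in find_shadow_copy_deletion(SAMPLE_LOG):
        print(alert)
```

Listing shadow copies and unrelated file names containing "shadows" do not alert; only the delete commands do, including the caret-escaped variant.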
The virus usually enters the victim’s system through spam emails sent from spoofed addresses. Such attacks usually begin when a user opens a Microsoft Office document attached to the phishing email. This triggers the download of the Emotet Trojan, which then downloads TrickBot onto the victim’s system. TrickBot works as spyware, collecting details about the victim and learning what assets they hold, after which a ransom is demanded.
The US Cybersecurity and Infrastructure Security Agency (CISA) released a warning on October 28, 2020, addressing the issue of ransomware attacks on hospitals and other healthcare systems. “CISA, FBI, and (the Department of Health and Human Services) have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to warn healthcare providers to ensure that they take timely and reasonable precautions to protect their networks,” read the advisory.
CISA advised hospitals to create a backup. “Shields up! Assume Ryuk is inside the house. Executives, be ready to activate business continuity and disaster recovery plans. IT sec teams, patch, MFA, check logs, make sure you have a good backup point,” warned Chris Krebs, director of CISA.
Mandiant, a cybersecurity firm working with the government on the issue, said they identified some of the attacks. “An Eastern European financially motivated threat actor is deliberately targeting and disrupting US hospitals, forcing them to divert patients to other healthcare providers. Patients may experience prolonged wait time to receive critical care,” said Charles Carmakal, SVP and CTO of Mandiant, in a press statement.