A hacking group is deliberating targeting US hospital systems with the Ryuk ransomware, according to security researchers.
On Tuesday, the St. Lawrence Health System in New York reported that three hospitals had been hit with the notorious Ryuk strain. On the same day, the Sky Lakes Medical Center in Oregon also came under attack from the ransomware, which can render computer systems completely useless.
Two security firms, Hold Security and FireEye’s Mandiant, now say the cybercriminals behind the attacks are going out of their way to target hundreds of medical providers.
“On Monday, we saw more indicators from the cyber criminals, who stated that they were targeting hundreds of ‘US hospitals, various medical facilities, and clinics’” Alex Holden, chief information security officer for Hold Security, told PCMag in an email. (Security journalist Brian Krebs was first to report the news.)
Ransomware works by infecting a computer, and then encrypting all the files on board. To release the data, victims have to pay the hackers usually in Bitcoin, or else see their files deleted for good.
However, the attacks can potentially cause real-world harm when targeting a medical provider, where doctors are seeing patients and sometimes conducting emergency surgery.
Fortunately, the St. Lawrence Health System and Sky Lakes Medical Center both say they were able to deliver care to patients, despite the ransomware attacks. “While the organization's computer systems have been compromised, so far there is no evidence that patient information has been compromised,” Sky Lakes added in a statement.
FireEye’s Mandiant group has been tracking the ransomware attacks, and says an Eastern European-based group dubbed “UNC1878” has been behind the assaults. “The operators conducting these campaigns have actively targeted hospitals, retirement communities and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life,” Mandiant wrote in a report sent to PCMag.
According to Mandiant, UNC1878 has been targeting the medical providers by sending phishing emails. The messages will feature a Google Docs document that contains a link to a malicious payload disguised as a seemingly legit file.
The “emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours,” Mandiant added. In some cases, the phishing emails will also contain the recipient’s name, employer and even corporate logos.
The phishing emails are designed to help the hackers establish a foothold in the victim's network, enabling them to explore and then spread the ransomware over the IT systems.
Hold Security declined to reveal how it determined the hackers were targeting hundreds of hospitals. "I'm trying to keep our vantage point confidential to keep getting intel about new infections... so I'd say vaguely that the data was obtained from the cyber criminal exchanges," Holden said in an email.
His company has already notified law enforcement about the potential attacks. And according to CyberScoop, the FBI and US Department of Homeland Security held a call on Wednesday to brief the private sector about the looming threat.