Large US hospital chain hobbled by Ryuk ransomware

US-based healthcare giant Universal Health Services (UHS) suffered a cyberattack on Sunday morning, which resulted in the IT network across its facilities being shut down.

[Image: location of UHS facilities]

What happened?

UHS operates nearly 400 hospitals and healthcare facilities throughout the US, Puerto Rico and the UK.

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods,” the company stated on Monday.

“Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”

No more details were shared about the nature of the “IT security issue” (as they chose to call it), leaving the door open for unconfirmed reports from professed insiders (employees at some of the affected facilities) to proliferate online.

A Reddit thread started on Monday is chock full of them:

  • The attack involved ransomware – Ryuk ransomware, to be more specific
  • It’s unknown how many systems have been affected, i.e., how widespread the damage is
  • “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center”
  • Ambulances are being rerouted to other hospitals, information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment
  • “4 people died tonight alone due to the waiting on results from the lab to see what was going on”

Was it Ryuk?

While most of these reports have yet to be verified, it seems almost certain that ransomware is in play.

Bleeping Computer was told by an employee that the encrypted files sported the .ryk extension and another employee described a ransom note that points to Ryuk ransomware.
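The two indicators reported above (files renamed with the .ryk extension and a dropped ransom note) are the kind of thing a responder would check a file share for. The following is an added example, not code from the article or from UHS; the ransom-note file names it looks for are an assumption, since the article only says a note was seen.

```python
"""Check a directory tree for the Ryuk indicators described in the report.

Added example, not from the article: counts files carrying the .ryk
extension per directory and locates ransom-note files. Note names are an
assumption; the article does not give them.
"""
import os
import time
from collections import defaultdict

RYUK_EXTENSION = ".ryk"
# Assumed ransom-note file names (not stated in the article).
RANSOM_NOTE_NAMES = {"RyukReadMe.txt", "RyukReadMe.html"}


def scan_for_ryuk_indicators(root, recent_seconds=None):
    """Walk `root` and report .ryk files and ransom notes found.

    recent_seconds: when set, only .ryk files modified within that many
    seconds are counted, which helps tell an encryption run in progress
    from old damage that was already handled.
    """
    now = time.time()
    per_dir = defaultdict(int)   # directory -> number of .ryk files
    notes = []                   # full paths of ransom notes seen
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                notes.append(path)
                continue
            if not name.lower().endswith(RYUK_EXTENSION):
                continue
            if recent_seconds is not None:
                try:
                    age = now - os.path.getmtime(path)
                except OSError:      # file vanished mid-scan
                    continue
                if age > recent_seconds:
                    continue
            per_dir[dirpath] += 1
    return {
        "encrypted_files": sum(per_dir.values()),
        "affected_dirs": dict(per_dir),
        "ransom_notes": sorted(notes),
        "indicators_present": bool(per_dir) or bool(notes),
    }
```

Run it against a mounted share root; a non-empty `affected_dirs` map shows where encryption has reached, and `recent_seconds` narrows the result to files touched during the current window.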

“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents, and compromised accounts,” commented Jeff Horne, CSO, Ordr.

Justin Heard, Director of Security, Intelligence and Analytics at Nuspire, noted that up until recently, Ryuk was used solely to target financial services, but over the last several months Ryuk has been seen targeting manufacturing, oil and gas, and now healthcare.

“Ryuk is known to target large organizations across industries because it demands a very high ransom. The ransomware operators likely saw UHS as the opportunity to make a quick buck given the urgency to keep operations going, and the monetary loss associated with that downtime could outweigh the ransom demand,” he explained.

“Ryuk Ransomware is run by a group called Wizard Spider, which is known as the Russia-based operator of the TrickBot banking malware. Ryuk is one of the most evasive ransomware out there. Nuspire Intelligence has repeatedly seen the triple threat combo of Ryuk, TrickBot and Emotet to wreak the most damage to a network and harvest the most amount of data.”

Some ransomware operators have previously stated that they would refrain from hitting healthcare organizations. Despite that, the number of attacks targeting medical institutions continues to rise.

UPDATE (October 2, 2020, 1:15 a.m. PT):

UHS stated on Thursday that “the cyberattack occurred early Sunday morning, September 27, 2020, at which time all systems were quickly disconnected and the network was shut down in order to prevent further propagation.”

“The UHS IT Network is in the process of being restored and applications are being reconnected. We have a large number of corporate-level administrative systems, and the recovery process is either complete or well underway in a prioritized manner. We are making steady progress and are confident that we will be able to get hospital networks restored and reconnected soon,” the company said.

Major information systems, e.g., the electronic medical record (EMR), were not affected by the attack, they added, and there is no indication that “patient or employee data has been accessed, copied or misused.”

All of UHS’s US facilities were affected by the attack; none of its UK facilities were.

The company did not say whether ransomware (Ryuk or other) is the cause of the disruption.
