US federal authorities have issued a joint cybersecurity advisory warning hospitals and healthcare providers that they’re in danger of being targeted by a ransomware attack. A number of providers in the US have fallen victim in the past to cybercriminals taking their networks hostage in exchange for money. It’s not a new scheme, but officials say they’ve received “credible information” of an “increased and imminent cybercrime threat” to the industry. The advisory was issued by the FBI, the Department of Health and Human Services (HHS) and Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
While the officials didn’t talk at length about the increased threat, Alex Holden of cyber intelligence firm Hold Security told authorities that the criminals involved were discussing plans on the dark web to infect over 400 hospitals and other medical facilities. “One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems,” he said. “They are hitting where it hurts even more and they know it.”
Charles Carmakal from cybersecurity firm Mandiant identified the group behind the threats as Russian-speaking criminal gang UNC1878. He called the group “one of most brazen, heartless, and disruptive threat actors” he’s ever seen and said it’s been deliberately targeting hospitals in the middle of a global pandemic. Coronavirus cases and deaths have been on the rise in the US, reaching record numbers these past few days.
According to the authorities’ advisory, the attackers are using the Trickbot malware to deliver Ryuk ransomware to victims’ networks. Ryuk first appeared in 2018 and has become one of the most notorious ransomware strains since then — just last month, it was used in the attack against Universal Health Services, forcing facilities to redirect patients to other hospitals. Some providers like the Sonoma Valley Hospital in California and the St. Lawrence Health System in New York were hit by ransomware attacks this past week, but it’s unclear if they’re part of this particular campaign. Holden says the cybercriminals demanded $5 to $10 million in payment, or double the amount they used to ask just a few months ago.
In their advisory, the authorities advise against paying ransom as it may “embolden adversaries to target additional organizations” and “encourage other criminal actors to engage in the distribution of ransomware.” They’re encouraging healthcare providers to patch their systems as a precautionary measure or to contact the FBI and other authorities if their networks have already been infected.