ALL NEWS

FBI warns ransomware assault threatens US health care system

Oct 29, 2020, 3:12 PM
FBI health care...
FILE - In this Nov. 1, 2017, file photo, traffic along Pennsylvania Avenue in Washington streaks past the Federal Bureau of Investigation headquarters building. In an alert Wednesday, Oct. 28, 2020, the FBI and other federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. healthcare system that could lock up their information systems just as nationwide cases of COVID-19 are spiking. (AP Photo/J. David Ake, File)
(AP Photo/J. David Ake, File)

BOSTON (AP) — Federal agencies warned cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. health care system designed to lock up hospital information systems, which could hurt patient care just as nationwide cases of COVID-19 are spiking.

In a joint alert Wednesday, the FBI and two federal agencies warned that they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The alert said malicious groups are targeting the sector with attacks that produce “data theft and disruption of healthcare services.”

The cyberattacks involve ransomware, which scrambles data into gibberish that can only be unlocked with software keys provided once targets pay up. Independent security experts say it has already hobbled at least five U.S. hospitals this week, and could potentially impact hundreds more.

The offensive by a Russian-speaking criminal gang coincides with the U.S. presidential election, although there is no immediate indication they were motivated by anything but profit. “We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States,” Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, said in a statement.

Alex Holden, CEO of Hold Security, which has been closely tracking the ransomware in question for more than a year, agreed that the unfolding offensive is unprecedented in magnitude for the U.S. given its timing in the heat of a contentious presidential election and the worst global pandemic in a century.

The federal alert was co-authored by the Department of Homeland Security and the Department of Health and Human Services.

The cybercriminals launching the attacks use a strain of ransomware known as Ryuk, which is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October. U.S. Cyber Command has also reportedly taken action against Trickbot. While Microsoft has had considerable success knocking Trickbot’s command-and-control servers offline through legal action, analysts say criminals have still been finding ways to spread Ryuk.

The U.S. has seen a plague of ransomware over the past 18 months or so, with major cities from Baltimore to Atlanta hit and local governments and schools hit especially hard.

In September, a ransomware attack hobbled all 250 U.S. facilities of the hospital chain Universal Health Services, forcing doctors and nurses to rely on paper and pencil for record-keeping and slowing lab work. Employees described chaotic conditions impeding patient care, including mounting emergency room waits and the failure of wireless vital-signs monitoring equipment.

Also in September, the first known fatality related to ransomware occurred in Duesseldorf, Germany, when an IT system failure forced a critically ill patient to be routed to a hospital in another city.

Holden said he alerted federal law enforcement Friday after monitoring infection attempts at a number of hospitals, some of which may have beaten back infections. The FBI did not immediately respond to a request for comment.

He said the group was demanding ransoms well above $10 million per target and that criminals involved on the dark web were discussing plans to try to infect more than 400 hospitals, clinics and other medical facilities.

“One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems,” Holden said. “They are hitting where it hurts even more and they know it.” U.S. officials have repeatedly expressed concern about major ransomware attacks affecting the presidential election, even if the criminals are motivated chiefly by profit.

Mandiant’s Carmakal identified the criminal gang as UNC1878, saying “it is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other healthcare providers” and producing prolonged delays in critical care.

He called the eastern European group “one of most brazen, heartless, and disruptive threat actors I’ve observed over my career.”

While no one has proven suspected ties between the Russian government and gangs that use the Trickbot platform, Holden said he has “no doubt that the Russian government is aware of this operation — of terrorism, really.” He said dozens of different criminal groups use Ryuk, paying its architects a cut.

Dmitri Alperovitch, co-founder and former chief technical officer of the cybersecurity firm Crowdstrike, said there are “certainly lot of connections between Russian cybercriminals and the state,” with Kremlin-employed hackers sometimes moonlighting as cybercriminals.

Neither Holden nor Carmakal would identify the affected hospitals. Four health care institutions have been reported hit by the ransomware so far this week, three belonging to the St. Lawrence Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Oregon.

Sky Lakes acknowledged the ransomware attack in an online statement, saying it had no evidence that patient information was compromised. It said emergency and urgent care “remain available.”

The St. Lawrence system also acknowledged a Tuesday attack involving Ryuk, noting in a statement released Thursday that no patient or employee data appeared to have been accessed or compromised. Matthew Denner, the emergency services director for St. Lawrence County, told the Adirondack Daily Enterprise that the hospital owner instructed the county to divert ambulances from two of the affected hospitals for a few hours Tuesday.

Increasingly, ransomware criminals are stealing data from their targets before encrypting networks, using it for extortion. They often sow the malware weeks before activating it, waiting for moments when they believe they can extract the highest payments, said Brett Callow, an analyst at the cybersecurity firm Emsisoft.

A total of 59 U.S. health care providers or systems have been impacted by ransomware in 2020, disrupting patient care at up to 510 facilities, Callow said.

Carmakal said Mandiant had provided Microsoft on Wednesday with as much detail as it could about the threat so it could distribute details to its customers. A Microsoft spokesman had no immediate comment.
—-
Associated Press writers Eric Tucker in Washington, D.C., Lisa Baumann in Seattle, Deepti Hajela in New York City and Michael Hill in Albany, N.Y. contributed to this report.

Today’s Top Stories

All News

At least 127 people are dead and hundreds more injured, police say, after chaos and violence erup...
Heather Chen, Raja Razek and Kareem El Damanhoury, CNN

Indonesia stadium riot: At least 127 people reported dead following soccer match, police say

At least 127 people are dead and hundreds more injured, police say, after chaos and violence erupted late on Saturday following an Indonesian league soccer match between two of the nation's biggest teams.
1 day ago
The National Archives has told the House Oversight Committee that certain presidential records from...
Whitney Wild and Katelyn Polantz, CNN

National Archives says it still doesn’t have all Trump White House records

The National Archives has told the House Oversight Committee that certain presidential records from the Trump administration remain outstanding, citing information that some White House staff used non-official electronic systems to conduct official business.
1 day ago
Sister Tracy Y. Browning, second counselor in the Primary general presidency, speaks during the Sat...
Waverly Golden

Saturday morning conference session makes history

During the Saturday morning session of the 192nd Semiannual General Conference of The Church of Jesus Christ of Latter-day Saints, Sister Tracy Y. Browning became the first Black woman to ever speak at a general conference.
1 day ago
u of u student arrested...
Waverly Golden

Other paths to consider when thinking about attending college

Following the student loan forgiveness announcement, college is on everyone's mind. Dave Noriega takes an in-depth look at the alternatives.
1 day ago
Around 1:02 p.m. this afternoon, a pickup truck with two occupants ended up in a ditch filled with ...
Waverly Golden

Pickup truck crash leaves two dead

The Utah Department of Public Safety says the occupants, a male driver and passenger sustained fatal injuries. 
1 day ago
Firefighter Fred Woods assesses damages at Tragedy Springs (Jonathan Pierce Calfire)...
Dan Bammes

The sad history of Tragedy Spring

The Mormon Battalion historic site, high in the Sierras is in sad shape after windstorms and wildfires.
1 day ago

Sponsored Articles

Young woman receiving laser treatment...
Form Derm Spa

How facial plastic surgery and skincare are joining forces

Facial plastic surgery is not only about looking good but about feeling good too. The medical team at Form Spa are trained to help you reach your aesthetic outcomes through surgery and through skincare and dermatology, too.
large group of friends tohether in a park having fun...
BYU MBA at the Marriott School of Business

What differentiates BYU’s MBA program from other MBA programs

Commitment to service is at the heart of BYU’s MBA program, which makes it stand out among other MBA programs across the country.
a worker with a drill in an orange helmet installs a door in the house...
Price's Guaranteed Doors

Home improvement tip: Increase the value of your home by weatherproofing doors

Make sure your home is comfortable before the winter! Seasonal maintenance keeps your home up to date. Read our tips on weatherproofing doors.
Curb Appeal...
Price's Guaranteed Doors

How to have the best of both worlds for your house | Home security and curb appeal

Protect your home and improve its curb appeal with the latest security solutions like beautiful garage doors and increased security systems.
A paper reading IRS, internal revenue service is pictured...
Jordan Wilcox

The best strategies for dealing with IRS tax harassment | You have options!

Learn how to deal with IRS tax harassment. This guide will teach you how to stop IRS phone calls and letters, and how to handle an IRS audit.
spend a day at Bear Lake...
Bear Lake Convention and Visitors Bureau

You’ll love spending the day at Bear Lake | How to spend a day at Bear Lake

Bear Lake is a place that needs to be experienced. Spend a day at Bear Lake.
FBI warns ransomware assault threatens US health care system