Hospitals hit with ransomware attacks as FBI warns of escalating threat to healthcare

Federal agencies warn that cybercriminals are escalating their extortion attempts against the healthcare sector even as hospitals are facing a nationwide surge in COVID-19 cases.

Several U.S. hospitals have already been targeted in ransomware attacks this week 

So far, St. Lawrence Health Systems in New York and the Sky Lakes Medical Center in Oregon have been targeted over the past few days, according to confirmed reports by CNN.

In a joint alert issued Wednesday evening, the FBI and two federal agencies warned they have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers."

The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the FBI issued the advisory to warn healthcare providers to ensure that they take "timely and reasonable precautions to protect their networks from these threats."

In the advisory (PDF), the agencies said malicious groups are targeting the sector with attacks that could lead to “data theft and disruption of healthcare services.”

RELATED: UHS hit with massive cyber attack as hospitals reportedly divert surgeries, ambulances

"These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments," the agencies said.

Mandiant, a cybersecurity firm, identified at least three attacks on Tuesday and one on Wednesday, with patients getting diverted to other hospitals as a result.

"We are experiencing the most significant cybersecurity threat we've ever seen in the United States," Charles Carmakal, Mandiant's senior vice president and chief technology officer told CNN.

A Trump administration official told CNN that several hospitals have been targeted in the attacks over the past two days, and while it's still early, the official said the incidents may be connected. The federal government is investigating the attacks, the official said, according to CNN.

St. Lawrence Health Systems confirmed in a statement to the news network that the virus has been identified as a new variant of Ryuk ransomware, previously unknown to antivirus software providers and security agencies.

In a statement sent to Fierce Healthcare, Carmakal said UNC1878, an Eastern European criminal threat actor, is deliberately targeting and disrupting U.S. hospitals with ransomware, forcing them to divert patients to other healthcare providers.

"UNC1878 is one of most brazen, heartless, and disruptive threat actors I’ve observed over my career. We are releasing a significant amount of information about UNC1878 to help organizations defend their networks," he said.

As a result of the attacks, patients may experience prolonged wait time to receive critical care.

RELATED: UHS breach shows the dangers facing hospitals with growing ransomware threats

"Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline. As hospital capacity becomes more strained by COVID-19, the danger posed by this actor will only increase," Carmakal said.

 On Twitter, Chris Krebs, director of the CISA, warned health care and public health individuals to have their "shields up! Assume Ryuk is inside the house. Executives - be ready to activate business continuity and disaster recovery plans. IT sec teams - patch, MFA, check logs, make sure you have a good backup point."


In October, Universal Health Services (UHS) was hit by a massive cyberattack that took down all of its IT systems.

UHS, which operates 400 hospitals and behavioral health facilities in the U.S. and the U.K., was hit with a notorious ransomware strain known as Ryuk, according to media reports. Affected hospitals had tp redirect ambulances and relocating patients in need of surgery to other nearby hospitals, according to media reports.

It took two weeks for the organization to fully restore its IT systems.

It's the latest in a stream of cyber attacks against the healthcare sector.

Cybersecurity firm CrowdStrike has tracked a disturbing trend in the last 18 months in which adversaries are moving beyond encrypting files to exfiltrating data and threatening to release it if demands are not met, according to Adam Meyers, senior vice president of intelligence at CrowdStrike, in a statement to Fierce Healthcare.

"In fact, in some cases, the attackers demand two ransoms—one to delete the data and another to decrypt it," Meyers said.

Over the coming years, these security threats will continue to accelerate around the world over as far more invasive and automated technology makes its way into the operating room, according to Daniel Norman, a senior solutions analyst at the Information Security Forum.

"Attackers will once again turn their attention to disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life," he said.