UHS Hospitals hit by Ryuk ransomware, forced to shut down systems

Attackers will once again turn their attention to disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life.

Daniel Norman, Senior Solutions Analyst at the ISF.

Universal Health Services (UHS), one of the largest healthcare services provider, has reportedly shut down systems at healthcare facilities around the U.S. after a cyberattack hit its networks.

According to UHS, through its subsidiaries, the company operates 26 Acute Care hospitals, 328 Behavioral Health inpatient facilities, and 42 outpatient facilities and ambulatory care centers in 37 states in the U.S., Washington, D.C., Puerto Rico and the United Kingdom

At the time, UHS has no evidence that patient or employee data was accessed, copied or misused, the company says.

Daniel Norman, Senior Solutions Analyst at the London-based Information Security Forum, notes that the healthcare industry has been under immense pressure during the pandemic. “Staff shortages, lack of medicine, hospital beds and personal protective equipment have pushed the healthcare services to breaking point. In addition to these clear operational concerns, threats from the cyber domain remain apparent, invasive, and in some cases, deadly. Over the coming years, these security threats will continue to accelerate around the world over as far more invasive and automated technology makes its way into the operating room and in some cases, the human body. Attackers will once again turn their attention to disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life.”

Despite the healthcare sector standing out for its cyber approach (strong internal email protection, user awareness training and web security), it continues to fall victim to attack. In fact, in healthcare-specific research with HIMSS, cybersecurity firm Mimecast found that:

• 90% of healthcare organizations experienced email borne attacks in the past year, with 25% suffering from very or extremely disruptive attacks.
• Attacks that impersonated trusted vendors or partners were the most common cause of disruption (61%), followed by credential harvesting-focused phishing attacks (57%).
• Nearly three quarters (72%) of respondents experienced downtime as a result of an attack.
• Productivity was the most common type of loss (55%), followed by data (34%) and financial (17%).

Jeff Horne, CSO, Ordr, says, “Ransomware keeps making headlines as researchers warn of a seven-fold increase compared to last year. One ransomware variant that is particularly concerning is Ryuk, which has been attributed to North Korean and Russian threat actors. Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents, and compromised accounts.”

“Some threat actors are still piggybacking Ryuk behind some other trojans/bots like TrickBot, QakBot, and Emotet, and some of those can use the EternalBlue vulnerability to propagate. EternalBlue propagation has unfortunately been very successful in hospitals with WannaCry by compromising legacy systems running SMBv1 (like WindowsXP), and it’s crucial to be able to detect something like the EternalBlue exploit to discover malicious lateral movement. IoMT security is more critical than ever before, as we’ve recently seen patients die as a result of being held hostage,” adds Horne.

“The healthcare services have an outdated approach to security awareness, education and training. With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is urgent. In addition, the safety and wellbeing of patients has historical been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online,” adds Norman. “This is an exciting time for the healthcare industry but it is also dangerous. As technology-based solutions begin to flourish, so will the risks and threats accompanying them.”

Horne has four steps for any organization that has been hacked with ransomware:

1. Take stock of the situation: the first thing to find out is if the ransomware is propagating through your network and, if it is, you need to stop it by leveraging detection and response (XDR) or incident response tools. After you’ve done everything possible to isolate and get your machines off the infected network, the next step is to find out what you’re dealing with so do a simple search online and see if there’s a decryptor available so you don’t have to pay any ransom.
2. Look outside for help: If you can’t easily find a solution online or recover data from backup solutions, you have to open up a dialogue with the attacker. If your company has internal security expertise and cryptocurrency on hand, then this may be a task you can handle without outside help. If that’s not the case, you’ll have to enlist an outside, third-party provider that specializes in resolving ransomware attacks.
3. Test the codes: If you do have to enlist outside help, there’s usually a testing process that decrypts a sample of the network to prove the attacker does have the keys. You now know that they do have what you need to get your data back. But, I want to stress this: don’t try to negotiate. You’re dealing with an anonymous party so you have literally no leverage (and there’s no guarantee of recovery).
4. Decrypt the network: after you’ve tested the keys and paid the ransom, it could take days or even months to decrypt all of your data. That said, paying the ransom doesn’t necessarily mean you’ll actually get the decryption key or that it will work. Also, keep in mind that if you’re dealing with an older ransomware, you could be throwing money into a bucket no one’s monitoring anymore, so they’re not exchanging keys and you have less than a 50% chance of ever getting your data back.