Russian Hackers Target US Hospitals in Ransomware Attack

By Paul Ausick

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) on Wednesday issued a cybersecurity advisory describing a ransomware attack against U.S. health care targets “to infect systems with Ryuk ransomware for financial gain.” The agencies warned of an “imminent threat to U.S. hospitals and healthcare providers.”

As of Thursday morning, CNN had confirmed two targets: St. Lawrence Health Systems in Potsdam, New York, and Sky Lakes Medical Center in Klamath Falls, Oregon. At least six attacks had been reported, and a larger number is likely. Health care providers in Minnesota and Vermont also have been reported as victims of the attack.

Charles Carmakal of cybersecurity firm Mandiant told CNN that the United States is “experiencing the most significant cyber security threat we’ve ever seen.” The attacks are forcing hospitals to try to find other providers, which drives up the wait time for patients to receive critical care.

If the ransomware attack cannot be limited, the rising number of U.S. cases of COVID-19 could overwhelm health care facilities, and lack of treatment could send the death toll higher.

The Russian ransomware group Ryuk reportedly has been discussing the attacks on more than 400 U.S. health care facilities, according to Alex Holden of Milwaukee-based Hold Security, who spotted communications among group members earlier this week.

According to Wednesday’s warning, the Russian group is targeting the U.S. health care sector with TrickBot malware, which creates files in certain Microsoft Windows folders that initiate communication with the hackers’ command and control servers. Once the files are deployed, other malicious scripts are executed to lock the files and generate a ransom demand.

About two weeks ago, Microsoft and other tech partners shut down 62 of Ryuk’s 69 command and control servers. According to a report at Ars Technica, the ransomware group promptly fired up 59 new servers, of which all but one were shut down.

One side effect of the counterattack against Ryuk was a change to the TrickBot malware that severely challenges security experts’ ability to track the group.

The FBI, CISA and HHS offer little more to potential targets than to patch their software as soon as an update is available and take other routine security precautions like changing passwords more often, using multifactor authentication and disabling remote access ports.

The agencies also recommend that affected health care providers not pay ransoms because “payment does not guarantee files will be recovered” and payments may lead to more attacks in the future.
