Health sector mobilizes defenses following Ryuk ransomware warning

Threat briefings are being held for hospital executives, federal officials are appealing for more data and hospitals are hardening their computer networks.

A day after U.S. federal agencies warned of an “imminent” ransomware threat to hospitals, it’s an all-hands-on-deck mentality for a health sector already strained by the coronavirus pandemic.

Private threat briefings are being held for hospital executives, federal officials are appealing for more data on the cybercriminals and hospitals are hardening their computer networks.

The defensive measures follow an advisory Wednesday from the FBI and departments of Homeland Security and Health and Human Services that cybercriminals were deploying Ryuk ransomware to disrupt IT networks and extort hospitals. It was a stark warning, even for a health care sector accustomed to pandemic-era cyberattacks: Medical organizations are being singled out by capable crooks.

While the federal agencies did not name victim organizations, the announcement coincided with suspected ransomware attacks this week on hospitals in New York, Oregon and Vermont, and perhaps other states.


The American Hospital Association, which includes 5,000 health care organizations, is in close touch with government agencies in an effort to disseminate threat data to hospitals across the country, said John Riggi, the association’s senior adviser for cybersecurity and risk.

Riggi, a former senior FBI official, urged health care providers to back up their data and expedite patching of technology accessible via the internet. “Hospitals should also be prepared to re-route patients to hospitals outside their area if there is a simultaneous regional outage of multiple-hospital IT systems,” he said.

The public-private coordination includes phone briefings that the FBI, DHS and HHS officials held for health care organizations on Wednesday and Thursday. The federal officials encouraged health care executives to share as much technical data about the attacks as possible, and indicated that the search for victims of the ransomware campaign was ongoing.

Mitch Parker, executive director of information security and compliance at Indiana University Health, said that security experts were hunting for potential ransomware infections at various health care organizations.

“Health care organizations need to make decisions relevant to what services they use that are potentially exposed, putting their networks at risk,” Parker said.


There have been no reports of the ransomware attacks affecting patient safety.

Analysts at FireEye put a name to the criminal gang behind the attacks: UNC1878. The cyber-crooks are based in Eastern Europe, according to FireEye, and have been known to demand tens of millions of dollars in ransom. They are “one of the most brazen, heartless and disruptive threat actors I’ve observed over my career,” said Charles Carmakal, a senior vice president at Mandiant, FireEye’s incident response arm.

“We are actively trying to notify health care organizations that are compromised by ransomware operators,” Carmakal said, “in an effort to help them eradicate the threat actor before ransomware is deployed.”

The criminal group is swift in deploying ransomware once inside organizations’ networks, and they have accounted for a large chunk of Ryuk-related intrusion attempts known to FireEye this year.

“This really speaks to the scale of their operation; they’re hustling,” FireEye researcher Van Ta said Wednesday on a webinar hosted by the SANS Institute.


Leading Republicans on the House Energy and Commerce Committee urged the Trump administration to go after the hackers for what they did.

“To attack hospitals, especially during the COVID pandemic, and threaten the health and safety of vulnerable Americans is heartless and cruel. These attackers should suffer the full fury of American capability,” said Oregon Rep. Greg Walden, the top GOP member of the full committee; Washington Rep. Cathy McMorris Rodgers, ranking minority member of the Consumer Protection and Commerce Subcommittee; Kentucky’s Brett Guthrie, top Republican on the Oversight and Investigations Subcommittee; and Texas Rep. Michael Burgess, the ranking minority member of the Health Subcommittee.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.