A recent wave of ransomware attacks has infected more hospitals than previously known, including a University of Vermont network with locations in New York and Vermont.
The University of Vermont Health Network is analyzing what appears to be a ransomware attack from the same cybercrime gang that has infected at least three other hospitals in recent weeks, according to two sources familiar with the investigation who weren’t authorized to comment about it before it is complete.
Several federal agencies warned Wednesday of “an increased and imminent cybercrime threat” to the country’s health care providers, particularly from a gang that uses a strain of ransomware called Ryuk. The U.S. has repeatedly hit record highs for daily confirmed coronavirus infections.
The FBI and the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, sent an updated alert Thursday night with new technical information, adding that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
As many as 20 medical facilities have been hit by the recent wave of ransomware, said a person with knowledge of the matter, who spoke on the condition of anonymity because they weren’t authorized to speak publicly. The figure includes multiple facilities within the same hospital chain.
Three other hospital chains have recently confirmed cyberattacks, believed to be ransomware, by the same gang: the Sky Lakes Medical Center, with 21 locations in Oregon; Dickinson County Healthcare System in Michigan and Wisconsin; and the St. Lawrence Health System in northern New York. It was not clear how much of their systems or how many locations had been hit by the ransomware.
Tom Hottman, a spokesperson for Sky Lakes Medical Center, confirmed that the company had been infected with Ryuk and said its computers were inaccessible, halting radiation treatments for cancer patients.
“We’re still able to meet the care needs for most patients using work-around procedures, i.e. paper rather than computerized records. It’s slower but seems to work,” he said in an email.
Joe Rizzo, a spokesperson for Dickinson, said in an email that their hospitals and clinics are using paper copies for some services because computer systems are down.
Rich Azzopardi, senior adviser to New York Gov. Andrew Cuomo, said the state’s Division of Homeland Security and Emergency Services and other groups had been in communication about the St. Lawrence attack.
Details about a major wave of ransomware attacks on U.S. hospitals began to emerge at the end of September when computer systems for Universal Health Services, one of the biggest hospital chains in the country, were hit, forcing some doctors and nurses to use pen and paper to file patient information. Jane Crawford, the chain’s director of public relations, said in an email at the beginning of October that no one had died because of the attack.
In ransomware attacks, the attackers often gain access to secure systems and then encrypt files. They then demand money to decrypt the files.
Ryuk is transmitted through one of the cybercrime world’s largest and most notorious botnets — an aligned army of compromised computers — referred to in cybersecurity circles as Trickbot. Both Microsoft and reportedly U.S. Cyber Command have independently undertaken efforts recently to disrupt Trickbot, apparently without enough success to prevent this wave of hospital infections.
Brett Callow, an analyst for the cybersecurity company Emsisoft, said that the true extent of the attacks has yet to be uncovered and that local reports about hospitals indicated that several more had been hit.
Ransomware attacks have been a consistent threat to American industry and local governments for several years, but attacks on the country’s health care systems have risen this year, said Allan Liska, an analyst at the cybersecurity firm Recorded Future, who monitors known infections.
“We’ve tracked 62 reported healthcare ransomware infections this year. Compared to 50 all of last year,” Liska said in a text message.
“Keep in mind that unless an incident becomes public, there is a couple-of-month lag between the incident and reporting. So the real number is much higher,” Liska said.
A Department of Health and Human Services security memo produced for health care providers this year, which was reviewed by NBC News, shows that private security companies and the U.S. government attribute Ryuk ransomware to Russian cybercriminal groups.
The private security firm CrowdStrike assessed with “medium confidence” that Russian threat actors use Ryuk, and the cybersecurity company FireEye said the “most likely hypothesis” is that Ryuk operators are Russian cybercriminals, according to the memo. As NBC News has previously reported, Russian cybercriminal groups sometimes work with the Russian government, but in other instances they can work on their own.