The hacking group that created Ryuk ransomware – thought to be an eastern European hacking group known as Wizard Spider – has increased attacks targeting hospitals and health systems in the United States. This week a range of attacks on hospitals from the Californian coast to the eastern seaboard has taken place, with 6 Ryuk ransomware attacks on hospitals reported in just one day.

Ryuk ransomware can inflict widespread file encryption across complete networks, disabling systems and stopping medics from accessing patient data. Even when the attacks are removed quickly, systems must be disabled to stop the spread of the ransomware. While hospitals have disaster protocols for exactly this kind of incident and patient data can be recorded using pen and paper, the disruption caused is massive. Non-essential procedures and appointments often need to be cancelled and, in some cases, hospitals have been forced to divert patients to alternative medical centers.

It is not known if any ransomware attacks on U.S. hospitals have led to deaths, but there was recently a death in an attack in Germany, where a patient was sent to a different hospital and died before lifesaving treatment could be carried out. Had the ransomware attack not taken place, treatment could have been provided in time to save the patient’s life. The attacks in the United States also have the potential to lead to a fatality, especially in such a large-scale, coordinated campaign.

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) released an advisory after credible evidence emerged indicating that Ryuk ransomware attacks on U.S. hospitals and healthcare providers were about to surge.

It remains unknown why the attacks have spiked now and what the specific motives for the current campaign are, but recently Microsoft and U.S. Cyber Command, in conjunction with several cybersecurity companies, disrupted the TrickBot botnet – a group of devices infected with the TrickBot Trojan. The TrickBot Trojan is operated by a different cybercriminal group from the one behind Ryuk, but it was widely used to distribute Ryuk ransomware. The botnet is back up and operational, with the threat actors changing to a different infrastructure, but there have been suggestions that the surge in attacks could be a response to the takedown.

The Ryuk ransomware attacks on hospitals come at a time when healthcare providers are fighting the coronavirus pandemic. In the United States the number of new cases is higher than at any time since the beginning of the pandemic. Hospitals cannot afford to find themselves in a position where systems are taken out of action and patient care is disrupted. The timing of the attacks is such that hospitals may feel there is little option other than paying the ransom to ensure that disruption remains minimal. The ransomware gangs planned the attacks to cause maximum disruption.

Ryuk ransomware attacks on hospitals had already been increasing over time in the United States prior to the latest surge. Figures published by Check Point Research in recent days show ransomware attacks on hospitals grew by 71% from September, with healthcare the most targeted industry sector, not only in October, but also in Q3 2020. Ryuk ransomware attacks account for 75% of all ransomware attacks on hospitals in the United States.

There is some worry that the most recent attacks will be just the tip of the iceberg. Some security experts suggest the gang is looking to attack hundreds of hospitals and health groups in the United States in this campaign. Every attack on a health system could see many hospitals impacted. The attack this week on the University of Vermont Health Network infiltrated seven hospitals.

Securing against ransomware attacks can be a challenge, as a number of different methods are used to obtain access to healthcare networks. Ryuk ransomware is commonly delivered by the TrickBot Trojan, which is itself delivered as a secondary payload by the Emotet Trojan. The Buer loader and BazarLoader are also being used to deliver Ryuk ransomware. These malware loaders are sent via phishing emails, so a good spam filter is vital.

Staff should be made aware of the heightened threat of attack and advised to exercise extra caution with emails. Software updates need to be applied promptly and all systems kept fully patched and up to date. Default passwords should be changed and complex passwords set, with multi-factor authentication implemented where possible. If systems do not need to be connected to the Internet, they should be disconnected, and RDP should be turned off.

It is also crucial for ongoing backups of critical data to be made and for those backups to be stored safely on non-networked devices, so that in the event of an attack hospitals have the option to recover their data without having to meet the ransom demand.

More details on indicators of compromise and other mitigations can be seen here.