Universal Health Services (UHS), one of the largest healthcare services providers, has reportedly shut down systems at healthcare facilities around the U.S. after a cyberattack hit its networks.

According to UHS, through its subsidiaries, the company operates 26 Acute Care hospitals, 328 Behavioral Health inpatient facilities, and 42 outpatient facilities and ambulatory care centers in 37 states in the U.S., Washington, D.C., Puerto Rico and the United Kingdom.

At this time, UHS has no evidence that patient or employee data was accessed, copied or misused, the company says.

An employee told BleepingComputer that, during the cyberattack, files were being renamed to include the .ryk extension. This extension is used by the Ryuk ransomware, reports BleepingComputer. "Another UHS employee told us that one of the impacted computers' screens changed to display a ransom note reading 'Shadow of the Universe,' a similar phrase to that appearing at the bottom of Ryuk ransom notes. Based on information shared with BleepingComputer by Advanced Intel's Vitali Kremez, the attack on UHS' system likely started via a phishing attack," BleepingComputer says.

Despite the healthcare sector standing out for its cyber approach (strong internal email protection, user awareness training and web security), it continues to fall victim to attack. In fact, in healthcare-specific research with HIMSS, cybersecurity firm Mimecast found that:

  • 90% of healthcare organizations experienced email-borne attacks in the past year, with 25% suffering from very or extremely disruptive attacks.
  • Attacks that impersonated trusted vendors or partners were the most common cause of disruption (61%), followed by credential harvesting-focused phishing attacks (57%).
  • Nearly three quarters (72%) of respondents experienced downtime as a result of an attack.
    • Productivity was the most common type of loss (55%), followed by data (34%) and financial (17%).

Jeff Horne, CSO, Ordr, says, “Ransomware keeps making headlines as researchers warn of a seven-fold increase compared to last year. One ransomware variant that is particularly concerning is Ryuk, which has been attributed to North Korean and Russian threat actors. Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then move laterally through open shares, infecting documents, and compromised accounts.”

“Some threat actors are still piggybacking Ryuk behind some other trojans/bots like TrickBot, QakBot, and Emotet, and some of those can use the EternalBlue vulnerability to propagate. EternalBlue propagation has unfortunately been very successful in hospitals with WannaCry by compromising legacy systems running SMBv1 (like Windows XP), and it’s crucial to be able to detect something like the EternalBlue exploit to discover malicious lateral movement. IoMT security is more critical than ever before, as we’ve recently seen patients die as a result of being held hostage,” adds Horne.

Mohit Tiwari, Co-Founder and CEO at San Francisco, Calif.-based Symmetry Systems, notes that hospitals have a challenging setting. "The shift in mentality that hospital executives must get to is that compute infrastructure in hospitals is key to healthcare, and computing failures are healthcare failures. Further, computing flaws are highly correlated and can spread quickly -- ransomware or a breach of large data stores or compromise of medical equipment on a network. With the right investments, there is new technology that can shift certified workloads into safer virtual machines and put defenses around it, and better identity and authorization methods that prevent small errors from scaling out organization wide," Tiwari says.

Daniel Norman, Senior Solutions Analyst at the London-based Information Security Forum, notes that the healthcare industry has been under immense pressure during the pandemic. "Staff shortages, lack of medicine, hospital beds and personal protective equipment have pushed the healthcare services to breaking point. In addition to these clear operational concerns, threats from the cyber domain remain apparent, invasive, and in some cases, deadly. Over the coming years, these security threats will continue to accelerate around the world as far more invasive and automated technology makes its way into the operating room and in some cases, the human body. Attackers will once again turn their attention to disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life."

"The healthcare services have an outdated approach to security awareness, education and training. With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is urgent. In addition, the safety and wellbeing of patients has historically been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online," adds Norman. "This is an exciting time for the healthcare industry but it is also dangerous. As technology-based solutions begin to flourish, so will the risks and threats accompanying them."

Horne has four steps for any organization that has been hacked with ransomware:

  1. Take stock of the situation: the first thing to find out is if the ransomware is propagating through your network and, if it is, you need to stop it by leveraging detection and response (XDR) or incident response tools. After you've done everything possible to isolate and get your machines off the infected network, the next step is to find out what you're dealing with so do a simple search online and see if there’s a decryptor available so you don't have to pay any ransom.

  2. Look outside for help: If you can’t easily find a solution online or recover data from backup solutions, you have to open up a dialogue with the attacker. If your company has internal security expertise and cryptocurrency on hand, then this may be a task you can handle without outside help. If that's not the case, you’ll have to enlist an outside, third-party provider that specializes in resolving ransomware attacks.

  3. Test the codes: If you do have to enlist outside help, there's usually a testing process that decrypts a sample of the network to prove the attacker does have the keys. You now know that they do have what you need to get your data back. But, I want to stress this: don’t try to negotiate. You're dealing with an anonymous party so you have literally no leverage (and there’s no guarantee of recovery).

  4. Decrypt the network: after you’ve tested the keys and paid the ransom, it could take days or even months to decrypt all of your data. That said, paying the ransom doesn't necessarily mean you'll actually get the decryption key or that it will work. Also, keep in mind that if you’re dealing with an older ransomware, you could be throwing money into a bucket no one's monitoring anymore, so they’re not exchanging keys and you have less than a 50% chance of ever getting your data back.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes that this situation highlights how paralyzing any cyber-attack can be - especially for organizations that possess valuable personal data that can be held for ransom. "As some organizations use a hybrid model of on-prem and cloud servers, they need to deploy modern security solutions that protect assets connecting to cloud services, such as smartphones and tablets," says Schless. "Threat actors know that mobile devices aren’t usually secured in the same way as computers, but now have the same level of access to corporate assets. Mobile phishing has become one of the primary ways threat actors get into corporate infrastructure and deliver a malicious payload that kicks off an attack like this. An advanced hacking group like the one behind Ryuk would likely use social engineering to convince a target employee to download a document or file to their device as their means of entering the infrastructure. Phishing attempts that deliver these attacks are getting more difficult to spot, especially on mobile devices where we can’t spot many of the red flags we’re trained to see on computers."

"During this time when more employees are remote and rely more heavily on mobile devices, it's more difficult for organizations to protect against malware delivered through smartphones, tablets, and Chromebooks. Your employees’ mobile devices enable productivity from anywhere. Without proper security, those mobile devices can represent a significant gap in your overall security posture. A message containing malware can be accessed just as easily from a mobile device as it can from a computer. Mobile devices also have access to the corporate infrastructure. You need to treat mobile devices with the same priority as traditional endpoints in your organization’s security posture," Schless adds.