Ransomware actors have for years targeted hospitals because locking up a health care organization's digital systems can threaten patient care and create maximum urgency to pay up and recover. More recently, both the rate of infections against the industry and the demands themselves have exploded; antivirus firm Emsisoft found that the average ransomware ask has increased from about $5,000 in 2018 to about $200,000 this year, with multimillion-dollar demands becoming increasingly common. Last month, the provider Universal Health Services was hit with a Ryuk attack that rippled through its 250 US hospitals and clinics, crippling digital services and impacting facilities around the country.
Even so, the current spree of infections marks an alarming shift in how aggressive financially motivated ransomware groups have become, and how far they're willing to go. "This is to me the most significant cyber threat that we've experienced in the US to date," says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant, which is owned by FireEye. "There is a moral line that every person, just as a human being, recognizes exists. When you do something knowing that you are potentially impacting somebody's life, you've crossed the line. So there's a very clear crossing of the line by this threat actor. This group is incredibly brazen, heartless, relentless."
The attacks may not match the devastation of the Russian government's critical infrastructure attacks in Ukraine, but they have hobbled victim hospitals around the country, including in California, Oregon, and New York. In many cases, victims have had to reschedule appointments, delay procedures, or refer patients to other facilities to receive timely care. The US government alert lays out recommendations and best practices for how hospitals can protect themselves, and private firms like Mandiant have been sharing indicators of compromise as well, so health care facilities can monitor their systems extra closely and try to head off potential attacks. One major concern is that hundreds of organizations may have already been compromised by attackers, and that ransomware, or the means to deploy it, is lurking until the hackers decide to trigger it.
New infections could continue as well. Experienced, well-resourced ransomware groups like UNC 1878 can move quickly to deploy ransomware once they compromise a target if they choose to, but there is still generally a window to catch and prevent an attack. And organizations can also be prepared to quickly remediate a successful ransomware attack and get their systems back online through safeguards like backups and tools specially developed to recover from Ryuk. Some firms, like Emsisoft, are offering their services for free right now to health care organizations.
"I have two US customers in the health care industry and it appears they were compromised by a shared administrative interface that was used to deploy malware into these environments," says Greg Linares, a researcher at the security firm CyberPoint. "Right now we're working with the teams to minimize this story. That means we got rid of the malware before it deployed versus the story in a week or so that could say 100-plus hospitals got hit by ransomware."