Over 400 United States Hospitals Effected by Ransomware

By Edgar Namoca on October 15, 2020

(By: Edgar Namoca on October 15, 2020)


September 28, 2020 United Health Services (UHS) was the victim of a ransomware attack [1].  This attack was initiated at midnight when less technical staff would be available to respond to the incident.  UHS employees from California, Florida, Texas, Arizona, and Washington D.C loss access to computers, phone systems, databases, and the internet [2].  In fear of more computers being compromised by the malware employees were instructed to shut down the computers to prevent further damage [2].  The malware known as Ryuk is behind this cyber-attack [1].


Ryuk is a ransomware that was first discovered in August 2018.  This ransomware is similar to a program called Hermes that was used by the North Korean state-sponsored hacker group Lazarus [2].  Like the Hermes ransomware used by North Korea, it is a ransomware available for purchase on the black market.  This ransomware has caused over four million dollars in damages over the last few years [3].   Ryuk is ran and maintained by a group called Wizard Spider a Russian hacker group also associated with the TrickBot and Emotet banking malware used for credential theft [2].


Ryuk does not appear on computers without Emotet, first compromising the victim computer.  Emotet finds its way onto computers through Phishing emails [4].  The malware is embedded within a Microsoft document attached to the email which is labeled with something to do with payroll or financial information.  This is a common social engineering technique used by adversaries to trick victims into downloading their malware.  This document will contain a macro that a user is required to click to view the information in the document.  Upon clicking this macro, the computer will run a PowerShell script downloading Emotet onto the victim’s computer [5].  After Emotet is downloaded it will download additional toolkits containing other malware such as TrickBot. These toolkits are used for persistence to create backdoors for later use by adversaries.  If the compromised computer is a part of a high-profile organization like UHS, adversaries will download and run Ryuk.  When running Ryuk for the first time it will search for all shadow copies, and backups of the computer [5].  If any backups are found the malware will delete it making it difficult to roll back the system to an uncompromised state.  Once all backups are removed it will then begin to search for physical and attached network storage devices [5].  After finding all the storage devices possible it will then encrypt all documents found on the storage devices with (Rivest-Shamir-Adleman) RSA and AES (Advanced Encryption Standard) encryption.  Once it is done it will leave a Hypertext Markup Language (HTML) document on the desktop of the computer with the ransom note demanding money [2].


The denial of service that was caused by this attack led to the death of four patients waiting for medical test results to perform lifesaving procedures [4].  This attack also caused the need to relocate patients and reroute ambulances to hospitals that were still operating normally.  Additionally, on September 29, 2020, UHS publicly announced that they were victims of the malware and that no personal information was taken or used for malicious intent during the attack [4].


Ryuk is one of many ransomware attacks that use the same foothold method as other successful ransomware attacks.  The underlying issue to the events that happened is due to a lack of employee training.  If audit systems or in-house phishing testing were done on employees, they would be more aware of phishing attempts and less likely to become victims of these scams.  In most of these situations increased employee training could have mitigated these vulnerabilities without the need to invest more money on intrusion prevention systems, or new information security employees.


As of October 12, 2020, it was reported that all sites attacked returned to normal operations.  There are no reports confirming what was asked for in the ransom note or whether the hospitals paid the demand [6].   It was confirmed that all sites were affected by this attack but slowly over time all networks and applications were restored [6].







[6] https://healthitsecurity.com/news/uhs-health-system-confirms-all-us-sites-affected-by-ransomware-attack