Universal Health Services (UHS) has suffered a ransomware attack that has taken IT systems out of action across its nationwide network of hospitals. UHS is a Fortune 500 healthcare provider and one of the largest providers of hospital and healthcare services in the United States. UHS has around 400 hospitals and healthcare facilities throughout the United States, Puerto Rico and the UK and had annual revenues of $11.37 billion in 2019.
The cyberattack occurred in the early hours of Sunday 27 September 2020. Computer systems started shutting down across many UHS locations in the United States, and many employees from UHS facilities across the United States took to Reddit to confirm they had been affected by the attack.
On Monday, UHS issued a statement confirming a security breach had occurred. “The IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue. We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”
In an interview on Monday, UHS President Marc Miller confirmed that computer systems had been shut down to contain the attack. Miller confirmed that malware was involved but did not name the malware family or say whether ransomware was used. However, several employees posted on Reddit confirming that this was in fact a ransomware attack, with some identifying the malware as Ryuk ransomware. Several posters said files were being renamed with the .ryk extension appended, and several employees saw a ransom note containing the text “Shadow of the Universe”, a phrase used in Ryuk ransom notes.
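The two indicators employees reported (files renamed with a .ryk extension and a ransom note containing "Shadow of the Universe") are enough for a quick host-triage sweep. The script below is an added example, not code from UHS or any vendor: it walks a directory tree, counts .ryk files per directory, looks for the note phrase inside small text or HTML files (the assumption that Ryuk drops its note as a .txt/.html file is ours; the match keys on the note text, not the filename), and returns a verdict. The sample file share it builds is constructed for the demonstration.

```python
"""Added example: host-triage sweep for the Ryuk indicators reported in the article.
Not UHS or vendor code. Thresholds, note file extensions and the sample tree are
constructed assumptions for illustration."""
import os
import tempfile
from collections import Counter

RYUK_EXTENSION = ".ryk"
RYUK_NOTE_MARKER = "shadow of the universe"   # phrase from the article, matched case-insensitively
NOTE_MAX_BYTES = 64 * 1024                    # ransom notes are small; never read large files


def is_ryuk_encrypted_name(name: str) -> bool:
    """True for names like 'report.xlsx.ryk' (original name kept, .ryk appended)."""
    return name.lower().endswith(RYUK_EXTENSION) and len(name) > len(RYUK_EXTENSION)


def looks_like_ryuk_note(path: str) -> bool:
    """Read the head of a small file and look for the ransom-note phrase."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(NOTE_MAX_BYTES)
    except OSError:
        return False
    return RYUK_NOTE_MARKER in head.decode("utf-8", errors="ignore").lower()


def scan_tree(root: str, note_ext=(".txt", ".html")) -> dict:
    """Walk root; count .ryk files per directory and collect ransom notes found."""
    encrypted_per_dir = Counter()
    notes = []
    total_files = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total_files += 1
            full = os.path.join(dirpath, name)
            if is_ryuk_encrypted_name(name):
                encrypted_per_dir[dirpath] += 1
            elif name.lower().endswith(note_ext) and looks_like_ryuk_note(full):
                notes.append(full)
    encrypted = sum(encrypted_per_dir.values())
    return {
        "total_files": total_files,
        "encrypted_files": encrypted,
        "encrypted_ratio": encrypted / total_files if total_files else 0.0,
        "hit_directories": sorted(encrypted_per_dir),
        "ransom_notes": sorted(notes),
    }


def verdict(summary: dict, ratio_threshold: float = 0.25) -> str:
    """'confirmed' when .ryk files co-occur with a note or dominate the share,
    'suspected' on a single indicator, otherwise 'clean'. Threshold is an assumption."""
    has_enc = summary["encrypted_files"] > 0
    has_note = bool(summary["ransom_notes"])
    if has_enc and (has_note or summary["encrypted_ratio"] >= ratio_threshold):
        return "confirmed"
    if has_note or has_enc:
        return "suspected"
    return "clean"


def build_sample_tree() -> str:
    """Constructed sample: a small file share after a Ryuk run (not real UHS data)."""
    root = tempfile.mkdtemp(prefix="ryuk_demo_")
    layout = {
        "finance/q3_report.xlsx.ryk": b"\x00" * 32,
        "finance/RyukReadMe.txt": b"Your network has been penetrated.\nShadow of the Universe\n",
        "finance/README.txt": b"Quarterly close checklist\n",
        "hr/policies.pdf.ryk": b"\x00" * 32,
        "hr/handbook.pdf": b"%PDF-1.4 sample\n",
        "it/inventory.csv": b"host,ip\n",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    print(summary)
    print("verdict:", verdict(summary))
```

Run it against a mounted copy of a suspect share rather than the live host: the sweep is read-only, but the instruction employees received (power off and leave machines off) is the right call while the ransomware may still be running, and a scan that keeps a compromised host awake works against that.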
Employees confirmed that they had been instructed to turn off their computers and not turn them on again until the attack was mitigated. They were told it would likely be days before IT systems were brought back online.
While systems are down, employees have switched to pen and paper and medical services continue to be provided to patients, although ambulances have been diverted to nearby hospitals and patients due to have surgery have been relocated to other healthcare facilities.
The operators of Ryuk ransomware are known to exfiltrate data prior to deploying ransomware, but UHS said in a statement that “No patient or employee data appears to have been accessed, copied or otherwise compromised.”
During the COVID-19 pandemic, several ransomware operators publicly stated that they either do not target healthcare providers or would refrain from doing so during the pandemic, but the operators of Ryuk ransomware made no such concessions and continued to attack healthcare providers.
The cybercriminals behind Ryuk ransomware are believed to operate out of Russia, with some cybersecurity firms linking the attacks to two or more cybercriminal organizations in Russia and former Soviet states. CrowdStrike has attributed the attacks to a Russian hacking group it tracks as Grim Spider, which is part of a larger cybercriminal organization known as Wizard Spider. Wizard Spider is known for operating the TrickBot Trojan, which is often used to deliver Ryuk ransomware. TrickBot is mostly delivered through spam email or is installed by the Emotet Trojan, which itself is primarily delivered via phishing emails.
Ryuk ransomware attacks typically target large organizations with the means to pay large ransom demands, and many victims have chosen to pay to recover their data. The hackers are believed to have raked in many millions of dollars in ransom payments over the past two years.