Oct 29 2020

What Hospitals Should Know About the Ryuk Ransomware Threat

An onslaught of cyberattacks targeting healthcare data is coming, federal officials warn. Providers are urged to step up their defenses.

U.S. government agencies have warned hospitals to brace for an “increased and imminent” wave of ransomware cyberattacks that could compromise patient care and expose personal information.

A joint warning issued Wednesday by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services urges providers to guard themselves against these attacks, which involve threat actors deploying malware to obtain a victim’s data and hold it hostage for a payment.

The agencies state that the Russian botnet Trickbot is likely using Ryuk, a highly infectious ransomware that encrypts network files and disables Microsoft Windows System Restore. That means stolen data can’t be recovered without external backups, a Microsoft executive confirmed to CNN.

Recent attacks on hospitals in California, New York and Oregon are believed to be part of the campaign, which comes just weeks after a massive Ryuk ransomware attack hit a U.S. health system with 250 care sites, which scrambled to redirect ambulances and surgical patients in the aftermath.


Ransomware criminals can demand millions of dollars from unsuspecting victims, and the amounts are substantially higher than previous attacks on healthcare providers, a security analyst told The New York Times. Added costs of downtime, breach remediation and lost revenue will follow.

But ransomware’s consequences are far more than financial. A doctor at one affected target anonymously told Reuters that their hospital now cannot use some critical technologies, transfer sick patients or update electronic health records as officials deal with the situation.

“We can still watch vitals and get imaging done, but all results are being communicated via paper only,” the doctor said.

Why Ransomware Attacks Are Increasing Now

Even before the pandemic, ransomware was a big problem. From 2017 to 2019, half of all ransomware attacks occurred in the healthcare sector, according to Bryan Ware, CISA’s assistant director for cybersecurity.

There’s a simple reason why.

“When lives are on the line and timing is critical, from the perspective of a malicious criminal actor, that’s someone who’s more likely to pay the ransom,” Ware told HealthTech in an interview earlier this month. Sites involved with COVID-19 vaccine research are a key target for ransomware threat actors, he added.

Hackers haven’t pulled back amid an ongoing global pandemic, panelists noted in two recent webinars hosted by the Healthcare Information and Management Systems Society. In fact, criminals are turning up their efforts and even targeting specialties and facilities that historically have fewer security defenses and less training.

“Attacks that tug at your emotions tend to be the most impactful and favored by cybercriminals,” Ryan Witt, managing director of the healthcare industry practice at Proofpoint, told one webinar audience.

These exchanges, he said, may include imposter emails from the World Health Organization, fake purchase orders for personal protective equipment, or bogus notices about a “vaccine ID” from the Centers for Disease Control and Prevention.

How to Prevent Ransomware Attacks in Healthcare

Federal officials didn’t offer specifics about how the latest ransomware attacks were conducted, but they have been amplifying a message of vigilance.

In September, CISA and the Multi-State Information Sharing & Analysis Center jointly released a ransomware guide that details best practices to help manage the risk posed by ransomware and other cyberthreats.


The latest advisory offers more guidance for IT teams, including:

Stay current with all operating systems, software, firmware and patching updates; set anti-virus and anti-malware solutions to update automatically.

Protect sensitive data with network segmentation so critical information doesn’t reside on the same server and network segment as the email environment.

Use strong passwords built from strategic word combinations, and don’t reuse them across different accounts or systems.

Perform regular backups and implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location.

Restrict improper use by implementing application and remote access allowlisting, so that systems execute only programs known and permitted by the established security policy.

Provide cybersecurity education for all employees that includes training on ransomware, and explain how workers can report a suspected breach to speed an effective response.
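Ryuk’s removal of local recovery options is the behaviour the advisory’s backup and monitoring recommendations are aimed at. As an added illustration that is not part of this article or the federal advisory, the following Python flags process-creation events whose command lines match the widely documented recovery-inhibition commands (shadow-copy deletion, backup-catalog deletion, disabling boot recovery); the pipe-delimited log format, host names and sample events are assumptions constructed for the example.

```python
import re

# Patterns for the recovery-inhibition commands ransomware runs before
# encrypting: shadow-copy deletion, backup-catalog deletion and disabling
# boot recovery. Matched case-insensitively against the full command line.
RECOVERY_INHIBITION = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadow_deletion": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}
FIELDS = ("timestamp", "host", "user", "image", "command_line")

def parse_event(line):
    """Hypothetical pipe-delimited record (constructed format): timestamp|host|user|image|command_line."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None  # malformed record: skip it rather than crash the pipeline
    return dict(zip(FIELDS, parts))

def detect(lines):
    """Return alert dicts, one per (event, matched rule); an event may trigger several."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in RECOVERY_INHIBITION.items():
            if pattern.search(ev["command_line"]):
                alerts.append({"rule": rule, **ev})
    return alerts

# Constructed sample events: a benign editor launch, a benign shadow-copy
# listing by the backup service account, three recovery-inhibition commands
# from an ordinary workstation user, and one malformed line.
SAMPLE_LOG = [
    "2020-10-28T09:12:01Z|WS-RAD-07|HOSP\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2020-10-28T09:12:02Z|WS-RAD-07|HOSP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2020-10-28T09:12:03Z|WS-RAD-07|HOSP\\jdoe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet",
    "2020-10-28T09:12:03Z|WS-RAD-07|HOSP\\jdoe|C:\\Windows\\System32\\wbadmin.exe|wbadmin DELETE CATALOG -quiet",
    "2020-10-28T09:12:04Z|WS-RAD-07|HOSP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    "not a valid record",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["timestamp"]} {a["host"]} {a["user"]} {a["rule"]}: {a["command_line"]}')
```

Several of these rules firing on one host within seconds, from a non-administrative user, is the moment to isolate that host and verify that off-host backups are intact.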
