by John R. Fischer, Senior Reporter | October 30, 2020
The Cybersecurity and Infrastructure Security Agency (CISA), FBI and the U.S. Department of Homeland Security warned this week of an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”
The crime in question involves a form of ransomware that a Russian cybercriminal gang known as UNC1878 plans to deploy in order to steal data from and disrupt the information technology systems of hundreds of hospitals, clinics and medical care facilities around the U.S., according to the agencies, which say the alert is based on “credible information” they received.
“CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,” said CISA in an alert issued this week.
Independent security experts assert the attack has already hit at least five U.S. hospitals this week and could potentially impact hundreds more, the Associated Press reported.
The ransomware is called Ryuk. It encrypts data into a non-legible form that can only be restored with decryption keys, which are provided once the ransom has been paid. It is spread through a network of compromised “zombie” computers called Trickbot, which both Microsoft and U.S. Cyber Command have reportedly tried to counter through legal processes, according to Reuters.
Alex Holden, founder of cybersecurity firm Hold Security, has been tracking Ryuk for almost a year and was monitoring for infection attempts at hospitals Friday, when he came across correspondence among cybercriminals associated with UNC1878. The criminals were discussing plans to deploy Ryuk at more than 400 healthcare facilities in the U.S. He alerted federal law enforcement that day, saying the group was demanding ransom above $10 million per target.
“One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems,” Holden told the AP. “They are hitting where it hurts even more and they know it.”
He adds that he does not doubt that the Russian government is aware of the operation, though no suspected ties have been found between it and the gang.
Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, identified the group as UNC1878 and says it is “one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career.”