Ryuk attack downs private health provider in major incident

Universal Health Services, a major supplier of private healthcare services in the US and mental health services in the UK, has been floored by a ransomware attack that left systems offline and inoperable across its IT estate.

The 90,000-strong organisation, which treats millions of patients every year and makes revenues of over $10bn, said the downtime was due to an IT security issue, but reports swiftly emerged from inside UHS that strongly suggest it has been hit by Ryuk ransomware – as initially reported by Bleeping Computer.

Others claiming to be UHS employees took to Reddit to describe systems across the organisation being downed in rapid succession in the small hours of the morning of Sunday 27 September. In the light of an ongoing investigation in Germany into a death that occurred during a ransomware attack on a hospital, many speculated that patients’ lives were being put at risk.

A UHS spokesperson said: “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible.

“In the meantime, our facilities are using their established back-up processes, including offline documentation methods. Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”

Named after a fictional Shinigami – a folkloric spirit associated with death in Japanese culture – that appears in the Death Note manga and anime series, Ryuk is owned and operated by a Russia-based group that targets mainly enterprise environments in so-called big game hunting attacks.

Such attacks are not easy to pull off because they must be extensively researched and customised, requiring a greater level of involvement from the cyber criminal operators.

Generally they begin with phishing attacks – in Ryuk’s case, the phishing campaign often involves piggybacking on the Emotet and TrickBot banking trojans first – that gather credentials and drop malware inside the victim’s network, enabling the group to identify assets to target with Ryuk.

If it does indeed involve Ryuk, the UHS cyber attack is likely to be the culmination of a lengthy process, and those responsible will have been inside its systems for some time.

Jeff Horne, CSO at IoT security specialist Ordr, said: “Ryuk can be difficult to detect and contain as the initial infection usually happens via spam or phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. It can pull passwords out of memory and then laterally moves through open shares, infecting documents and compromised accounts.

“Some threat actors are still piggybacking Ryuk behind some other trojans or bots, and some of those can use the EternalBlue vulnerability to propagate. EternalBlue propagation has unfortunately been very successful in hospitals with WannaCry by compromising legacy systems running SMBv1 (like Windows XP), and it’s crucial to be able to detect something like the EternalBlue exploit to discover malicious lateral movement.”

Comparitech cyber security specialist Brian Higgins said the attack was clearly well planned and targeted, and both the timing and sophisticated nature of the breach suggested a highly organised criminal operation.

“UHS are clearly doing everything they can to defend their networks and clients as the attack plays out,” he said. “Thankfully, they appear to have learned from other recent attacks on healthcare service providers and have enacted a comprehensive incident response plan to protect their company and its digital assets.

“Unfortunately, that clearly involves the shutdown of vital systems and the use of ‘offline documentation methods’, which will clearly cause some service impact. They also outsource their patients’ electronic health records which should provide air-gapped protection of that data and, therefore, some consolation for their clients at this worrying time.”

Higgins warned that UHS clients should be particularly vigilant at this point, because they are likely to be targeted with further phishing campaigns designed to harvest more valuable data. “It is vital that patients do not respond to unsolicited requests to provide security or logon details, reset passwords or share any other data until UHS have the situation under control,” he said.

“Part of the UHS response plan will be to deal with patient communication and it will be very clear when those plans take effect. Until then, any and all unsolicited requests should be passed to the authorities and ignored, however difficult that may be. Any engagement or response at this time will simply compound the problem.”