The FBI investigates recent ransomware attacks on U.S. hospitals

Thursday, October 29, 2020, 5:51 GMT

Criminals in Eastern Europe are using ransomware to hack hundreds of US hospitals, according to Reuters. On Wednesday, federal officials urged medical institutions to immediately step up their preparations so that they do not become the next targets. The FBI is reviewing recent threats, including the cases in Oregon, California, and New York that were made public only this week, according to three cybersecurity consultants familiar with the matter.

The group behind these attacks, analysts claim, is called “Wizard Spider” or UNC1878. They warned that such an intrusion would disrupt hospital services and risk the loss of life. The attacks led officials from the FBI and Homeland Security to hold a conference call on Wednesday for hospital management and cybersecurity specialists.

A participant told a Reuters reporter that government officials warned hospitals to ensure that their backup systems are in working order, to isolate their systems from the Internet as far as possible, and to prevent the use of personal email accounts. The FBI did not immediately respond to a request for comment.

Allan Liska, a threat intelligence analyst at the US cybersecurity firm Recorded Future, said, “This appears to be a concerted attack intended to directly affect hospitals across the United States.”

“Although there are many ransomware attacks against medical service providers every week, this is the first time we’ve seen the same ransomware attacker target six hospitals on the same day.”

Ransomware has in the past paralyzed hospitals’ patient record-keeping databases, which hold critical current medical records, affecting the facilities’ ability to provide medical care. Two of the three consultants familiar with the attacks said that the cybercriminals often use a form of ransomware known as “Ryuk”, which locks the victim’s devices until payment is made.

The participant in the conference call said government officials announced that the attackers used Ryuk and another Trojan named Trickbot against the hospitals.

Charles Carmakal, senior vice president of Mandiant, a US cyber incident response firm, said, “UNC1878 is one of the most shameless, ruthless, and disruptive risk actors I’ve seen in my career.” “The Ryuk ransomware has infected many hospitals greatly, and their networks have been shut down.”

Experts agree that the deployment of Trickbot is significant, coming after Microsoft’s attempts earlier this month to disrupt hacker networks.

Stefan Tanase, a cybercrime expert, said that this move was aimed at undermining cybercriminals’ capabilities, but that they seem to have recovered quickly. “What we are seeing here is that it was massively misunderstood by the news confirming that Trickbot was vanquished.”

Microsoft did not reply to a request for comment.