Healthcare Service Provider struck by Ryuk

Another Fortune 500 company has been added to ransomware’s victim list. For many researchers, the scourge of ransomware is becoming the number one problem faced by large organizations, and when major organizations like Canon and Konica Minolta fall victim it is hard to argue with this sentiment. Now Universal Health Services (UHS), currently ranked 293 on the Fortune 500 listing of companies, can be added to the victim list.

According to both Bleeping Computer and Digital Guardian, facilities across the US had to shut down services on Sunday, September 27, 2020, in response to a cyberattack. The company has over 400 healthcare facilities in the US and the UK, has more than 90,000 employees, and provides healthcare services to approximately 3.5 million patients each year. The company generated over 11 billion USD in income for 2019, making it a tasty target for well-organized ransomware gangs.

Much of the information regarding the incident has been posted on Reddit by company employees.


The company did announce the incident on Monday, 28 September. The terse message read as follows:

“Monday, September 28, 2020, 10:45 am ET — The IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue.
We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.
No patient or employee data appears to have been accessed, copied or misused.”

Another announcement was made the following day with much the same information as before; however, a paragraph relating to patient care and current operational capabilities was included. It read:

“In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”

According to the reports that emerged on Reddit, hospitals in California, Florida, Texas, Arizona, and Washington D.C. were left without access to computer and phone systems as a result of the incident. Posts also stated the following in terms of the extent of the shutdown: “We have no access to anything computer based including old labs, ekg's, or radiology studies. We have no access to our PACS radiology system.” No mention of hospitals in the UK being affected has emerged, and it seems that only the company's US networks have been affected, seemingly across the entire US. Further, patients needing surgery are being relocated to other hospitals to receive the care they need.

This in itself is problematic, as a separate incident in Germany proved when a patient had to be diverted to another hospital and subsequently died as a result. The patient was diverted because the hospital had suffered a ransomware incident and was unable to accept the patient. This has gone down as ransomware’s first death. Researchers and other cybersecurity experts have asked that ransomware gangs avoid infecting hospitals due to the potential for loss of life. That potential has been proven and yet the plea appears to be ignored.

Ryuk the Culprit

In both statements made by UHS, no mention was made of the ransomware deployed. Statements made by employees on Reddit, however, offer clues from which the identity of the offending malware can be pieced together. It can be safely assumed that the malware deployed by the attacker is indeed ransomware, as it was launched late at night to avoid detection and then encrypted as many devices as possible, after which system administrators shut down systems to prevent further encryption. The smoking gun comes from an employee speaking anonymously to Bleeping Computer, who said that files encrypted by the ransomware had the extension .ryk appended, a clear indicator of a Ryuk infection.

Another employee told the same publication that they had seen the ransom note and that it had the phrase “Shadow of the Universe” in it, which again is consistent with ransom notes dropped by Ryuk. Vitali Kremez is of the informed opinion that the attack began with a phishing attack. Kremez had previously spotted both Emotet and TrickBot infecting UHS networks. This is in line with the tactics employed by, and an apparent partnership between, the different malware gangs. Initially, Emotet gains a foothold on a corporate network via a phishing campaign loaded with a malicious document passing itself off as, for example, an invoice. Emotet then drops TrickBot, which in turn opens a reverse shell so that Ryuk can be installed. Once the Ryuk operators manually get access to the network they start with reconnaissance and, after gaining admin credentials, they deploy ransomware payloads on network devices using PSExec or PowerShell Empire.
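For responders scoping an incident like this one, the two indicators named above (the .ryk extension and the “Shadow of the Universe” phrase) can be swept for across a file share. The following is an added example, not code from the article or from any vendor; the file names in the sample tree and the 64 KiB note-size cap are assumptions made for illustration.

```python
import os
from collections import Counter

RYUK_EXT = ".ryk"                        # extension reported in the article
NOTE_PHRASE = b"shadow of the universe"  # note phrase reported in the article
MAX_NOTE_BYTES = 64 * 1024               # assumption: ransom notes are small files

def triage(root):
    """Walk root and return (encrypted files per directory, note paths, total files)."""
    encrypted, notes, total = Counter(), [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            total += 1
            if name.lower().endswith(RYUK_EXT):
                encrypted[dirpath] += 1
                continue                  # never read encrypted payloads
            try:
                if os.path.getsize(path) > MAX_NOTE_BYTES:
                    continue
                with open(path, "rb") as fh:
                    if NOTE_PHRASE in fh.read().lower():
                        notes.append(path)
            except OSError:
                continue                  # locked or vanished file: keep scanning
    return encrypted, notes, total

def build_sample(root):
    """Constructed sample tree: one affected share and one clean share."""
    files = {
        "share_a/labs.csv.ryk": b"\x00\x01",
        "share_a/ekg.pdf.ryk": b"\x00\x01",
        "share_a/readme.txt": b"... SHADOW of the Universe ...",
        "share_b/schedule.txt": b"ward rota, nothing unusual",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        enc, notes, total = triage(tmp)
        for directory, count in enc.most_common():
            print(f"{count} {RYUK_EXT} file(s) in {directory}")
        print(f"{len(notes)} note(s) among {total} files: {notes}")
```

The phrase match is a plain byte comparison, so a note stored in UTF-16 would not be found by it; the per-directory counts show which shares were reached before systems were shut down.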

While UHS has publicly stated that no patient or employee data was accessed during the attack, the Ryuk gang is known for stealing data during an attack and releasing it. This is done to make victims pay on time; if no payment is received, the gang will release the data. While it is hoped that no patient or employee data was stolen, given the gang's recent past this is a distinct possibility.

The Scourge of the Internet

Ransomware has been described as the scourge of the Internet. Ciaran Martin, former head of the UK’s National Cyber Security Centre (NCSC), further elaborated on the issue in a speech, saying:

“Right up until my final hours at NCSC last month, I remained of the view that the most likely cause of a major incident was a ransomware attack on an important service…For the attacker, the choice of the service would be incidental. They were just after money. But from the point of view of national harm, that incidental choice of victim could be important. What most kept me awake at night was the prospect of physical harm inadvertently resulting from ransomware. Criminal ransomware used recklessly by amoral criminals is one of the biggest but least discussed scourges of the modern internet.”

How then can the InfoSec community combat this scourge? According to Martin,

“…a serious examination of whether we should change the law to make it illegal for organisations in the UK to pay ransoms in the case of ransomware”

Making it illegal for organizations to pay the ransom may seem extreme and like punishing the victim. There is certainly a case to be made for this argument. However, the argument for making the payment of the ransom illegal has valid points. The act of paying the ransom allows the attacker to then target another victim. If no one paid there would be no motivation for ransomware operators to continue operations. Paying the ransom may alleviate the victim’s short-term problems but is essentially kicking the can down the road for someone else, or invites the victim to be targeted by another ransomware gang because the victim has paid in the past.

As it stands in the UK as well as several other states, for the most part, a victim cannot be prosecuted for paying a ransom, unless it can be proven that paying the ransom funded terrorism. However, the problem of ransomware has seemingly turned into a gold rush for cybercriminals. It is believed that as many as half of organizations pay up when hit with ransomware, which has made data-encrypting malware a major source of revenue for sophisticated criminal gangs. Some ransomware operators have raked in tens of millions in ransom. Often the ransom is paid in Bitcoin, which has further resulted in a blossoming crypto-laundering industry to make it harder to trace an already hard to trace currency.

Another threat that perpetuates the ransomware cycle is the view that a ransomware infection and subsequent payment is part of the cost of doing business. This view is problematic for a couple of reasons. Firstly, it prevents business leaders from investing in important and necessary security measures or employee education, which can be costly. Secondly, it further reinforces the belief that you must pay the ransom to return to normal business operations. By making it illegal to pay the ransom, companies would need to invest in robust security measures and employee education.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
