(Reuters) – Eastern European criminals are targeting dozens of U.S. hospitals with ransomware, and federal officials on Wednesday urged health care providers to step up preparations in case they are next.
The FBI is investigating the latest attacks, which include incidents in Oregon, California and New York that were made public just this week, according to three cyber security consultants familiar with the matter.
A doctor at a hospital told Reuters that the facility was operating on paper after an attack and could not transfer patients because the nearest option was an hour away. The doctor declined to be named because staff did not have the authority to speak to reporters.
"We can still look at vital images and get images done, but all results are communicated only through paper," said the doctor. The staff could see historical records but did not update these files.
Experts said that the probable group behind the attacks was known as the Wizard Spider or UNC in 1
The attacks prompted a conference call on Wednesday, led by FBI and Homeland Security officials, for hospital administrators and cybersecurity experts.
A participant told Reuters that government authorities warned hospitals to ensure their backup systems were in order, disconnect systems from the Internet where possible, and avoid using personal email accounts.
The FBI did not immediately respond to a request for comment.
"This seems to have been a coordinated attack aimed at disrupting hospitals specifically across the country," says Allan Liska, a threat information analyst with the US cybersecurity company Recorded Future.
"While multiple ransomware attacks on caregivers each week have been common, this is the first time we have seen six hospitals targeted on the same day by the same ransomware actor."
In the past, ransomware infections at hospitals have taken down databases of patient records, which store critical up-to-date medical information, affecting hospitals' ability to provide health care.
Ransomware attacks have jumped 50% in the past three months, security firm Check Point said Wednesday, with the proportion of surveyed healthcare organizations affected jumping to 4% in the third quarter from 2.3% in the previous quarter.
Two of the three consultants familiar with the attacks said that cybercriminals often used a type of ransomware called "Ryuk", which locks a victim's computer until a payment is received.
The participant in the conference call said that government officials revealed that the attackers used Ryuk and another Trojan, known as Trickbot, against the hospitals.
"UNC1878 is one of the most cheeky, heartless, and disruptive actors I have observed in my career," said Charles Carmakal, senior vice president of US cyber-incident company Mandiant.
"Several hospitals have already been significantly affected by Ryuk's ransomware and their networks have been taken offline."
Experts say the deployment of Trickbot is significant following Microsoft's efforts to disrupt the hacking network earlier this month.
The initiative was designed to handicap cybercriminals, but they seem to have recovered quickly, says Stefan Tanase, a cybercrime analyst.
"What we see here is a confirmation that the reports of the removal of Trickbot were greatly exaggerated," he said.
Microsoft did not respond to a request for comment.