Late yesterday the Cybersecurity & Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), issued a ransomware activity targeting alert for the healthcare industry. These attacks are a major problem for hospitals, doctors’ offices, and other medical and healthcare providers and facilities at the best of times, as they lock providers out of their systems in an attempt to extort money in order to unlock the system.

According to DHS, the threat is coming from Russian hackers. While such ransomware activity is becoming more common, what is different than normal is that it is aimed at a specific industry category — healthcare, hospitals, and the public health sector.  During a pandemic, such attacks move from major problems to existential threats.
“We expect panic,” one hacker involved in the attacks said in Russian during a private exchange on Monday that was captured by Hold Security, a security company that tracks online criminals.

Some hospitals in New York State and on the West Coast reported cyber attacks in recent days, though it was not clear whether they were part of the attacks, and hospital officials emphasized that critical patient care was not affected.

The Russian hackers are believed to be based in Moscow and St. Petersburg. Hold Security uncovered evidence that they have been trading a list of more than 400 hospitals they plan to target. Alex Holden, the founder of Hold Security, shared the information with the F.B.I. . He said the hackers claimed to have already infected more than 30  healthcare organizations.

Alert (AA20-302A)

Ransomware Activity Targeting the Healthcare and Public Health Sector

Summary

This joint cybersecurity advisory was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). This advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health Sector (HPH) to infect systems with Ryuk ransomware for financial gain.

CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.