UHS Restores Hospital Systems After Ryuk Ransomware Attack

Universal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, says that it has managed to restore systems after a September Ryuk ransomware attack.

UHS has over 90,000 employees who provide healthcare services to roughly 3.5 million patients every year through a network of more than 400 healthcare facilities in the US and the UK.

UHS hospitals returning to normal operations

The ransomware attack the healthcare provide refers to as a “security incident” took place during the early hours of Sunday, September 27, and it forced UHS employees to shut down all systems to block the malware from spreading to unaffected network systems.

“As a result of this cyberattack, we suspended user access to our information technology applications related to operations located in the United States,” UHS says in the company’s 2020 Q3 Financial Results report and an 8K filing with the U.S. Securities and Exchange Commission (SEC).

“While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods.”

Also Read: How To Prevent WhatsApp Hack: 7 Best Practices

UHS has since restored most affected computing systems at behavioral and acute care health hospitals, also bringing back systems vital to hospital operations including those needed for laboratory and for managing patient electronic records.

“With the back-loading of data substantially complete at this point, our hospitals are resuming normal operations,” the company explains.

UHS says that it has started the process of bringing back all business operations and information technology (IT) infrastructure immediately after the attack.

It has also investigated the ransomware attack’s potential attack with the help of third-party IT forensic and security vendors.

So far, UHS says that the ongoing investigation wasn’t able to find any evidence of unauthorized access, theft, or misuse of patient or employee data.

However, “although we are unable to quantify the ultimate impact of the above-mentioned information technology security incident that we experienced in late September 2020, the incident could have an adverse effect on our future results of operations.”

Ryuk ransomware behind the attack

UHS hasn’t disclosed the nature of the nationwide September attack on its systems in the initial disclosure statement or today’s report and 8K filing.

However, BleepingComputer found from a UHS employee that files were being renamed on impacted systems to include the .ryk extension used by Ryuk ransomware.

Another employee told BleepingComputer that one of the affected systems’ screens displayed a ransom note reading “Shadow of the Universe,” a similar phrase to that usually displayed at the bottom of Ryuk ransom notes.

Based on info shared by Advanced Intel’s Vitali Kremez, the attack on UHS’ systems most likely started via a phishing attack.

Advanced Intel’s Andariel intelligence platform detected both the Emotet and TrickBot trojans affecting UHS throughout 2020 and even more recently, during September 2020, according to Kremez.

Also Read: 15 Best Tools For Your Windows 10 Privacy Settings Setup

Emotet is being delivered onto victims’ computers via phishing emails containing malicious attachments that deploy the malware payloads.

In some cases, Emotet will subsequently also install TrickBot which eventually opens a reverse shell to the Ryuk operators after collecting and exfiltrating sensitive data from infected devices.

The Ryuk actors manually deploy the ransomware payloads on network devices using PowerShell Empire or PSExec after a reconnaissance stage once they gain network access and admin credentials.

Unfortunately, while UHS says that they haven’t found evidence of any stolen patient or employee data, with ransomware attacks there is always a higher chance of it happening rather than not, further increasing the damage.

Ongoing Ryuk ransomware campaign targeting healthcare

In a joint advisory issued on Wednesday, the U.S. government warned of active Ryuk ransomware attacks against healthcare industry organizations including hospitals and healthcare providers.

“CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” the advisory says.

In a call with the healthcare industry stakeholders, the U.S. govt agencies also advised healthcare orgs to secure their networks by preparing network lockdown protocols, reviewing incident response plans, installing patches on Windows servers and edge gateway devices, limiting personal email, as well as setting up strategies on where to redirect patients in the event of an attack.

This week, Sky Lakes Medical Center in Oregon and St. Lawrence Health System in New York were both hit by Ryuk ransomware, followed by the Wyckoff Heights Medical Center hospital in Brooklyn and multiple hospitals in the University of Vermont Health Network.

Charles Carmakal, senior vice president and CTO of Mandiant, told BleepingComputer earlier this week that an Eastern European hacking group tracked as UNC1878 is behind this attack spree and that they plan to attack hundreds of other hospitals.