FBI warns of ransomware assault
BOSTON — Federal agencies warned that cybercriminals could unleash a wave of datascrambling extortion attempts against the U.S. health care system, an effort that, if successful, could paralyze hospital information systems just as nationwide cases of COVID-19 are spiking.
In a joint alert Wednesday, the FBI and two federal agencies said they had credible information of “an increased and imminent cybercrime threat” to U.S. hospitals and health care providers. The alert said malicious groups are targeting the sector with attacks aiming for “data theft and disruption of healthcare services.”
The impact of the expected attack wave is difficult to assess.
It involves a particular strain of ransomware, which scrambles a target's data into gibberish until they pay up. Previous such attacks on health care facilities have impeded care and, in one case in Germany, led to the death of a patient, but such consequences are still rare.
The federal warning itself could help stave off the worst consequences, either by leading hospitals to take additional precautions or by expanding efforts to knock down the systems cybercriminals use to launch such attacks.
The offensive coincides with the U.S. presidential election, although there is no immediate indication the cybercriminals involved are motivated by anything but profit. The federal alert was co-authored by the Department of Homeland Security and the Department of Health and Human Services.
Independent security experts say the ransomware, called Ryuk, has already impacted at least five U. S. hospitals this week and could potentially affect hundreds more. Four health care institutions have been reported hit by ransomware so far this week, three belonging to the St. Lawrence Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Oregon.
Sky Lakes acknowledged the ransomware attack in an online statement, saying it had no evidence that patient information was compromised. It said emergency and urgent care “remain available.”
The St. Lawrence system also acknowledged a Tuesday ransomware attack, noting in a statement released Thursday that no patient or employee data appeared to have been accessed or compromised. Matthew Denner, the emergency services director for St. Lawrence County, told the Adirondack Daily Enterprise that the hospital owner instructed the county to divert ambulances from two of the affected hospitals for a few hours Tuesday. The company did not return requests for comment on that report.
Alex Holden, CEO of Hold Security, which has been closely tracking Ryuk for more than a year, said the attack could be unprecedented in magnitude for the U. S. In a statement, Charles Carmakal, chief technical officer of the security firm Mandiant, said the cyberthreat could be the “most significant” the country has ever seen.
The U.S. has seen a plague of ransomware over the past 18 months or so, with major cities from Baltimore to Atlanta hit and local governments and schools walloped especially hard.
In September, a ransomware attack hobbled all 250 U. S. facilities of the hospital chain Universal Health Services, forcing doctors and nurses to rely on paper and pencil for record-keeping and slowing lab work. Employees described chaotic conditions impeding patient care, including mounting emergency room waits and the failure of wireless vital- signs monitoring equipment.
Also in September, the first known fatality related to ransomware occurred in Duesseldorf, Germany, when an IT system failure forced a critically ill patient to be routed to a hospital in another city.