Urgent Bulletin: FBI Alert on Imminent Ransomware Attack on U.S. Hospitals
Published On October 29, 2020
October 29, 2020 - ATLANTA, GA - CORL Technologies has been advised of a credible and imminent ransomware attack on the U.S. healthcare system from an Eastern European criminal group. The FBI, HHS, DHS, the CISA, and several other sources have advised that a coordinated attack on the healthcare system is planned for over 400 healthcare entities and may already be underway.
The CISA reports, “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.”
The specific attack leverages a ransomware known as “Ryuk,” which locks up a victim’s computer until payment is received. The attack also leverages a specific set of malware known as Trickbot. CORL has received reports of healthcare entities battling new ransomware and malware attacks this week; however, these have not yet been formally tied back to the Ryuk and Trickbot attacks.
Charles Carmakal, senior vice president for Mandiant, told Reuters that this cybercriminal group, UNC1878, is “one of the most brazen, heartless, and disruptive threat actors he’s observed over the course of his career.” “We are experiencing the most significant cyber security threat we’ve ever seen in the United States,” said Carmakal.
- Review the specific attack vectors and indicators of compromise listed in the resources section below to evaluate for potential infection of the Ryuk/Trickbot malware
- Monitor connections with third parties including VPNs and be prepared to sever links to infected vendors
- Maintain offline, encrypted backups of data and regularly test your backups
- Create, maintain, and exercise a basic cyber incident response plan and associated communications plan
- Accelerate any pending security patches
- Review incident response and business continuity plans this week to prepare for potential attacks
- Focus on awareness and training; advise the workforce of threats - such as ransomware and phishing scams - how they are delivered, and whom to contact if they observe suspicious activity
- Know how to contact federal authorities when phones are down or communication systems become unavailable
- Continue to monitor the situation and make adjustments and communications internally to the organization as needed
Resources:
- CISA/FBI/HHS Alert (AA20-302A) - Ransomware Activity Targeting the Healthcare and Public Health Sector
- Mandiant Indicators of Compromise - UNC1878 indicators of compromise for the Ryuk attack
- Center for Internet Security (CIS) - Technical Details for the Trickbot malware
- HHS Cyber Alerts - Critical Infrastructure Protection for the Healthcare and Public Health Sectors; there is a link to “join our mailing list.”
- FBI Contact Information (Email Link) - Call FBI cyber division: 855-292-3937, email them at [email protected] or go to your local FBI office. Include: date, time, location, type of equipment impacted, name of submitting company, point of contact, and number of people affected
- FDA Medical Device Security Contact (Email Link) - If you experience an incident related to medical devices, contact the FDA at [email protected]
- CISA’s Ransomware Guide and Ransomware Page - Ransomware prevention and response guidance
- OCR’s HIPAA Ransomware Fact Sheet - Fact sheet: Ransomware and HIPAA
- Meditology Services Ransomware Podcast - The Rising Stakes of Ransomware During the Global Pandemic
CORL will continue to monitor the situation and will advise of updates on our news and events portion of our website as this situation unfolds. Contact us if you have any questions or if we can help you with your preparation or response to these ransomware attacks.
Stephanie Attaway, CORL Technologies