A recent wave of ransomware attacks has infected more hospitals than previously known, including a University of Vermont network with locations in New York and Vermont.
The University of Vermont Health Network is analyzing what appears to be a ransomware attack from the same cybercrime gang that has infected at least three other hospitals in recent weeks, according to two sources familiar with the investigation who weren’t authorized to comment about it before it is complete.
Several federal agencies warned Wednesday of “an increased and imminent cybercrime threat” to the country’s health care providers, particularly from a gang that uses a strain of ransomware called Ryuk. The U.S. has repeatedly hit record highs for daily confirmed coronavirus infections.
The FBI and the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, sent an updated alert Thursday night with new technical information, adding that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
As many as 20 medical facilities have been hit by the recent wave of ransomware, said a person with knowledge of the matter, who spoke on the condition of anonymity because they weren’t authorized to speak publicly. The figure includes multiple facilities within the same hospital chain.
Three other hospital chains have recently confirmed cyberattacks, believed to be ransomware, by the same gang: the Sky Lakes Medical Center, with 21 locations in Oregon; Dickinson County Healthcare System in Michigan and Wisconsin; and the St. Lawrence Health System in northern New York. It was not clear how much of their systems or how many locations had been hit by the ransomware.
Tom Hottman, a spokesperson for Sky Lakes Medical Center, confirmed that the company had been infected with Ryuk and said its computers were inaccessible, halting radiation treatments for cancer patients.
“We’re still able to meet the care needs for most patients using work-around procedures, i.e. paper rather than computerized records. It’s slower but seems to work,” he said in an email.
Joe Rizzo, a spokesperson for Dickinson, said in an email that their hospitals and clinics are using paper copies for some services because computer systems are down.
Rich Azzopardi, senior adviser to New York Gov. Andrew Cuomo, said the state’s Division of Homeland Security and Emergency Services and other groups had been in communication about the St. Lawrence attack.
Details about a major wave of ransomware attacks on U.S. hospitals began to emerge at the end of September when computer systems for Universal Health Services, one of the biggest hospital chains in the country, were hit, forcing some doctors and nurses to use pen and paper to file patient information. Jane Crawford, the chain’s director of public relations, said in an email at the beginning of October that no one had died because of the attack.
In ransomware attacks, the intruders often gain access to secure systems and then encrypt files. The people behind the attacks then demand money to decrypt the files.
Ryuk is transmitted through
Hundreds of American hospitals are being targeted in cyberattacks by the same Russian hackers who American officials and researchers fear could sow mayhem around next week’s election.
The attacks on American hospitals, clinics and medical complexes are intended to take those facilities offline and hold their data hostage in exchange for multimillion-dollar ransom payments, just as coronavirus cases spike across the United States.
“We expect panic,” one hacker involved in the attacks said in Russian during a private exchange on Monday that was captured by Hold Security, a security company that tracks online criminals.
Some hospitals in New York State and on the West Coast reported cyberattacks in recent days, though it was not clear whether they were part of the attacks, and hospital officials emphasized that critical patient care was not affected.
The Russian hackers, believed to be based in Moscow and St. Petersburg, have been trading a list of more than 400 hospitals they plan to target, according to Alex Holden, the founder of Hold Security, who shared the information with the F.B.I. Mr. Holden said the hackers claimed to have already infected more than 30 of them.
On Wednesday, three government agencies — the F.B.I., the Department of Health and Human Services and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — warned hospital administrators and security researchers about a “credible threat” of cyberattacks to American hospitals, according to a security executive who listened to the briefing.
Officials and researchers did not name the affected hospitals, but Sonoma Valley Hospital in California said it was still trying to restore its computer systems after an intrusion last week. St. Lawrence Health System in New York confirmed that two of its hospitals, Canton-Potsdam and Gouverneur, were hit by ransomware attacks Tuesday morning that caused them to shut down computer systems and divert ambulances. Sky Lakes Medical Center in Oregon was also crippled by a ransomware attack Tuesday that froze electronic medical records and delayed surgeries, a hospital representative said.
Employees at that hospital, in Klamath Falls, Ore., were told, “If it’s a P.C., shut it down,” said Thomas Hottman, the public information officer at Sky Lakes.
It was unclear whether those attacks were related to the hacking campaign underway. But the latest breaches were linked to the same Russian hackers who held Universal Health Services, a giant network of more than 400 hospitals, hostage with ransomware last month in what was then considered the largest medical cyberattack of its kind.
The hackers are also the same group behind TrickBot, a vast conduit for ransomware attacks that government hackers and technology executives have targeted in two takedowns over the past month.
In late September, United States Cyber Command started hacking into TrickBot’s infrastructure in an effort to disable it before the election. Microsoft also started taking down TrickBot servers via federal court orders over the past month. The goal of both efforts, officials and executives said, was to pre-empt ransomware attacks on the election that could disrupt voting