US hospitals under 'imminent threat' of ransomware attack, say CISA and the FBI

'Brazen, heartless and disruptive threat actors' deliberately targeting health facilities during the pandemic

The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health and Human Services (HHS) have put out a joint warning that cyber criminals are actively attacking medical facilities and institutions using ransomware, just as Covid-19 cases are rising rapidly once again.

The agencies say they have "credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers" posed by threat actors using Trickbot malware.

Trickbot started as a banking trojan designed to steal financial information and credentials, but its use cases have been extended with new functionality, including the deployment of ransomware.

Ransomware, often the Ryuk strain, is deployed as a payload of the Trickbot trojan, whose operators have developed a variety of ways of concealing its presence on a network and its communications with command and control (C2) servers. Once activated, Ryuk encrypts files, deletes local backups and attempts to shut down protective systems. Organisations are advised to update all software as soon as patches and upgrades are available, to disconnect systems from the internet where possible, and to maintain offline backups of important files.
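A defender-side illustration of the behaviour described above: this added Python example (not from the advisory or the article) scans constructed process-creation events for the two behaviours named, local backup deletion and stopping protective services, and picks out hosts that warrant isolation. The command-line patterns and the protective-service keywords are assumptions drawn from commonly documented ransomware tradecraft.

```python
import re
from collections import defaultdict

# Detection rules for the two Ryuk behaviours the advisory describes. The
# command-line patterns below are an assumption based on commonly documented
# ransomware tradecraft; they are not taken from the article.
BACKUP_DELETION = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup))",
    re.IGNORECASE,
)
SERVICE_STOP = re.compile(r'\b(?:net|sc)(?:\.exe)?\s+stop\s+"?([^"\s]+)', re.IGNORECASE)
# Service-name fragments treated as 'protective' (assumed list; tune per environment).
PROTECTIVE_KEYWORDS = ("defend", "sense", "backup", "veeam", "sophos", "mcafee", "crowdstrike")

def classify(cmdline):
    """Return the set of rule names a single command line triggers."""
    hits = set()
    if BACKUP_DELETION.search(cmdline):
        hits.add("backup_deletion")
    m = SERVICE_STOP.search(cmdline)
    if m and any(k in m.group(1).lower() for k in PROTECTIVE_KEYWORDS):
        hits.add("protective_service_stop")
    return hits

def triage(events):
    """Map each host to the sorted rule names seen across its (host, cmdline) events."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host] |= classify(cmdline)
    return {h: sorted(r) for h, r in per_host.items() if r}

def hosts_to_isolate(events):
    """Hosts showing both behaviours: candidates for immediate network isolation."""
    return sorted(h for h, rules in triage(events).items() if len(rules) == 2)

# Constructed sample events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ward-ws07", r"C:\Windows\System32\notepad.exe C:\Users\nurse\shift-notes.txt"),
    ("ward-ws07", "vssadmin.exe delete shadows /all /quiet"),
    ("lab-srv02", "wmic shadowcopy delete"),
    ("lab-srv02", 'net stop "Veeam Backup Service" /y'),
    ("lab-srv02", "sc stop WinDefend"),
    ("admin-ws01", "net stop Spooler"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS), hosts_to_isolate(SAMPLE_EVENTS))
```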

A number of medical facilities in the US have already been attacked with ransomware in the past few days, with security experts pointing the finger at Russia-based cybercrime group Wizard Spider, also tracked as UNC 1878, Reuters reports.

"This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country," said Allan Liska, a threat intelligence analyst with US cybersecurity firm Recorded Future, as reported by Reuters.

"While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor."

"UNC 1878 is one of the most brazen, heartless, and disruptive threat actors I've observed over my career," said Charles Carmakal, senior vice president of security vendor Mandiant. "Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline."

While hospitals are frequent targets for cybercrime groups, many of those groups had held off attacking them during the pandemic, so the current wave of attacks is a worrying turn of events.

The Trickbot botnet used to deliver the malware is a growing menace: a fortnight ago Microsoft announced a major operation to take down its backend infrastructure, which comprises over a million infected systems used to steal financial and personal data and to deliver ransomware.