Federal agencies warn that cybercriminals are unleashing a major ransomware assault against the US health care system. Independent security experts say it has already hobbled at least five hospitals this week and could potentially affect hundreds more.
In a joint alert on Wednesday, the FBI and two other federal agencies warned they had “credible information of an increased and imminent cybercrime threat to US hospitals and health care providers.”
They said that “malicious cyber actors” are targeting the sector with ransomware that could lead to “data theft and disruption of healthcare services.”
The aggressive offensive, by a Russian-speaking criminal gang, coincides with the presidential election, though there was no immediate indication it was motivated by anything but profit.
“We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States,” Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant, said in a statement. He’s concerned that the group may deploy malware to hundreds of hospitals over the next few weeks.
Late Wednesday, Rhonda Mann, a spokeswoman for Tufts Medical Center, said, “We have not been directly targeted but we are aware of it. Our information security team is on high alert and we have taken extra precautions to ensure our data remains safe.”
Alex Holden, the CEO of Hold Security, which has been closely tracking the ransomware in question for more than a year, agreed that the unfolding offensive is unprecedented in magnitude for the United States. Administrative problems caused by ransomware, which scrambles data into gibberish that can be unlocked only with software keys provided once targets pay up, could further stress hospitals burdened by a nationwide spike in COVID-19 cases.
The cybercriminals suspected of the attacks use a strain of ransomware known as Ryuk, which is seeded through a network of zombie computers called Trickbot that Microsoft began trying to counter earlier in October. While the company has had considerable success knocking Trickbot command-and-control servers offline through legal action, analysts say criminals have still been finding ways to spread Ryuk.
The United States has seen a plague of ransomware over the past 18 months or so.
In September, a ransomware attack hobbled all 250 US facilities of the hospital chain Universal Health Services, forcing doctors and nurses to rely on paper and pencil for record-keeping and slowing lab work. Employees described chaotic conditions impeding patient care. Also in September, the first known fatality related to ransomware occurred in Duesseldorf, Germany, when an IT system’s failure forced a critically ill patient to be routed to a hospital in another city.
Holden said he alerted federal law enforcement Friday after monitoring infection attempts at a number of hospitals, some of which may have beaten back infections. The FBI did not immediately respond to a request for comment.
He said the group was demanding exorbitant ransoms well above $10 million per target and that criminals involved on the dark Web were discussing plans to try to infect more than 400 hospitals, clinics, and other medical facilities.
“One of the comments from the bad guys is that they are expecting to cause panic and, no, they are not hitting election systems,” Holden said. “They are hitting where it hurts even more, and they know it.” US officials have repeatedly expressed concern about major ransomware attacks affecting the presidential election, even if the criminals are motivated chiefly by profit.
Mandiant’s Carmakal identified the criminal gang as UNC1878, saying “it is deliberately targeting and disrupting US hospitals, forcing them to divert patients to other health care providers” and forcing prolonged delays in critical care in the midst of the worst pandemic in a century.
He called the Eastern European group “one of most brazen, heartless, and disruptive threat actors I’ve observed over my career.”
While no provable ties between the Russian government gangs that use the Trickbot platform have been established, Holden said, “I absolutely have no doubt that the Russian government is aware of this operation — of terrorism, really.” He said dozens of criminal groups use Ryuk, paying its architects a cut.
Neither security researcher would identify the affected hospitals. Four health care institutions have been reported hit by ransomware this week, three belonging to the St. Lawrence County Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Ore.
A total of 59 US health care providers or systems have been affected by ransomware in 2020, disrupting patient care at up to 510 facilities, said Brett Callow, an analyst at the cybersecurity firm Emsisoft.
Carmakal said Mandiant had provided Microsoft on Wednesday with as much detail as it could about the threat so it could distribute details to its customers. A Microsoft spokesman had no immediate comment.
Globe correspondent Jeremy C. Fox contributed to this report.