Ransomware Cripples UHS Hospitals Across the Nation - Security Boulevard

Ransomware Cripples UHS Hospitals Across the Nation

Universal Health Services discovered all its Windows PCs had shut down over the weekend. It looks like a widespread Ryuk ransomware infection.

And now the PCs won’t boot. So medical staff are back to using paper and faxes.

FinConDX 2021

Elsewhere, the predictable data leaks have started—if victims don’t pay the ransom, that is. For example, a Las Vegas–area school district found private employee and student data online. In today’s SB Blogwatch, we debate the rights and wrongs of paying ransom demands.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Dread the Slammer.


To Pay or Not to Pay?

What’s the craic, Zack? Mister Whittaker reports—“Healthcare giant UHS hit by ransomware attack”:

 One of the largest healthcare providers in the U.S. has been hit by a ransomware attack. The attack hit UHS systems early on Sunday morning, according to two people with direct knowledge of the incident, locking computers and phone systems at several UHS facilities across the country.

One of the people said the computer screens changed with text that referenced the “shadow universe,” consistent with the Ryuk ransomware. … The Ryuk ransomware is linked to a Russian cybercrime group, known as Wizard Spider. … Ryuk’s operators are known to go “big game hunting” and have previously targeted large organizations, including shipping giant Pitney Bowes and the U.S. Coast Guard.

UHS has 400 hospitals and healthcare facilities in the U.S. and the UK, and serves millions of patients each year.

Ouch. Jane Crawford is UHS’s PR director—“Statement from Universal Health Services”:

 The IT Network across … UHS facilities is currently offline, due to an IT security issue. We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible.

Our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.

No patient or employee data appears to have been accessed, copied or misused.

But WaffleMonster thinks that’s just PR waffle:

 How would they know? … How can huge numbers of systems get rooted while … statements like, “No patient or employee data appears to have been accessed, copied or misused.” always seem to make their way into these sorts of public announcements?

Nevertheless, be thankful for small mercies. Tawnell D. Hobbs tells this tale of woe—“Hacker Releases Information on Las Vegas-Area Students”:

 A hacker published grades, Social Security numbers and financial information after a Las Vegas-area school district refused to pay ransom to get back control of their servers. [It] demonstrates an escalation in tactics for hackers who have taken advantage of schools heavily reliant on online learning during the pandemic.

Hackers have attacked school districts and other institutions with sensitive information even before the pandemic, typically blocking users’ access to their own computer systems unless a ransom is paid. In those instances, the so-called ransomware crippled the district’s operations but hackers didn’t usually expose damaging information about students or employees.

Some districts have paid ransoms … ranging from $25,000 to over $200,000, deciding that rebuilding servers is more costly and could delay learning for weeks. Consultants often advise districts that hackers generally have a good record of releasing control of the servers upon payment to entice others to pay in the future.

And Aaron Holmes adds—“Nevada school district refused to pay ransom”:

 Brett Callow … with cybersecurity firm Emsisoft … discovered leaked documents published to an online hacking forum … including students’ names, social security numbers, addresses, and some financial information. … The district previously disclosed that it suffered a ransomware attack during its first week of online classes.

At least 60 school districts and universities in the US have been targeted by ransomware attacks this year. … The attacks put targets between a rock and a hard place, forcing them to choose whether to pay hefty ransoms to criminals or to risk people’s personal information being leaked online.

A Clark County School District spokesperson did not immediately respond to a request for comment.

But it is as bad as it seems? We have met Dr. Jane “Dissent” Doe and she is us:

 Yes, there is some employee personally identifiable information like SSN and rates, and I don’t mean to minimize the risk of that data being dumped. But what got dumped does not include W-2 files or other personnel records. Nor are any of the truly sensitive student files in the data dump.

Those who are not familiar with data protection of student data in the U.S. may understandably describe it as [sensitive]. Districts are allowed to make certain types of student information publicly available as “directory information” under the federal law that protects the privacy of education records (FERPA). Districts get to decide what types of data they will [make] publicly available.

Students’ names, grade levels, birth dates, and schools attended are not considered sensitive or protected information, however upsetting it may to be parents to hear about a breach. … I have not seen any really sensitive student information so far — no student medical records, no student disciplinary records, no social work or psychological records, and no special education assessments or records.

Are employees at some risk from the dumping of their data? Yes. Are the students? Not so much, unless some student’s family was trying to escape location by an abusive family member.

But locked-out hospitals, though. From the inside, it’s graynova66:

 I have worked at a UHS facility in the SE US for over 7yrs. … At approx 2AM, systems in our ED just began shutting down. I was sitting at my computer charting when all of this started. It was surreal and definitely seemed to propagate over the network. … When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity. After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown.

Working “old school” last night with everything on paper downtime forms. … We have no access to anything computer based including old labs, EKGs, or radiology studies. We have no access to our PACS radiology system. No patients died tonight in our ED but I can surely see how this could happen in large centers due to delay in patient care.

Moral hazard 101: To pay the ransom, or not to pay it? gweihir goes even further than “not”:

 I am all for making it actually illegal and criminal to pay ransomware attackers. That may have the desired effect.

Far too many organizations are far too vulnerable to this for it to stop anytime soon. Comparing to the industrial revolution, this “computer” thing is still in the phase where the steam engines blew up regularly, safety valves were considered optional and forget about getting a pressure vessel actually certified to any sane standards.

If you are successfully compromised by ransomware these days and cannot recover on your own, gross negligence is a given. This is a standard and expected threat these days. … Not to be prepared for it is to willfully ignore it.

What can be done? Shutting the door after the horse has bolted, it’s raxxorrax:

 Hospitals quickly need a powerful backup solution. … It is the best and perhaps only defense against ransomware.

The important thing is not to pay the ransom. The industry would die off like it should.

Backup solutions are on the expensive side. My company had multiple ransomware attacks but we could restore the data nearly on the fly because the backup solution did snapshots over the whole infrastructure.

Meanwhile, JeffOwl swearily agrees:

 You dumb MF-ers who keep paying these bastards. Stop it. Recover best as you can without paying the criminals, learn your lessons, invest in security, training, and backup infrastructure, and move on.

And Finally:

But is it art?

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: impulsQ UG (via Unsplash)

Featured eBook
Managing the AppSec Toolstack

Managing the AppSec Toolstack

The best cybersecurity defense is always applied in layers—if one line of defense fails, the next should be able to thwart an attack, and so on. Now that DevOps teams are taking  more responsibility for application security by embracing DevSecOps processes, that same philosophy applies to security controls. The challenge many organizations are facing now ... Read More
Security Boulevard

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 305 posts and counting.See all posts by richi