Updated Thursday at 10:55 a.m. ET
Some U.S. hospitals have been hit by coordinated ransomware attacks designed to infect systems for financial gain, federal agencies and a private-sector cybersecurity company warned on Wednesday.
A joint advisory by the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the FBI says there is “credible information of an increased and imminent cybercrime threat” to U.S. hospitals and health care providers.
They are urging institutions to take necessary precautions to protect their networks.
The agencies said hackers are using Ryuk ransomware — malicious software used to encrypt data and keep it locked up — and the Trickbot network of infected computers to steal data, disrupt health care services and extort money from health care facilities. Such data hijacking often cripples online systems, forcing many to pay up to millions of dollars to restore their services.
⚠️ There is an imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.
— Cybersecurity and Infrastructure Security Agency (@CISAgov) October 29, 2020
The agencies warned health care providers to step up protections of their networks, including regularly updating software, backing up data and monitoring who is accessing their systems.
Beyond health care facilities, the FBI says ransomware attacks have been on the rise for several years against hospitals, school districts, state and local governments and even law enforcement.
Officials do not recommend paying ransoms, as it does not guarantee data will be recovered and could “embolden” hackers to carry out further attacks.
CNN reports that an unnamed Trump administration official said several hospitals have been targeted in the attacks over the past two days. The official said the incidents may be connected and that the federal government is investigating the attacks.
Experts at the cybersecurity firm FireEye’s Mandiant division said the latest spate of attacks were carried out by cyberattackers in Eastern Europe seeking financial gain.
“We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States,” said Charles Carmakal, Mandiant’s chief technology officer, describing the group as “one of most brazen, heartless and disruptive threat actors I’ve observed over my career.”
Carmakal told NPR’s Steve Inskeep that what makes these attacks notable is their target: hospitals.
“Most threat actors aren’t willing to deploy ransomware and cause destruction to hospitals right now during the pandemic because they’re worried about impacting lives,” he said. But in this case, the attacker is deliberately targeting hospitals “and has no real fear of potential human impact, and is just looking to make money.”
The company said the attacks typically start as emails masquerading as corporate communications containing Google Docs and PDFs with malicious links.
And such attacks could have life and death consequences.
As hospital administrators find out their systems are under attack, they often take those systems offline, Carmakal said. They then have to revert to paper-based systems to treat patients – and sometimes end up diverting patients to other hospitals, which could be minutes or hours away.
“No matter what, you’re going to deal with situations where the ability for the healthcare practitioners to give care to patients – it’s going to get delayed, which could certainly impact people’s lives.”