CISA warns of disruptive ransomware attacks on US hospitals


Healthcare providers across the US are warned about massive new ransomware attacks that could impact their ability to treat COVID-19 patients.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to healthcare providers after multiple hospitals suffered ransomware attacks from an Eastern European cybercriminal gang known as Wizard Spider.

Wizard Spider targeted a total of six hospitals within a single day. The hospitals are located in Oregon, California, and New York. As a result, most of the patients had to be moved to other facilities.

The attacks are referred to as the most disruptive cyber-attacks the healthcare sector has suffered during the COVID-19 pandemic.

As per the notice, Wizard Spider has launched a massive new ransomware campaign that could affect healthcare providers' ability to treat coronavirus patients.

The alert was jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS). It is worth noting that HHS was also attacked in March 2020, an attack that HHS claimed was carried out to halt the coronavirus response in the country.

The agencies claim that the attackers are using the Ryuk ransomware variant and TrickBot malware to target the healthcare sector. Ryuk ransomware was first discovered in 2018. Cybercriminals often use it alongside off-the-shelf tools, including PowerShell Empire and Cobalt Strike, for stealing credentials and maintaining persistence.

How Ryuk works

TrickBot, despite being dismantled a couple of weeks ago, is one of the most devastating pieces of malware currently used by threat actors. It was originally designed as a banking trojan and now offers a range of functions, including POS data harvesting and crypto-mining.

The latest variant used against US healthcare providers utilizes a new module, Anchor_DNS, which has been added to TrickBot by its authors. With this new module, the attackers can use DNS tunneling to keep C&C communications discreet and seamlessly exfiltrate data from high-profile targets.
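A defender-side heuristic for spotting the DNS tunneling described above, as an added example that is not taken from the CISA alert or this article: it groups DNS queries per client and parent domain and flags pairs with many long, high-entropy subdomains. The log lines, thresholds, function names and two-label parent-domain split are assumptions, and this is a general tunneling heuristic rather than an Anchor_DNS signature.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client_ip, queried_name) pairs; not real traffic.
_BLOBS = [
    "4f2a9c1e7b3d8056a1c4e9f2b7d30586",
    "b7e3019d5c8a2f466d2f8a0c4e1b9735",
    "9a0f5e3c7d1b8246e4b1729f0c6a3d85",
    "c3d80e6f4a917b251f7a3c5e9b0d2468",
]
SAMPLE_QUERIES = (
    [("10.0.0.5", f"{h}.example.com") for h in ("www", "mail", "cdn", "api", "static")]
    + [("10.0.0.9", f"{b}.example.net") for b in _BLOBS]   # tunnel-like pattern
    + [("10.0.0.7", f"{_BLOBS[0]}.example.org")]           # one-off long name
)

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname, base_labels=2):
    """Return (parent_domain, concatenated_subdomain_labels).
    Assumption: the parent domain is the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-base_labels:]), "".join(labels[:-base_labels])

def find_tunnel_candidates(queries, min_unique=4, min_avg_len=20, min_entropy=3.0):
    """Flag (client, parent_domain) pairs with many long, random-looking subdomains."""
    seen = defaultdict(set)
    for client, qname in queries:
        base, sub = split_name(qname)
        if sub:
            seen[(client, base)].add(sub)
    hits = []
    for (client, base), subs in seen.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_entropy >= min_entropy:
            hits.append((client, base, len(subs)))
    return sorted(hits)

if __name__ == "__main__":
    for client, base, n in find_tunnel_candidates(SAMPLE_QUERIES):
        print(f"{client} -> {base}: {n} unique high-entropy subdomains")
```

Requiring volume, length and entropy together keeps ordinary hostnames and a single long lookup from being flagged; the thresholds need tuning against a site's own resolver logs.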

CISA has warned that attackers are using various techniques to move laterally, including Windows Management Instrumentation (WMI), Windows Remote Management, PowerShell, and Remote Desktop Protocol (RDP).

According to Reuters, Wizard Spider is also known as UNC1878. According to Charles Carmakal, CTO at Mandiant, this gang is among the most “brazen, heartless, and disruptive threat actors” ever.

Carmakal also stated that the latest array of ransomware attacks against the US’s healthcare system could be the most dangerous cybersecurity threat that they have seen in recent times.

