One of the largest U.S. healthcare providers was hit with a ransomware attack over the weekend and has been without their internal I.T. systems since Sunday morning. Universal Health Services (UHS), a Fortune 500 company, manages more than 400 hospitals and healthcare centers within the U.S. and U.K. Early reports indicate that the entire UHS network was impacted, but several locations have denied being affected.
UHS staff have been instructed to keep their systems offline and it goes without saying what the real world impact could be given the nature of the healthcare industry. According to social media reports, many patients have been turned away from locations or redirected to other facilities. An employee at a Pennsylvania location reported that Sunday morning when attempting to distribute medication, the employees couldn’t access the electronic records that track medication distribution. The associate reported they had to verbally confirm with the patients what medications they needed. Later in the day on Sunday, it was reported employees stopped distributing medication due to the lack of access to patient records and potential risk of relying on verbal confirmation from patients.
The UHS attack allegedly occurred overnight sometime between late Saturday night and early Sunday morning. In SpearTip’s experience, attacks like these often occur outside of business hours and on weekends with the hopes that network security teams aren’t fully staffed during those hours. This makes a successful attack much more likely with less eyes watching out for security events.
Early accounts are reporting that the ransomware variant used to hit UHS is Ryuk. Ryuk attacks have been quiet the last few months but this could be a sign that the Ryuk operators may be gearing up for another intensive campaign. An internal employee reported that files were encrypted with a .ryk file extension as is typical with files encrypted by Ryuk. The ransom note also included the phrase, “Shadow of the Universe”, which is typical wording within Ryuk ransom notes.
According to the security researcher Vitali Kremez, there’s been evidence that UHS has been impacted by both the banking trojans Emotet and TrickBot at different times in 2020. This evidence could be unrelated to the ransomware incident, but SpearTip has responded to countless ransomware infections where the root cause of the incident was related to Emotet and TrickBot infections that made their way into the internal network through malicious email attachments.
SpearTip has also handled numerous Incident Responses cases related to the Ryuk ransomware variant. In our experience, malicious email attachments containing Emotet/TrickBot gave the Threat Actors that initial access into the environment. From there, the Threat Actors would begin performing reconnaissance, elevate their privileges, and move laterally throughout the network before dropping their payload. The Ryuk actors have been known to use PowerShell Empire for reconnaissance, privilege escalation and lateral movement and use PsExec to distribute the malicious payload across internal networks.
Reports are stating that the Threat Actors were able to successfully disable multiple anti-virus tools during the attack. Between this fact and the attack occurring overnight on a weekend with limited staffing, there’s a number of lessons enterprise organizations can learn from this example. Enterprise defenders should not sleep well at night if their organization is relying on traditional anti-virus tools to keep them safe. The fact that these tools can be bypassed with ease is no surprise to SpearTip; we see this all of the time. In order to better protect endpoints, a reliable EDR tool needs to be installed on all workstations and servers. Organizations also should understand that protecting networks from ransomware is not a nine-to-five gig; you need skilled security professionals monitoring alerts, logs, and network traffic around the clock.
SpearTip’s ShadowSpear® Platform is battle tested against Ryuk. In order for Ryuk to run successfully, it needs to inject its code into legitimate processes running in memory. ShadowSpear’s Memory Injection Prevention module specifically will prevent and detect Ryuk. Our Security Operations Center (SOC) is also fully staffed around the clock with skilled Analysts that protect our partners from middle-of-the-night attacks.
SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyberattacks, but also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack.