Despite some ransomware operators promising that healthcare services were out of bounds, one operator carried out a successful attack against a major healthcare provider. Universal Health Services (UHS), a Fortune 500 company, fell back to manual, paper-based processes after a Ryuk ransomware attack took its computer systems offline.
UHS employees took to social media to report the attack, which affected several of the provider's facilities. Ryuk ransomware was implicated after a ransom note typical of Ryuk appeared on the affected computers.
One Reddit user claimed that four patients died because of delayed medical care arising from the Ryuk ransomware attack. The same Redditor claimed that the facility was diverting patients to smaller hospitals by ambulance while test results were delivered by courier. Other UHS employees said that healthcare services were likely to be disrupted despite the assurances given by the hospital's management.
UHS operates over 400 hospitals serving millions of patients across the United States and the United Kingdom.
Ryuk ransomware attack indicators of compromise
The primary evidence of the Ryuk ransomware attack was a ransom note containing the phrase “Shadow of the Universe”, which is associated with Ryuk's operators. According to UHS employees, the note appeared on every compromised computer. In addition, encrypted files had a “.RYK” extension appended to their names, which is typical of a Ryuk infection.
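The two indicators above (the “.RYK” extension and the note text) are enough to build a read-only triage scan of a file share. The script below is an added example written for this article, not code from UHS or from any vendor named here; the sample directory it builds, the note file name and the 5% ratio threshold are constructed assumptions, and the phrase match is deliberately case-insensitive because the note text varies between Ryuk samples.

```python
"""Read-only triage scan for the Ryuk indicators named in the article:
files renamed with a ".RYK" extension and dropped ransom notes containing
"Shadow of the Universe". Added example; paths and thresholds are assumptions."""
import os
import tempfile
from dataclasses import dataclass, field

RYUK_EXTENSION = ".ryk"                      # matched case-insensitively
RANSOM_NOTE_PHRASE = "shadow of the universe"  # matched case-insensitively
MAX_NOTE_BYTES = 64 * 1024  # notes are small; never slurp large encrypted blobs


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    total_files: int = 0

    @property
    def encrypted_ratio(self) -> float:
        # Guard the empty-tree case so the verdict logic never divides by zero.
        if self.total_files == 0:
            return 0.0
        return len(self.encrypted_files) / self.total_files


def looks_like_ransom_note(path: str) -> bool:
    """Return True if the first MAX_NOTE_BYTES of the file contain the note phrase.
    Reads only; unreadable files are treated as 'not a note' rather than raising."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_NOTE_BYTES)
    except OSError:
        return False
    return RANSOM_NOTE_PHRASE in head.decode("utf-8", errors="ignore").lower()


def scan_tree(root: str) -> ScanResult:
    """Walk root without modifying anything and collect both indicator types."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            result.total_files += 1
            if name.lower().endswith(RYUK_EXTENSION):
                result.encrypted_files.append(path)
            elif looks_like_ransom_note(path):
                result.ransom_notes.append(path)
    return result


def verdict(result: ScanResult, ratio_threshold: float = 0.05) -> str:
    """Combine the indicators: both present is a confirmed Ryuk signature, a large
    share of .RYK files alone is likely, a single hit is merely suspicious."""
    if result.ransom_notes and result.encrypted_files:
        return "CONFIRMED"
    if result.encrypted_files and result.encrypted_ratio >= ratio_threshold:
        return "LIKELY"
    if result.encrypted_files or result.ransom_notes:
        return "SUSPICIOUS"
    return "CLEAN"


def build_sample_tree() -> str:
    """Constructed sample share for the demo (not real UHS data): one encrypted
    radiology file, one ransom note and one untouched spreadsheet."""
    root = tempfile.mkdtemp(prefix="ryuk-demo-")
    os.makedirs(os.path.join(root, "radiology"))
    with open(os.path.join(root, "radiology", "study1.dcm.RYK"), "wb") as fh:
        fh.write(os.urandom(256))  # stands in for ciphertext
    with open(os.path.join(root, "radiology", "README.txt"), "w") as fh:  # assumed note name
        fh.write("Your network has been penetrated.\n"
                 "Balance of Shadow of the Universe.\n")
    with open(os.path.join(root, "schedule.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04 not really a spreadsheet")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    res = scan_tree(sample)
    print(verdict(res), f"{len(res.encrypted_files)} encrypted, "
          f"{len(res.ransom_notes)} notes, {res.total_files} files")
```

Point the scan at a mounted copy or snapshot rather than a live share during an incident, since the walk touches access times and a responder should not be the one altering evidence; the note match is a weak signal on its own, which is why the verdict only escalates when it coincides with renamed files.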
Ryuk ransomware is operated by Wizard Spider, a Russian cybercrime gang, according to threat intelligence firm CrowdStrike. The gang targets large organizations; earlier Ryuk incidents include the attack on logistics firm Pitney Bowes and an infection at a maritime facility that was the subject of a U.S. Coast Guard security bulletin.
In the past the ransomware primarily targeted financial services, but its operators have since diversified to healthcare providers and other large organizations. Ryuk ransomware operators are known for making very high ransom demands.
Although some ransomware operators promised to stay off healthcare services during the COVID-19 pandemic, Ryuk ransomware made no such promises.
UHS Ryuk ransomware attack timeline
The attack started in the early hours of Monday, Sep 28. UHS employees took to Reddit and other social media platforms to report the attack on Universal Health Services. They indicated that various UHS facilities had resorted to manual processes after the cyberattack crippled their computer systems, and that the provider was turning away patients through ambulance diversion.
One employee said that workers at the facility had no access to “anything computer-based” including EKGs or PACS radiology systems. Another Georgia-based UHS worker said they were handwriting everything and were not allowed to switch on the computers.
Adam Laub, General Manager at Stealthbits Technologies, says ransomware attacks against healthcare providers are sinister and shameful, especially during a global pandemic.
“Cyberattacks that so directly impact human life are particularly sinister and shameful. Especially in the thick of a global pandemic, targeting healthcare institutions undoubtedly puts these sorts of cybercriminals on a different level than even those who have impacted hundreds of millions of consumers in a single act, like we’ve seen at organizations like Equifax, MySpace, and eBay in recent years. Frustratingly, these cybercriminals – whether small hacker groups or well-resourced nation-states – are but 1’s and 0’s in the ether and will likely never be brought to justice for their crimes.”
Commenting on the story, Sanjay Jagad, senior director of products and solutions at Cloudian, says such attacks undermine the reputation of the affected organization. He further noted that perimeter security solutions inevitably fall short against increasingly sophisticated ransomware attacks, and argued for protecting the backup copy itself.
“To truly safeguard themselves, organizations must instead protect data at the storage layer. The easiest way to do this is to keep a backup data copy on immutable storage: once written, the backup cannot be changed or deleted for a specific period. This prevents malware from being able to encrypt the data and lock the victim out. If a ransomware attack occurs, organizations can restore an unencrypted copy of the data via a simple recovery process. In the past, you needed specialized storage devices to get this feature. However, select enterprise storage systems now offer a new feature called Object Lock to provide such immutability.”
Universal Health Services response
UHS released a statement saying that the “IT network across Universal Health Services (UHS) was offline because of an IT security issue.” The provider added that it would “implement extensive IT security protocols and are working diligently with its security partners to restore IT operations as quickly as possible,” and said that, to its knowledge, no patient or employee data was accessed, copied, or misused during the Ryuk ransomware attack.