An uptick in chatter on the Russian-language criminal underground in the run-up to the 2020 US presidential election suggested a massive coordinated campaign to disrupt the United States through destructive ransomware attacks on US hospitals and other healthcare delivery organizations (HDOs). According to the New York Times, the hackers, believed to be based in Moscow and St. Petersburg, had been trading a list of more than 400 hospitals they planned to target. This information came from Alex Holden, the founder of Hold Security, who shared it with the F.B.I.
The planned attacks were thought to leverage Trickbot, a botnet of infected computers used to deliver the payload, and Ryuk, the ransomware payload itself. According to Check Point, the Ryuk strain accounted for 75% of the ransomware attacks on the U.S. healthcare sector in October 2020, causing massive disruption to hospitals and interrupting critical patient services.
According to Bloomberg, the hacking group responsible, tracked as UNC1878 by some analysts and as Wizard Spider by others, had already hit at least nine hospitals in three weeks, crippling critical computer systems and demanding multimillion-dollar ransoms.
Whether this was partly motivated by the Kremlin to weaken democratic resolve and confidence in US election systems is so far unknown, as is any intended manipulation of results to favor one presidential candidate over another. The Russian state is known from past attacks to use freelance criminal proxies to orchestrate some, if not many, of its cyberattacks.
What is known, however, is that United States Cyber Command, in coordination with Microsoft and other technology companies, took down the majority of an extensive global Trickbot network a few weeks before this threat was first discovered, so the hospital campaign may have been attempted retribution by the cyber-criminals.
The threat was considered so great, and so many major US hospitals were mentioned by name in criminal underground conversations, that CISA, the FBI and HHS held several joint briefings for hospital executives and those who support them. These briefings outlined the nature of the threat and advised HDOs to watch for anomalous activity that could be an indicator of compromise (IOC), while patching known attack vectors and other security vulnerabilities with all due haste.
The American College of Clinical Engineering (ACCE), in support of its members, asked Cylera and its threat intelligence arm, CyleraLabs, based in Madrid, to provide a deeper dive into the Ryuk ransomware family, to brief the ACCE membership on IOCs, and to advise member hospitals on how to prevent and recover from such an attack. The following briefing and panel discussion with MDs, security leaders and clinical engineers is the result of that request.