FBI, other agencies warn of 'imminent cybercrime threat' to U.S. hospitals

Ken Dilanian and Andrew Blankstein and Phil Helsel

Federal agencies are warning of "an increased and imminent cybercrime threat" to U.S. hospitals and healthcare providers, including so-called ransomware attacks.

The warnings were in a report released Wednesday, and authorities say that healthcare providers should take precautions to protect their systems.

The federal report says that the FBI, the Department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency have credible information about the threat.

The agencies say they have assessed that people are targeting the health sector with Trickbot malware, which in addition to data theft can result in ransomware attacks. Trickbot, among other illegal actions, can be used to deploy ransomware like Ryuk, a derivative of another type of ransomware.

With Trickbot, the malicious software typically is embedded in an email designed to fool the recipient into clicking on a link or document that then installs the malware.

Ransomware is generally described as a family of malware that blocks access to a PC, server or mobile device, or encrypts all the data stored on that machine.

To regain access, the user must pay a ransom. Typically, the payments are demanded in bitcoin.

"Ransomware attacks on our healthcare system may be the most dangerous cybersecurity threat we’ve ever seen in the United States," Charles Carmakal, senior vice president and chief technology officer of the cybersecurity firm Mandiant, said Wednesday.

Carmakal said that "UNC1878, an Eastern European criminal threat actor, is deliberately targeting and disrupting U.S. hospitals with ransomware, forcing them to divert patients to other healthcare providers."

That could cause longer wait times for care, and because of the Covid-19 pandemic, the danger of such attacks only increases, Carmakal said.

The federal report does not name UNC1878 and does not say who may be targeting health provider systems.

The FBI declined to comment, and the Cybersecurity and Infrastructure Security Agency, or CISA, did not immediately respond to a request for comment Wednesday.

A hospital in Oregon, Sky Lakes Medical Center, said Tuesday that it had been the victim of a ransomware attack, but it was not clear it was connected to the warning issued by the federal agencies.

The hospital in Klamath Falls said in a statement that there was no evidence that patient information has been compromised, but that "communications with the medical center will be a little complicated, however, until systems are restored." It also said that urgent and emergency care was still available and many scheduled procedures would go on as scheduled.

The three federal agencies do not recommend that victims pay the ransom, because there is no guarantee that files will be recovered, and paying may embolden others to carry out cyberattacks.

Ransomware was famously used in the global WannaCry cyberattack that crippled the U.K. National Health Service in 2017.

The WannaCry 2.0 ransomware attack struck computers in more than 150 countries.

Baltimore and the Florida cities of Riviera Beach and Lake City were the victims of ransomware attacks in 2019. In August 2019, 23 Texas towns were struck by what officials called a "coordinated" ransomware attack.

The report says that since 2016 the "cybercriminal enterprise" behind Trickbot has improved it, giving those who use it options to conduct a variety of cybercrimes, including the deployment of ransomware like Ryuk.

Ryuk first appeared in August 2018 as a derivative of another type of ransomware, the report says.

The document lists a number of steps hospitals, health care systems and others should take to improve the security of their systems.