TechGuard Blog

Universal Health Services Falls Victim to Ransomware

Recently, one of the largest healthcare service providers, Universal Health Services, suffered a ransomware attack against multiple locations around the United States. According to UHS employees, locations in California, Florida, Texas, Arizona, and Washington DC were impacted, leaving them unable to access their computers and phone systems. The systems were affected by a ransomware known as Ryuk. Ryuk made headlines in the fall of 2019


Affecting Healthcare

This most recent incident comes less than two weeks after a ransomware attack in Germany. That attack resulted in the death of a patient, after the affected hospital had to divert ambulances to other hospitals. UHS has had to divert patients to other hospitals as well, and since the attack began there have been four deaths as doctors awaited lab results. It has not been verified that these deaths were directly due to the ransomware attack. However, this most recent attack, coupled with the incident in Germany, will hopefully shine a light on the severity of cyberattacks, and more specifically ransomware. If healthcare providers don't take cybersecurity seriously, these incidents will continue to happen, and unfortunately, they're going to get worse.

In the early days of the pandemic, many ransomware groups came forward to pledge that they would not attack healthcare providers during this time. One such group, known as Maze, pledged in March of 2020 to take it easy on the healthcare industry. Whether or not these groups can be trusted is TBD. However, the Ryuk group responsible for this attack was not one of them, and several groups have already gone back on their word. It's a nice sentiment, but it does not mean that security professionals can relax their posture. It's always better to be safe than sorry. We can't let our guard down, especially at a time like this.

UHS has turned to its backup processes, which include offline documentation for methods of treatment, to continue caring for patients as safely and effectively as it can. Unfortunately, this greatly slows down patient treatment.


Attacked through phishing

According to cybersecurity professionals, it's believed that the attack started as a phishing scam. The Andariel intelligence platform detected trojans affecting UHS throughout 2020 and as recently as September. To get technical for a moment, the Emotet trojan used in the phishing emails also installs TrickBot, which opens a reverse shell to the attackers after sensitive information is harvested from the compromised networks. Once in the network, the attackers can gain administrative credentials and then deploy the ransomware payloads on network devices using PsExec. With this being a ransomware attack, there is a good chance that patient and employee data was stolen as well, increasing the damages.
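One way to watch for the PsExec deployment step described above, as an added example that is not part of the original post: by default PsExec installs a service named PSEXESVC on each target, which Windows records as System log event 7045, so one account installing it on many hosts in a few minutes stands out. The record fields, host names and accounts below are constructed, and the 10-minute window and three-host threshold are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: simplified fields from Windows System log event 7045
# ("A service was installed in the system"). Hosts and accounts are invented,
# and the field names assume a log pipeline that normalizes events this way.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T02:10:05", "host": "WS-101", "event_id": 7045, "service": "PSEXESVC", "user": "CORP\\svc-admin"},
    {"time": "2021-03-01T02:11:40", "host": "WS-102", "event_id": 7045, "service": "PSEXESVC", "user": "CORP\\svc-admin"},
    {"time": "2021-03-01T02:12:02", "host": "SRV-DB1", "event_id": 7045, "service": "PSEXESVC", "user": "CORP\\svc-admin"},
    {"time": "2021-03-01T02:13:30", "host": "WS-103", "event_id": 7045, "service": "psexesvc", "user": "CORP\\svc-admin"},
    {"time": "2021-03-01T02:14:00", "host": "WS-104", "event_id": 7045, "service": "BackupAgent", "user": "CORP\\svc-admin"},
    {"time": "2021-03-01T09:00:00", "host": "WS-200", "event_id": 7045, "service": "PSEXESVC", "user": "CORP\\helpdesk"},
    {"time": "2021-03-01T14:00:00", "host": "WS-201", "event_id": 7045, "service": "PSEXESVC", "user": "CORP\\helpdesk"},
]

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when one account installs PSEXESVC on >= min_hosts hosts within window."""
    by_user = defaultdict(list)
    for ev in events:
        # PSEXESVC is only the default name (PsExec's -r option changes it),
        # so treat this as one signal among several, not a complete detection.
        if ev["event_id"] == 7045 and ev["service"].upper() == "PSEXESVC":
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))

    alerts = []
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        while start < len(hits):
            t0 = hits[start][0]
            in_window = [h for h in hits[start:] if h[0] - t0 <= window]
            hosts = sorted({host for _, host in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "first_seen": t0.isoformat(), "hosts": hosts})
                start += len(in_window)  # skip events already reported
            else:
                start += 1
    return alerts

if __name__ == "__main__":
    for alert in psexec_fanout(SAMPLE_EVENTS):
        print(alert)
```

Routine single-host administrative use, like the helpdesk entries in the sample, stays below the threshold, while the burst from one account across four machines is reported.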


What can be done?

The reality is that incidents like this one are often avoidable. It just takes an investment in cybersecurity, but when valuable data and even lives are on the line, it’s a worthy investment. Some proactive measures can be taken to avoid this type of attack.

  • Security Awareness Training – Training staff on basic cybersecurity practices can go a long way in keeping your company, employees and customers safe. If employees are trained on phishing emails and other tactics used by cybercriminals, they’ll be better prepared to avoid falling for them and will know what mistakes to avoid.
  • Penetration Testing and Vulnerability Assessments – Proactively scanning your network and testing for vulnerabilities will allow you to fix any issues before they’re exploited by an attacker.
  • Incident Response Planning and Exercise – Cybersecurity incidents should be avoided at all costs, but having a plan in place is critical. As an employee, business owner or cybersecurity professional, it is your responsibility to ensure you are prepared to respond to incidents when they occur. Incident response planning and exercises provide a means to test your current incident response plan and ensure that it is adequate before an incident occurs. These activities ensure that everyone will know how to appropriately respond to an incident and what the next steps are.


As technology advances, so do cybercriminals, and the trend doesn’t seem to be slowing down any time soon. That’s why our cybersecurity tactics must also advance in turn to keep up with the ever-changing threat landscape. Hospitals should become more technologically advanced to provide better and more efficient healthcare to their patients, but in order to do that, they have to understand the risks involved and how to remediate them. Otherwise, they’ll continue to be the hardest-hit industry when it comes to cyberattacks.


Written by Matthew Rech