
CISA warns of disruptive ransomware attacks on US hospitals


Healthcare providers across the US have been warned of a large new wave of ransomware attacks that could impair their ability to treat COVID-19 patients.

The Cybersecurity and Infrastructure Security Agency (CISA) issued the alert to healthcare providers after multiple hospitals suffered ransomware attacks attributed to an Eastern European cybercriminal gang known as Wizard Spider.

Wizard Spider hit six hospitals in Oregon, California, and New York within a single day. As a result, most of the patients had to be transferred to other facilities.

The attacks are being described as the most disruptive cyber-attacks the healthcare sector has faced during the COVID-19 pandemic.

According to the notice, Wizard Spider has launched a massive new ransomware campaign that could affect hospitals' ability to treat coronavirus patients.



The alert was jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS). HHS itself was attacked in March 2020, in what the department said was an attempt to disrupt the country's coronavirus response.

The agencies say the attackers are using the Ryuk ransomware together with the TrickBot malware to target the healthcare sector. Ryuk was first observed in 2018. Its operators commonly use off-the-shelf tools such as PowerShell Empire and Cobalt Strike to steal credentials and maintain persistence inside a compromised network before the ransomware is deployed.

How Ryuk works

TrickBot, despite the takedown operation against its infrastructure a couple of weeks ago, remains one of the most damaging malware families in active use. Originally designed as a banking trojan, it now offers a range of capabilities, including point-of-sale (POS) data harvesting and crypto-mining.

The variant used against US healthcare providers includes a newer module, Anchor_DNS, added to TrickBot by its authors. It lets the attackers tunnel command-and-control (C&C) traffic over DNS, which keeps the communication discreet and allows data to be exfiltrated from high-profile targets over a protocol that almost every network allows outbound and few organizations inspect closely.
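DNS tunnelling of the kind described above leaves statistical traces in resolver logs that a defender can hunt for: one domain receiving many unique, unusually long, high-entropy subdomain queries, often as TXT records. The script below is an added example, not code from the original article, from CISA, or from any analysis of Anchor_DNS itself. It scores a constructed sample of DNS query logs on those features; the log format, the domain names, the thresholds, and the approximation of the registrable domain as the last two labels are all assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs (not real Anchor_DNS traffic).
# Format per line: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
1604000001 10.0.5.17 A www.example.com
1604000002 10.0.5.17 A cdn.example.com
1604000003 10.0.5.17 A mail.example.com
1604000004 10.0.5.17 A d1234abcd.static.example.org
1604000005 10.0.5.17 A d1234abcd.static.example.org
1604000006 10.0.5.17 A d1234abcd.static.example.org
1604000007 10.0.5.17 TXT 0a1b2c3d4e5f67899876f5e4d3c2b1a0.c2-example.test
1604000008 10.0.5.17 TXT fedcba98765432100123456789abcdef.c2-example.test
1604000009 10.0.5.17 TXT 13579bdf02468aceeca86420fdb97531.c2-example.test
1604000010 10.0.5.17 TXT a0b1c2d3e4f5678998765f4e3d2c1b0a.c2-example.test
1604000011 10.0.5.17 A 02468ace13579bdffdb97531eca86420.c2-example.test
1604000012 10.0.5.17 TXT 76543210fedcba9889abcdef01234567.c2-example.test
"""

# Assumed thresholds; tune against your own baseline of benign traffic.
MIN_UNIQUE_SUBDOMAINS = 5   # tunnels need many distinct names to carry data
MIN_MEAN_SUBDOMAIN_LEN = 20  # encoded payloads make long labels
MIN_MEAN_ENTROPY = 3.0       # bits per character; hex/base32 data scores high


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return int(ts), client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname):
    """Crude split into (registrable domain, subdomain) using the last two labels.
    A real deployment would use the Public Suffix List instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text):
    """Aggregate per registrable domain: query count, TXT share, and
    uniqueness / length / entropy of the subdomains seen under it."""
    per_domain = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, _, qtype, qname = rec
        split = split_name(qname)
        if split is None:
            continue
        domain, sub = split
        entry = per_domain[domain]
        entry["queries"] += 1
        if qtype == "TXT":
            entry["txt"] += 1
        entry["subs"].add(sub)

    report = {}
    for domain, entry in per_domain.items():
        subs = sorted(entry["subs"])
        report[domain] = {
            "queries": entry["queries"],
            "unique_subdomains": len(subs),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "txt_ratio": entry["txt"] / entry["queries"],
        }
    return report


def suspicious_domains(report):
    """Domains whose subdomain population looks like an encoded data channel."""
    return sorted(
        d for d, m in report.items()
        if m["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
        and m["mean_len"] >= MIN_MEAN_SUBDOMAIN_LEN
        and m["mean_entropy"] >= MIN_MEAN_ENTROPY
    )


if __name__ == "__main__":
    rep = analyze(SAMPLE_DNS_LOG)
    for domain in suspicious_domains(rep):
        m = rep[domain]
        print(f"{domain}: {m['unique_subdomains']} unique subdomains, "
              f"mean length {m['mean_len']:.1f}, entropy {m['mean_entropy']:.2f}, "
              f"TXT share {m['txt_ratio']:.0%}")
```

Requiring all three conditions together is what keeps CDN and telemetry hostnames (one long but repeated label, as in the example.org lines) out of the alert list; the TXT share is reported as a supporting indicator rather than a hard rule, since tunnels can also run over A, AAAA, or NULL records.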



CISA warns that, to move laterally, the attackers use a variety of native Windows mechanisms, including Windows Management Instrumentation (WMI), Windows Remote Management (WinRM), PowerShell, and the Remote Desktop Protocol (RDP). Because these are legitimate administrative tools, defenders cannot simply block them; the useful signal is unusual use of them, such as remote execution on hosts an account has never touched before.
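Each of those mechanisms leaves a characteristic trace in the Windows Security event log: RDP shows up as a logon with type 10, WMI and WinRM remote execution spawn child processes under WmiPrvSE.exe and wsmprovhost.exe, and hands-on-keyboard PowerShell tends to carry encoded commands or remoting cmdlets. One account touching several hosts in quick succession ties the pieces together. The script below is an added example, not code from the original article or the CISA alert, that applies those checks to a small set of constructed events (4624 logon and 4688 process-creation records in simplified dict form); the host names, account names, IP addresses, command lines, and the fan-out threshold are all assumptions.

```python
from collections import defaultdict

# Constructed Windows Security events in simplified dict form
# (4624 = account logon, 4688 = process creation). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "HOST-A", "TargetDomainName": "CORP",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.0.9.44"},
    {"EventID": 4688, "Computer": "HOST-B", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami > \\HOST-B\C$\out.txt"},
    {"EventID": 4688, "Computer": "HOST-C", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Computer": "HOST-D", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_backup",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-Command -ComputerName HOST-E -ScriptBlock { whoami }"},
    # Benign noise: a helpdesk RDP session to one workstation, and a user opening a browser.
    {"EventID": 4624, "Computer": "WS-014", "TargetDomainName": "CORP",
     "TargetUserName": "helpdesk1", "LogonType": 10, "IpAddress": "10.0.2.8"},
    {"EventID": 4688, "Computer": "WS-014", "SubjectDomainName": "CORP",
     "SubjectUserName": "jsmith",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
]

# Parent processes that only spawn children when a remote caller asks them to.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "WMI remote execution",
    "wsmprovhost.exe": "WinRM remote execution",
}
# Coarse PowerShell heuristics; "-enc" also matches "-encoding", so expect some
# noise from scripts that write files and tune the list to your environment.
POWERSHELL_FLAGS = ("-enc", "-encodedcommand", "invoke-command",
                    "-computername", "enter-pssession")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return one lateral-movement indicator for an event, or None."""
    eid = event.get("EventID")
    if eid == 4624 and event.get("LogonType") == 10:  # RemoteInteractive = RDP
        return {"technique": "RDP logon", "host": event["Computer"],
                "user": f'{event["TargetDomainName"]}\\{event["TargetUserName"]}',
                "detail": f'from {event.get("IpAddress", "?")}'}
    if eid == 4688:
        user = f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}'
        parent = basename(event.get("ParentProcessName", ""))
        if parent in REMOTE_EXEC_PARENTS:
            return {"technique": REMOTE_EXEC_PARENTS[parent], "host": event["Computer"],
                    "user": user, "detail": event.get("CommandLine", "")}
        cmd = event.get("CommandLine", "").lower()
        if (basename(event.get("NewProcessName", "")) == "powershell.exe"
                and any(flag in cmd for flag in POWERSHELL_FLAGS)):
            return {"technique": "suspicious PowerShell", "host": event["Computer"],
                    "user": user, "detail": event.get("CommandLine", "")}
    return None


def detect(events, fanout_threshold=3):
    """Classify every event, then flag accounts whose indicators span at least
    fanout_threshold distinct hosts (the 'one account, many machines' pattern)."""
    indicators = [ind for ind in (classify(e) for e in events) if ind]
    hosts_by_user = defaultdict(set)
    for ind in indicators:
        hosts_by_user[ind["user"]].add(ind["host"])
    alerts = {user: sorted(hosts) for user, hosts in hosts_by_user.items()
              if len(hosts) >= fanout_threshold}
    return indicators, alerts


if __name__ == "__main__":
    found, fanout = detect(SAMPLE_EVENTS)
    for ind in found:
        print(f'{ind["host"]:8} {ind["user"]:16} {ind["technique"]:24} {ind["detail"]}')
    for user, hosts in fanout.items():
        print(f"ALERT: {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

A single RDP logon by a helpdesk account is ordinary and stays below the fan-out threshold; the same account name appearing behind WMI, WinRM, RDP, and remoting PowerShell on four different hosts is the pattern worth paging on. In production the events would come from a SIEM or a Windows Event Forwarding collector, and the time window over which fan-out is counted matters as much as the threshold.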

According to Reuters, Wizard Spider is also tracked as UNC1878. Charles Carmakal, CTO at Mandiant, described the gang as among the most “brazen, heartless, and disruptive threat actors” he has ever seen.

Carmakal also said the latest wave of ransomware attacks against the US healthcare system could be the most dangerous cybersecurity threat they have seen in recent times.
