By Christopher Bing
WASHINGTON (Reuters) – The FBI is investigating the recent targeting with ransomware of more than two dozen hospitals across the United States by a sophisticated eastern European group, with a new wave of attacks in Oregon, California and New York becoming public just this week, according to three cybersecurity consultants familiar with the matter.
The heavy targeting of hospitals by this hacking group, known within the security industry as Wizard Spider or UNC-1878, has drawn the attention of federal law enforcement agencies and private sector cybersecurity investigators who say these types of digital attacks, which disrupt normal hospital operations, can lead to loss of life.
The attacks led to a teleconference call on Wednesday between hospital IT administrators, cybersecurity experts, FBI and Homeland Security officials.
A participant told Reuters that government officials warned hospitals to make sure their backup systems were in order and to disconnect systems from the internet where possible.
The Federal Bureau of Investigation did not immediately respond to a request for comment.
“This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country,” said Allan Liska, a threat intelligence analyst with U.S. cybersecurity firm Recorded Future.
“While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor.”
In the past, ransomware infections at hospitals have downed patient record-keeping databases, which critically store up-to-date medical information, affecting hospitals’ ability to provide healthcare.
Two of the three consultants familiar with the attacks said the cybercriminals were commonly using a type of ransomware known as “Ryuk,” which locks up a victim’s computer until a payment is received.
The teleconference call participant said government officials detailed that the attackers used Ryuk and another trojan, known as Trickbot, against the hospitals.
“UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career,” said Charles Carmakal, senior vice president for U.S. cyber incident response firm Mandiant.
“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline.”
(Reporting by Christopher Bing; Editing by David Gregorio)