Cybercriminals target U.S. health care systems

Cybercriminals attacked at least six U.S. hospitals this week, including Sky Lakes Medical Center in Oregon. A three-agency national advisory was issued Thursday warning of an increased threat of cybercrime against health care and public health organizations using Ryuk ransomware, a type of malware that encrypts victims’ files and demands payment for the key to decrypt them. The alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS).

The hackers are demanding ransoms of up to $1 million to unlock affected systems, according to a report by The Washington Post.


The cybercriminals, who appear to be based in Eastern Europe, are specifically targeting U.S. hospitals and health care providers. The agencies urge organizations in the health care field to take precautions to protect their networks from these threats, which often lead to ransomware infections, data theft and the disruption of health care services.

Trickbot malware developers have recently added new functionality and tools that make their operation more effective. Trickbot started as a banking trojan and now provides its operators with a full suite of tools to conduct cybercrime: harvesting credentials, accessing email, cryptomining, exfiltrating point-of-sale data and deploying ransomware such as Ryuk. In 2019 the FBI began observing new Trickbot modules designed to target high-profile victims, such as large corporations. Trickbot developers also created anchor_dns, a tool for sending and receiving data from victims’ machines using Domain Name System (DNS) tunneling. The DNS tunnel is a backdoor that lets the criminals communicate with their command and control servers while blending in with typical DNS traffic, which most network defenses do not inspect closely.
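DNS tunneling of the kind described above leaves a recognizable footprint in resolver logs: one client issuing many distinct, long, high-entropy subdomains under a single domain, often in TXT or other data-bearing record types. The following Python script is an added example, not code from the advisory, the article or the Trickbot authors. It runs a simple heuristic detector over a constructed sample log in an assumed "<client_ip> <qtype> <qname>" format; the domain, labels and thresholds are illustrative and make no claim about anchor_dns's real domains or encoding.

```python
"""Heuristic DNS-tunneling detector run over a constructed DNS query log.

Added example, not code from the CISA/FBI/HHS advisory or the article.
Assumed input format (constructed here): one query per line,
"<client_ip> <qtype> <qname>".
"""
import math
from collections import defaultdict

# Constructed sample log. Client 10.0.0.12 does normal lookups and then sends
# many long, hex-looking TXT queries to one domain (the tunnel). Client
# 10.0.0.15 also queries many subdomains of one domain, but they are short
# A lookups, which is what a CDN or web app normally looks like.
SAMPLE_DNS_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 A mail.example.com
10.0.0.12 TXT 3c5a9f0b1e2d4c7a8b9f0e1d2c3b4a5f.evil-tunnel.example
10.0.0.12 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.evil-tunnel.example
10.0.0.12 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.evil-tunnel.example
10.0.0.12 TXT a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.evil-tunnel.example
10.0.0.12 TXT b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7.evil-tunnel.example
10.0.0.12 TXT c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.evil-tunnel.example
10.0.0.12 TXT d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9.evil-tunnel.example
10.0.0.12 TXT e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.evil-tunnel.example
10.0.0.15 A cdn.example.net
10.0.0.15 A static.example.net
10.0.0.15 A img1.cdn.example.net
10.0.0.15 A img2.cdn.example.net
10.0.0.15 A img3.cdn.example.net
10.0.0.15 A img4.cdn.example.net
"""

# Record types commonly abused to carry tunneled data.
DATA_QTYPES = ("TXT", "NULL", "CNAME", "MX")


def shannon_entropy(text):
    """Bits of entropy per character: random hex tops out at 4.0, words ~2-3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive last-two-labels split; production code should use the Public
    Suffix List so that names like foo.co.uk are grouped correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_dns_log(log_text):
    """Yield (client, qtype, qname) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1].upper(), parts[2].rstrip(".").lower()


def detect_tunneling(log_text, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Return one alert per (client, domain) pair that looks like a tunnel.

    A pair is flagged when the client queried at least `min_unique` distinct
    subdomains and at least two of three signals fire: long first labels,
    high-entropy first labels, mostly data-carrying record types.
    """
    groups = defaultdict(list)
    for client, qtype, qname in parse_dns_log(log_text):
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".")  # "" when qname == domain
        groups[(client, domain)].append((qtype, sub))

    alerts = []
    for (client, domain), queries in sorted(groups.items()):
        subs = {sub for _, sub in queries if sub}
        if len(subs) < min_unique:
            continue
        first_labels = [sub.split(".")[0] for sub in subs]
        avg_len = sum(len(lab) for lab in first_labels) / len(first_labels)
        avg_entropy = sum(shannon_entropy(lab) for lab in first_labels) / len(first_labels)
        data_ratio = sum(1 for qtype, _ in queries if qtype in DATA_QTYPES) / len(queries)
        reasons = []
        if avg_len >= min_label_len:
            reasons.append("long-labels")
        if avg_entropy >= min_entropy:
            reasons.append("high-entropy")
        if data_ratio >= 0.5:
            reasons.append("data-qtypes")
        if len(reasons) >= 2:
            alerts.append({"client": client, "domain": domain,
                           "unique_subdomains": len(subs),
                           "avg_label_len": round(avg_len, 1),
                           "avg_entropy": round(avg_entropy, 2),
                           "data_qtype_ratio": round(data_ratio, 2),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(SAMPLE_DNS_LOG):
        print("SUSPECT", alert)
```

Requiring two of three signals keeps a busy CDN (many short, low-entropy A lookups) from firing while still catching a tunnel that switches record types; in practice the thresholds should be tuned against a baseline of the organization's own resolver logs, and a real tunnel may also chunk data into several labels per name, which this example scores only by the first label.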

The initial Ryuk ransomware attack is often launched via phishing emails or through an exposed remote desktop protocol (RDP) port; the attackers then steal personal data and credentials before encrypting data and demanding payment, according to the health law firm Hall Render.

For health care organizations, an attack of this nature can directly impact patient care and prevent providers from performing critical health care operations, a Hall Render report reads.

The firm advises health care organizations to actively monitor their networks for signs of unusual activity and data exfiltration; look for evidence of Trickbot or Emotet; encrypt data to the greatest extent possible; back up data regularly; ensure all applications have been updated and patched for known vulnerabilities; deploy software that filters and blocks suspicious emails; close exposed RDP ports; and remember that telemedicine and other remote access points are also at risk, so require multi-factor authentication, maintain backup systems, control access and monitor access logs.
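Two of the recommendations above, watching exposed RDP and monitoring access logs, can be illustrated with a small detector. The Python below is an added example, not code from Hall Render, the advisory or the article. It reads constructed Windows Security events exported as JSON lines (the field names are an assumption of this example; event IDs 4625 and 4624 and logon type 10 for RDP are Windows' own) and flags a burst of failed RDP logons from one source, escalating when a successful RDP logon from that same source follows the burst.

```python
"""Flag RDP password-guessing in constructed Windows Security events.

Added example, not code from the article, Hall Render or the advisory.
Assumes events exported as JSON lines with the field names used below
(an assumption of this example). Event ID 4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample: an external host guesses five usernames in about 30
# seconds and then logs in; an internal user mistypes a password once and
# then succeeds; one console (type 2) failure is present to show it is ignored.
SAMPLE_EVENTS = """\
{"time":"2020-10-29T02:00:05Z","event_id":4625,"logon_type":10,"user":"administrator","src_ip":"203.0.113.7","host":"WS-RDP01"}
{"time":"2020-10-29T02:00:09Z","event_id":4625,"logon_type":10,"user":"admin","src_ip":"203.0.113.7","host":"WS-RDP01"}
{"time":"2020-10-29T02:00:14Z","event_id":4625,"logon_type":10,"user":"backup","src_ip":"203.0.113.7","host":"WS-RDP01"}
{"time":"2020-10-29T02:00:20Z","event_id":4625,"logon_type":10,"user":"scanner","src_ip":"203.0.113.7","host":"WS-RDP01"}
{"time":"2020-10-29T02:00:27Z","event_id":4625,"logon_type":10,"user":"helpdesk","src_ip":"203.0.113.7","host":"WS-RDP01"}
{"time":"2020-10-29T02:01:02Z","event_id":4624,"logon_type":10,"user":"helpdesk","src_ip":"203.0.113.7","host":"WS-RDP01"}
{"time":"2020-10-29T08:15:00Z","event_id":4625,"logon_type":10,"user":"jsmith","src_ip":"10.0.0.44","host":"WS-RDP01"}
{"time":"2020-10-29T08:15:30Z","event_id":4624,"logon_type":10,"user":"jsmith","src_ip":"10.0.0.44","host":"WS-RDP01"}
{"time":"2020-10-29T08:20:00Z","event_id":4625,"logon_type":2,"user":"jsmith","src_ip":"-","host":"WS-RDP01"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP with >= `threshold` failed RDP logons
    inside `window`; escalate if a successful RDP logon from that IP follows."""
    rdp = [e for e in parse_events(text) if e["logon_type"] == RDP_LOGON_TYPE]
    failures = defaultdict(list)  # already time-ordered thanks to parse_events
    for event in rdp:
        if event["event_id"] == FAILED_LOGON:
            failures[event["src_ip"]].append(event)

    alerts = []
    for ip, fails in failures.items():
        for i in range(len(fails) - threshold + 1):
            start = fails[i]["time"]
            burst = [f for f in fails[i:] if f["time"] - start <= window]
            if len(burst) < threshold:
                continue
            later_success = [e for e in rdp if e["event_id"] == SUCCESS_LOGON
                             and e["src_ip"] == ip and e["time"] >= start]
            alert = {"src_ip": ip, "host": burst[0]["host"],
                     "first_failure": start.isoformat(),
                     "failures": len(burst),
                     "usernames_tried": len({f["user"] for f in burst}),
                     "severity": "brute-force"}
            if later_success:
                # A success right after a guessing burst is the signal that
                # matters most: treat it as a probable credential compromise.
                alert["severity"] = "brute-force-then-success"
                alert["compromised_user"] = later_success[0]["user"]
                alert["success_time"] = later_success[0]["time"].isoformat()
            alerts.append(alert)
            break  # one alert per source; a SIEM would suppress repeats instead
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert["severity"].upper(), json.dumps(alert))
```

The single internal failure followed by a success is deliberately not alerted on, since that is what a mistyped password looks like; the external burst across several usernames is the pattern an exposed RDP port attracts within hours, and the success that follows it is what multi-factor authentication on remote access is meant to prevent.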