Ryuk Ransomware Attack Hits Major Universal Health Services Hospital Chain

Universal Health Services corporate offices, King of Prussia, PA (US)

Universal Health Services (UHS), a major provider of hospital and healthcare services with over 400 facilities across the US, Puerto Rico and the UK, has been hit with a large-scale cyberattack. Based on reports from several UHS employees, Ryuk ransomware operators are the likely culprits.

How the Ransomware Attack Unfolded

The attack started early on Sunday morning, when all of a sudden “systems just began shutting down”. This is what a UHS employee posted on Reddit. Multiple antivirus programs were disabled by the attack and “hard drives just lit up with activity”. Everyone was told to turn off all devices and not to turn them on again.

Both computer and phone systems were knocked offline in at least 80 UHS facilities across the US, including California, Las Vegas, Florida, Texas, Arizona, Georgia, North Dakota, and Washington D.C. UHS, a Fortune-500 company, also has facilities in Puerto Rico and the UK. However, at the moment, no UHS facilities in those countries are affected.

Information coming directly from employees seems to point to Ryuk ransomware. For instance, one worker said encrypted files were appended with the .RYK extension, pointing to a virus from the Ryuk ransomware family. Ruyk is also designed to create a text file including a ransom note. The ransom amount of USD50 million in Bitcoin, circulating on Reddit comments about the attack, has not yet been confirmed.

“Patient Care Delivered Safely”

In a brief official statement issued on Monday, UHS said that their IT network was offline due to an IT security issue. The healthcare service provider is working with IT security partners to restore IT operations as quickly as possible. UHS confirms that patient care continues to be delivered safely and effectively. Moreover, it appears that no patient or employee data has been accessed.

In the meantime, however, UHS’s facilities in the US are using back-up processes including “offline documentation methods”, which one assumes means pen and paper. Affected hospitals are also redirecting ambulances and relocating certain patients to other, nearby hospitals. According to the healthcare provider’s website, UHS treats approximately 3.5 million patients each year.

“We have no access to anything computer based, including old labs, EKG’s, or radiology studies”, another Reddit user said just yesterday. A nurse posting on the same forum wrote that she had to handwrite all her notes and look through charts for each treatment goal. “It was a nightmare.” Another nurse commented: “Our medication system is all online, so that’s been difficult.”

Big Game Hunters

Despite promises to halt cyberattacks on healthcare organizations and hospitals during the Covid-19 crisis, this is the second attack on a hospital this month. On September 10, a ransomware attack hampered emergency services at a large University Hospital in Düsseldorf, Germany. In this case, however, the cybercriminals had made a mistake. They had intended to attack a University also located in the city of Düsseldorf. As soon as they were made aware of the error, the cybercriminals aborted the attack.

Notably, Ryuk’s operators have not make the same pledge as a number of other ransomware operators, such as CLOP, Maze, and DoppelMayer. Moreover, Ryuk operators are known as “big game hunters”, who target large organizations and government institutions. The attack on UHS seems to be the largest of its kind on a medical facility.

Unfortunately, the healthcare sector is an easy target for cybercriminals. There is likely to be a shortage of resources and most healthcare organizations work with legacy systems. Furthermore, currently there is a lot of pressure on hospitals and healthcare workers because of Covid-19. It is not yet known when UHS’s systems will be fully restored.

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For VPNoverview.com she follows relevant cybercrime and online privacy developments. She rigorously tests the quality of VPN services using VPNOverview.com's dedicated VPN testing protocol that has been finetuned and optimized over the years.