The criminals have demanded a ransom ranging upward of $1 million to unlock the system, and some hospitals have paid, they said.
On Tuesday, the FBI, the Department of Homeland Security and the Department of Health and Human Services issued a joint advisory alerting health-care providers to the threat.
“The events unfolding right now have the potential to cause the loss of life, potentially across multiple hospitals,” said Charles Carmakal, chief technology officer for Mandiant, a cybersecurity firm, which has helped some of the hospitals affected try to recover their data.
The cybercriminals have been discussing their intent to target hundreds of U.S. health-care organizations, said Alex Holden, chief information security officer and president of Milwaukee-based Hold Security. One of those hospitals alone has more than 60 locations in the country, he said.
The criminals, who operate out of Eastern Europe, are not targeting election-related infrastructure in this campaign, the analysts said. But they are known to have gone after other targets, including state and local government networks.
In recent weeks, Microsoft and U.S. Cyber Command, the Pentagon’s offensive cyberunit, in separate campaigns sought to disrupt the criminals by dismantling the network of infected computers they used to deploy Ryuk. One goal, Microsoft and U.S. officials said, was to prevent the “botnet” from being used to deliver damaging ransomware that could lock up voter registration and other systems in the lead-up to the election.
But the criminals behind that botnet, known as Trickbot, have mostly moved to a new set of infected computers, analysts said. Microsoft said earlier that it expected the criminals to try to rebuild their network.
Though criminals have been deploying ransomware against hospitals since the beginning of the pandemic, having one group hit six separate hospital organizations in 24 hours is a step up in tactics, said Allan Liska, intelligence analyst at the cyberfirm Recorded Future. “If they can do this to six hospitals, there’s no reason they can’t do this to a dozen,” he said. “That means that patient care could be seriously impacted and people could die from something like that.”
A woman in Germany died last month when the hospital she went to for emergency care turned her away because it had suffered a ransomware attack. She died en route to another facility. It is unclear whether Ryuk was involved in that case, which is said to represent the first death linked to ransomware.
The attacks have shut down some procedures at Sky Lakes Medical Center in Klamath Falls, Ore., spokesman Tom Hottman said. The hospital is unable to offer cancer treatments that are computer-controlled, and the attack has curbed some diagnostic imaging as well. Doctors and nurses have turned to paper for patient records with the electronic system offline, Hottman said.
The ransomware attack on the hospital was detected early Tuesday morning, and staff were told to shut down their computers to slow the spread of the malware, he said. A cybersecurity firm arrived Wednesday afternoon at the hospital, Hottman said.
“It’s an evolving situation,” he said.
Sonoma Valley Hospital in Sonoma, Calif., was also infected, said people familiar with the matter. In a statement, the hospital, which acknowledged a cyberattack but did not specify ransomware, said it was “maintaining operations while computer systems are being fully restored.”
Likewise, St. Lawrence Health System in Potsdam, N.Y., was hit Monday, according to WWNY television. The hospital disconnected its computer systems to prevent the malware from spreading.
Correction: This story was updated to say the ransomware attack on Sky Lakes Medical Center was detected early Tuesday morning.