Emotet malware strikes in a cyber attack

UHS Cyber Attack and the Rise of Ransomware

The major hospital and health care network Universal Health System was hit by potentially the largest cyberattack in U.S. history so far.

The computer infrastructure of Universal Health Systems (UHS) showed signs of failure on Sunday morning throughout the United Kingdom, Puerto Rico and the United States. The attack took down UHS’ network cross the United States. As the situation worsened patients have been moved to different rooms and facilities. Appointments and test results were also delayed as a consequence of the attack.

The attack encouraged one the UHS hospitals to move towards an all paper filing system, according to some individuals familiar with the situation. UHS operates more than 400 hospitals and facilities with over 90,000 employees.

The fortune 500 company said that there was no evidence that patient or employee had been misused, stolen or copied. Bleeping Computers, the online publication that first reported on the attack, spoke to employees who determined the ransomware attack had the tell-tale signs of the Ryuk virus.

What is Ryuk Ransomware?

Justin Heard, Director of Security, Intelligence and Analytics at Nuspire, noted that up until recently, Ryuk was used solely to target financial services, but over the last several months Ryuk has been seen targeting manufacturing, oil and gas, and now healthcare.

Ryuk is a type of ransomware that uses encryptions to cut off access to systems, files, and devices until the victim pays ransom. The ransomware is placed in a system by other types of malware.

The most common is TrickBot, however Ryuk can also gain access through Remote Desktop Service.

The Ryuk ransomware takes payments through Bitcoin and instructs victims to deposit the money in a particular Bitcoin wallet. The demand is usually between $100,000-$500,000 in Bitcoin depending on the conversion price of the cryptocurrency.

Once installed, the Ryuk malware spreads through the network infecting as many servers as it can.

The Ryuk Attack

An employee told Bleeping Computer that, during the cyberattack, files were being renamed to include the .ryk extension. This extension is used by the Ryuk ransomware, reports BleepingComputer. “Another UHS employee told us that one of the impacted computers’ screens changed to display a ransom note reading “Shadow of the Universe,” a similar phrase to that appearing at the bottom of Ryuk ransom notes. Based on information shared with BleepingComputer by Advanced Intel’s Vitali Kremez, the attack on UHS’ system likely started via a phishing attack,” BleepingComputer says.

An employee of UHS told Bleeping Computer that files were being renamed to include the .ryk extension as the cyber-attack took place. Based on information provided to Bleeping Computers the attack on UHS’ system began as a phishing attack.

Many health care workers posted notes about the situation at various Universal Health facilities in a Reddit thread. One in Florida noted that it was “a hot mess in the ER today.” Ambulances with heart patients were being diverted because the facility’s catheterization lab was down, the person posted.

Another nurse in a facility in North Dakota said computers slowed down and then didn’t turn on Sunday morning.

Ransomware & Medical Facilities

Hospitals are high valued targets for cyber attackers because they hold incredibly valuable personal information that can be sold on the dark web or used as leverage for a ransom payment.
A ransomware bug called WannaCry was used in 2017 to target Microsoft Window’s operating system at the time. It spread through an exploit named EternalBlue and reached the U.K.’s National Health System.

The WannaCry ransomware impacted 80 medical facilities although there were no reported deaths as a result.

Hospitals are the perfect target for threat actors because they rely on critical and immediate care to assist patients in need. That means solutions and treatment are time sensitive and dependent on drug history and other medical information to proceed. Without this information patients can suffer or die. This makes hospitals likelier to pay a ransom instead of risking lives by delaying.

Ransomware and other Businesses

Hospitals are not the only industries suffering from malware. We’ve covered cases of schools, businesses and entire cities being impacted by ransomware attacks.

In October, 2019 the technology company Pitney Bowes, was attacked by malicious ransomware. Its shipping and mailing services were compromised and disrupted client access to their services.
Ransomware is a growing problem as over 140 attacks were reported in 2019 targeting state and local governments as well as health care providers like UHS.

As we’ve shown, hospitals and the health services industry are prime targets but are not the only targets. For this reason many businesses are adopting Managed IT services to help deal with this rise in cybercrime.

Emotet Malware

In July 2020 there was a rise in Emotet malspam campaigns. Emotet is a banking malware that infects systems to try and steal sensitive financial information.

The Emotet Malware was first identified in 2014. It was originally just a banking malware. However, later versions were designed to include spamming and malware delivery services. This made it more dangerous and easier to spread.

These campaigns infected victims with Trickbot and Qbot malware. If you’ve been paying attention, you’ll recognize TrickBot malware from earlier.

Emotet is a Trojan that spreads mainly through spam emails. These malicious emails might take on the disguise of legitimate emails. As a result they often persuade users to click on a link or button.
That’s how most likely how the UHS attack took place. As we’ve seen with Emotet, these ransomware attacks only get more sophisticated and more popular as their success rate increases.
Ransomware has become the most popular form of attack growing 350 percent since 2018. What’s more, ransomware from phishing emails like Emotet have increased by 109 percent since 2017.

What should be Done?

There are researchers that are calling for a ban on paying ransomware. However, that recommendation is controversial and not mainstream. They argue that refusing to pay ransomware reduces any incentive a hacker might have and will reduce the rise of malware hacks.

This solution doesn’t address the fact that hackers who gain access to company data can still use it.  Cyber attackers can sell it on the black market, or continue to freeze should the ransom remain unpaid.

The only real solution so far is to educate and train employees as much as possible to avoid malicious or fraudulent email scams.  IT services companies often play a role in educating their clients on these matters but it falls on the business to teach personnel of the risks.  IT consulting can benefit many smaller and medium sized companies who aren’t equipped with the appropriate tools needed to combat these threats.

Even the most dedicated cyber security team with the most sophisticated digital tools will mean nothing if an employee opens the wrong email, clicking on an infected link. Companies that don’t dedicate the time to training their employees turn them into liabilities and the more vulnerable your employees, the more vulnerable the company.