Universal Health Services (UHS), which operates circa 400 healthcare facilities in the UK and US, has confirmed it has suffered a massive cyberattack.
According to employees, the organization’s computer systems have been locked and access to phone systems also affected. Although the precise nature of the attack has not yet been confirmed, all signs point to a ransomware infection.
One individual with direct knowledge of the situation explained that affected UHS computers began to serve up text that referred to “shadow universe” – a hallmark of Ryuk ransomware, operated by Russian cybercriminal syndicate Wizard Spider.
“Everyone was told to turn off all the computers and not to turn them on again. We were told it will be days before the computers are up again,” they said.
Despite the outages and temporary switch to “offline documentation methods”, UHS insists that “patient care continues to be delivered effectively”.
UHS ransomware attack
The ransomware is said to have taken hold over the weekend, potentially after an extended period laying dormant in UHS systems, but the organization claims to have a handle on the situation.
“The IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue,” explained the firm in a statement.
“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes.”
The firm also asserts that no patient or employee data has been accessed, copied or misused, which is surprising given the proclivity of ransomware operators to exfiltrate data before encrypting IT systems, to use as leverage.
Hospitals have become an increasingly popular target for cybercriminals, due to the high volume of personally identifiable information (PII) in storage, as well as the high stakes nature of the industry.
For example, hackers recently launched a ransomware attack on a German hospital, leading to the death of a woman who had to be rerouted to a separate facility 20 miles away. The incident is being treated as a homicide.
Another hospital in the Czech Republic was forced to suspend operations and shift patients to an alternative facility after an attack.
Some ransomware operators pledged not to target healthcare facilities at the height of the pandemic, during which period hospitals were overwhelmed with an influx of patients. Other malicious actors, including Ryuk, offered no such promises.
We will update this article as new information emerges.