Ransomware attacks on hospitals could soon surge, FBI warns

As cases continue to rise from the coronavirus pandemic, hackers are targeting health care systems.

Alfred Ng Senior Reporter / CNET News


US officials are warning hospitals to expect a wave of ransomware attacks soon, urging health care providers to take precautions to protect themselves before the hacks hit. 

In a joint warning from the FBI, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services on Wednesday night, the agencies said the Russian botnet Trickbot is targeting health and public services with ransomware attacks. 

The malware encrypts computers and prevents victims from being able to use them unless they pay the ransom. The ransom demands are often expensive, but it can be even more costly for victims who don't pay. When the city of Atlanta suffered a ransomware attack in 2018, it paid $2.6 million to recover from it, while the ransom itself was $52,000. In Germany, a patient died because a ransomware attack in September infected the nearest hospital when she needed urgent medical care.

The attacks are now expected to hit hospitals in the US as another wave of coronavirus infections arrives.


"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and health care providers," the agencies said in their warning.

The ransomware is being delivered through Trickbot, one of the largest botnets in the world. It's operated by Russian cybercriminals, and is also used for other hacks including cryptomining and financial data theft. 

Microsoft and other cybersecurity companies briefly took down the botnet through a court order, but it resurfaced within days.

The agencies said that the ransomware strain being used is likely Ryuk, a highly infectious ransomware attack that's been active since 2018. The malware quietly plants itself within a network to get as much access as possible before launching, sometimes shutting down security systems that would have protected victims. 

Cybersecurity company SonicWall said there was a 40 percent rise in ransomware attacks this year, with a massive spike in September. The US saw 145.2 million ransomware hits, a 139% rise from last year, the researchers said. The Ryuk ransomware strain made up a third of all ransomware attacks this year. 

At this same time last year, SonicWall said it only detected 5,123 Ryuk infections, compared to 67.3 million infections this year. 

"The increase of remote and mobile workforces appears to have increased its prevalence, resulting not only in financial losses, but also impacting health care services with attacks on hospitals," SonicWall's vice president of platform architecture, Dmitriy Ayrapetov, said in a statement.

The Ryuk ransomware was behind the attack on Universal Health Services, which has 400 hospitals in the US and the UK, and it's also targeted several cities. The attacks come at a time when hospitals are expecting to care for more coronavirus patients. On Oct. 24, the US set a single-day record with more than 83,000 new coronavirus infections.

The attacks could force US hospitals to divert patients who need critical care and could increase wait times, said Charles Carmakal, chief technology officer of FireEye's Mandiant unit.

"We are experiencing the most significant cybersecurity threat we've ever seen in the United States," Carmakal said. "Multiple hospitals have already been significantly impacted by Ryuk ransomware, and their networks have been taken offline."

The FBI, CISA and HHS are encouraging health care providers to set up backup plans in case they're hit with a ransomware attack. Hospitals should back up critical information like patient records and store them offline and separated from their main network.

They should also patch their software as soon as possible, disable unused remote desktop access and regularly change passwords, along with using multifactor authentication for protection, the agencies said. 

If hospitals do suffer a ransomware attack, the agencies recommend against paying the ransom. The payments don't guarantee that a hospital will be back online, and they could also encourage cybercriminals to launch future attacks.

Correction, 4:45 p.m. PT: This story incorrectly described the ransom amount relative to what it cost Atlanta to recover from the ransomware attack.