Charles Carmakal from cybersecurity firm Mandiant identified the group behind the threats as Russian-speaking criminal gang UNC1878. He called the group “one of most brazen, heartless, and disruptive threat actors” he’s ever seen and said it’s been deliberately targeting hospitals in the middle of a global pandemic. Coronavirus cases and deaths have been on the rise in the US, reaching record numbers these past few days.
According to the authorities’ advisory, the attackers are using the Trickbot malware to deliver Ryuk ransomware to victims’ networks. Ryuk first appeared in 2018 and has become one of the most notorious ransomware strains since then — just last month, it was used in the attack against Universal Health Services, forcing facilities to redirect patients to other hospitals. Some providers like the Sonoma Valley Hospital in California and the St. Lawrence Health System in New York were hit by ransomware attacks this past week, but it’s unclear if they’re part of this particular campaign. Holden says the cybercriminals demanded $5 to $10 million in payment, or double the amount they used to ask just a few months ago.
In their advisory, the authorities advise against paying ransom as it may “embolden adversaries to target additional organizations” and “encourage other criminal actors to engage in the distribution of ransomware.” They’re encouraging healthcare providers to patch their systems as a precautionary measure or to contact the FBI and other authorities if their networks have already been infected.