Universal Health Services (UHS) hospitals were allegedly hit by a Ryuk ransomware attack, according to some sources.
UHS, a Fortune 500 hospital and healthcare services provider, has reportedly shut down its systems in US healthcare facilities after a security incident early Sunday morning.
UHS operates over 400 healthcare facilities in the US and the UK. The company also has more than 90,000 employees and reported more than $11 billion in revenue in 2019.
The company provided a brief statement on the incident Monday, September 28:
The IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue.
We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.
No patient or employee data appears to have been accessed, copied or misused.
UHS statement
Ransomware attack
According to Bleeping Computer, some anonymous UHS employees posted information on social media about the alleged security incident on Sunday.
“When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity,” a poster using the name compdog explained in a Reddit post.
Another person said that “all UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center.”
Others also reported files being renamed with the ‘.ryk’ extension, which would suggest the use of Ryuk ransomware.
Although UHS has not confirmed any of the details highlighted in the social media posts, the incident shows the signs of a carefully planned ransomware attack.
Many ransomware attacks originate from phishing attacks, where attackers gain a foothold on the network via a compromised system.
Earlier this month, Equinix, a leader in global colocation data centers, disclosed it experienced a ransomware incident that affected internal systems.
This incident also comes after multiple other high profile ransomware attacks this year, such as those at Carnival, Canon and Garmin, to name just a few.
Researchers at FireEye have also discovered links between the FIN6 cyber criminal group and the LockerGoga and Ryuk ransomware used in attacks last year.
FIN6 had previously been linked to payment card data theft before the group expanded its arsenal to include ransomware.