The FBI believes either Wizard Spider or UNC1878 is behind recent hospital cyberattacks.
The Federal Bureau of Investigation (FBI) has announced it is investigating claims that Eastern European criminals are targeting dozens of U.S. hospitals with ransomware, with recent cases reported in Oregon, California and New York. Insiders believe the group behind the attacks is either Wizard Spider or UNC1878. Government officials are now urging hospitals to make sure their backup systems are in order, disconnect systems from the internet if possible, and avoid using personal email accounts while in the facilities.
A doctor at one hospital indicated they were using only paper after an attack and had been unable to transfer patients due to the hospital’s location. “We can still watch vitals and get imaging done, but all results are being communicated via paper only,” the doctor said.
“This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country,” said Allan Liska, a threat intelligence analyst with Recorded Future. “While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor.”
It seems attacks are at an all-time high. “Ransomware attacks have jumped 50% over the past three months,” security firm Check Point announced, “with the proportion of polled healthcare organizations impacted jumping to 4% in the third quarter from 2.3% in the previous quarter.”
If UNC1878 is behind the hospital attack, it won’t be the first time this group has attempted to sabotage U.S.-based companies. “UNC1878 is one of the most brazen, heartless, and disruptive threat actors I’ve observed over my career,” said Charles Carmakal, senior vice president of Mandiant. “Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been taken offline.”
Stefan Tanase, a cybercrime analyst, added, “What we are seeing here is confirmation that the reports of the Trickbot takedown were greatly exaggerated.”
In mid-October, the FBI also issued the following announcement regarding cybercrime: “On October 15, 2020, a federal grand jury sitting in the Western District of Pennsylvania returned an indictment against six Russian military intelligence officers for their alleged roles in targeting and compromising computer systems worldwide, including those relating to critical infrastructure in Ukraine, a political campaign in France, and the country of Georgia; international victims of the ‘NotPetya’ malware attacks (including critical infrastructure providers); and international victims associated with the 2018 Winter Olympic Games and investigations of nerve agent attacks that have been publicly attributed to the Russian government. The indictment charges the defendants, Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, with a computer hacking conspiracy intended to deploy destructive malware and take other disruptive actions, for the strategic benefit of Russia, through unauthorized access to victims’ computers. The indictment also charges these defendants with false registration of a domain name, conspiracy to commit wire fraud, wire fraud, intentional damage to protected computers, aggravated identity theft, and aiding and abetting those crimes. The United States District Court for the Western District of Pennsylvania issued a federal arrest warrant for each of these defendants upon the grand jury’s return of the indictment.”