29 September 2020

Healthcare provider UHS hit by a ransomware attack


Universal Health Services (UHS), one of the largest healthcare providers in the U.S., with 400 hospitals and healthcare facilities in the U.S. and the U.K., has reportedly been hit by a ransomware attack.

The attack, which took place last Sunday, forced IT staff to shut down computer systems to prevent the threat from propagating to all devices. Due to the incident, UHS employees in facilities in California, Florida, Texas, Arizona, and Washington, D.C., have been left without access to computers and phone systems. As a result, the impacted hospitals had to redirect ambulances and patients in need of surgery to nearby hospitals.

In a short statement, UHS has confirmed the cyber attack but has not released any details regarding the incident. According to multiple reports from UHS employees, systems at some of the UHS hospitals rebooted and displayed a ransom note.

“I have worked at a UHS facility in the SE US for over 7yrs and on Sunday morning at approx 2AM systems in our ED just began shutting down. I was sitting at my computer charting when all of this started. It was surreal and definitely seemed to propagate over the network. All machines in my department are Dell Win10 boxes. When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity. After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they automatically just shutdown,” according to one of the reports. “It was an epic cluster working "old school" last night with everything on paper downtime forms. It is true about sending patients away (called EMS diversion) but our lab is functional along with landlines. We have no access to anything computer based including old labs, ekg's, or radiology studies. We have no access to our PACS radiology system.”

Another report said that when the attack started “multiple antivirus programs were disabled by the attack and hard drives just lit up with activity.”

Some reports posted online revealed that the ransomware added the “.ryk” extension to the filenames of encrypted documents, which suggests the involvement of the Ryuk ransomware. Ryuk is a ransomware strain believed to be linked to a Russian cybercrime group, known as Wizard Spider. The Ryuk operators have been quiet for months, but have recently returned to their normal activity.
