On Sunday night, September 27th, reports of a possible ransomware attack began to appear on Reddit from people who work for Universal Health Service (UHS), a company operating over 400 healthcare facilities in the US and the UK. Some of the employees reported that files were being renamed with the file extension “.ryk”, which has been associated with the Ryuk ransomware in the past. Another report described the ransom demand in a file named “RyukReadMe.html” that contained email addresses on the protonmail.com service for communicating with the attackers. Affected hospitals are spread across the US, including California, Florida, Texas, Arizona and Washington, D.C., where hospital employees report that phones and the critical computer systems providing patient information, including old labs, EKGs and radiology studies, are down. According to some reports, employees were told to shut down all systems to stop the attackers from gaining control of more computers. UHS has made no official statement yet regarding the attack.
Many ransomware attacks begin with a phishing email or with remote access to a single workstation exposed to the Internet; the attackers then expand their control by stealing administrator credentials and moving laterally to other workstations or servers. A major concern recently has been the critical vulnerability known as ZeroLogon, or CVE-2020-1472, which was partially fixed by the August 2020 patch from Microsoft. If the August patch has not been applied to the Domain Controllers in a Windows network, this vulnerability gives attackers a fast and simple way to completely take over the domain from any one computer they have access to. While an attack that shuts down operations at one or two facilities is bad, this type of attack, affecting hospitals across the country all at once, is exactly what could happen if an attacker recklessly exploits such a vulnerability. Whether or not the UHS systems were affected by this, it is wise for all companies to verify that the August patches from Microsoft have been fully rolled out to all Domain Controllers.
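One way to carry out that verification across a domain, as an added example that is not part of the original post: the script below enumerates every Domain Controller, reports the newest update each has installed relative to the August 2020 Patch Tuesday, and counts the Netlogon events (IDs 5827–5831) that only a patched Netlogon service writes. It assumes the ActiveDirectory RSAT module, PowerShell Remoting to each DC, and an account allowed to read hotfix and System log data there; the install-date comparison is a heuristic, and the presence of those event IDs is the stronger confirmation.

```powershell
# Added example (not from the original post): check Domain Controllers for the
# August 2020 Netlogon hardening update. Assumes RSAT's ActiveDirectory module,
# PowerShell Remoting to each DC, and read access to hotfixes and the System log.
Import-Module ActiveDirectory

# The August 2020 security update shipped on Patch Tuesday, 11 Aug 2020.
$cutoff = Get-Date -Year 2020 -Month 8 -Day 11

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $cutoff -ScriptBlock {
            param($cutoff)
            # Newest update with a recorded install date on this DC (heuristic only:
            # a later cumulative update includes the August fix, but Get-HotFix also
            # lists servicing-stack and other updates).
            $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
                      Sort-Object InstalledOn -Descending | Select-Object -First 1
            # Netlogon writes IDs 5827-5831 only once the patch is installed; 5829 marks
            # connections still using vulnerable secure channels that the DC allowed.
            $events = Get-WinEvent -FilterHashtable @{
                LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831
            } -MaxEvents 500 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                DC              = $env:COMPUTERNAME
                LatestHotFix    = $latest.HotFixID
                InstalledOn     = $latest.InstalledOn
                PatchedSinceAug = ($latest.InstalledOn -ge $cutoff)
                NetlogonEvents  = @($events).Count
                Allowed5829     = @($events | Where-Object Id -eq 5829).Count
            }
        }
    } catch {
        # Unreachable DCs are reported rather than silently skipped.
        [pscustomobject]@{ DC = $dc; LatestHotFix = 'UNREACHABLE'; InstalledOn = $null
                           PatchedSinceAug = $false; NetlogonEvents = 0; Allowed5829 = 0 }
    }
}

$report | Sort-Object PatchedSinceAug, DC | Format-Table -AutoSize
```

A DC showing PatchedSinceAug = False and zero Netlogon events needs the August 2020 (or a later cumulative) update before anything else; a nonzero Allowed5829 count identifies DCs where legacy devices are still using vulnerable Netlogon channels and need follow-up.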