UHS Hospitals Mostly Recovered After Ransom Attack

Just over a month after suffering a ransomware attack, Universal Health Services (UHS) has managed to restore most of its affected systems. The attack took place on September 27th and forced UHS to shut down all of its systems in an attempt to prevent the ransomware from spreading further.

“While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods.”

All major applications and systems, including medical records, have been brought back online within hospitals and corporate environments. While the backup restoration is not yet completed, hospitals have returned or are now returning to normal operations. UHS has worked with internal IT teams and third-party forensic and security vendors to investigate the impact of the attack.

Official statements from UHS have not named the ransomware family involved in the incident, though employees told BleepingComputer that files were being renamed with the “.ryk” extension and that the ransom notes displayed resembled those known to belong to Ryuk.

Analyst Notes

In the past, Ryuk has most commonly been deployed by Trickbot, which is typically dropped by Emotet. According to Vitali Kremez, Advanced Intel was able to detect Emotet and Trickbot on UHS systems throughout 2020, including in September. More recently, Ryuk has been deployed after an initial BazarLoader/BazarBackdoor infection enables deployment of a Cobalt Strike Beacon, followed by privilege escalation and lateral movement to achieve domain control; the attackers then use IT automation tools to deploy Ryuk broadly throughout the enterprise network.

To protect against Emotet, Trickbot, Baza, and the infections that follow them, organizations should provide employees with security awareness training centered on phishing attacks and should use email threat screening. Catching malware that makes it past watchful employees requires endpoint security monitoring by a skilled team of security analysts who can recognize attacker behaviors and respond quickly to stop them. Binary Defense provides managed security services, including monitoring of EDR and SIEM systems 24 hours a day, 7 days a week. To prevent loss of data during a ransom attack, use the 3-2-1 rule as a guideline for backup practices: keep three copies of all critical data on at least two different types of media, with at least one copy stored offline.
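The “.ryk” extension reported by employees and the endpoint-monitoring advice above suggest one concrete detection: flagging a host on which many files gain that extension within a short window. The following is an added example, not code from Binary Defense or from the incident response; the file-rename events are constructed for illustration, and the field layout, window and threshold are assumptions a real deployment would tune to its own EDR telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".ryk"  # extension employees reported seeing on renamed files

# Constructed file-rename events for illustration: (host, ISO timestamp, old path, new path).
# None of this is data from the UHS incident.
SAMPLE_EVENTS = [
    ("ws-17", "2020-09-27T02:14:03", r"C:\share\q3.docx", r"C:\share\q3.docx.ryk"),
    ("ws-17", "2020-09-27T02:14:05", r"C:\share\q3.xlsx", r"C:\share\q3.xlsx.ryk"),
    ("ws-17", "2020-09-27T02:14:06", r"C:\share\notes.txt", r"C:\share\notes.txt.ryk"),
    ("ws-17", "2020-09-27T02:14:08", r"C:\share\img1.png", r"C:\share\img1.png.ryk"),
    ("ws-17", "2020-09-27T02:14:09", r"C:\share\img2.png", r"C:\share\img2.png.ryk"),
    ("ws-22", "2020-09-27T02:20:00", r"C:\users\a\draft.docx", r"C:\users\a\final.docx"),
    ("ws-22", "2020-09-27T02:20:30", r"C:\users\a\old.pdf", r"C:\users\a\old.pdf.ryk"),
    ("ws-22", "2020-09-27T02:45:00", r"C:\users\a\x.pdf", r"C:\users\a\x.pdf.ryk"),
]

def gained_ransom_ext(old_path, new_path, ext=RANSOM_EXT):
    """True when the rename adds the ransomware extension to a file that lacked it."""
    return new_path.lower().endswith(ext) and not old_path.lower().endswith(ext)

def detect_ryk_bursts(events, window_s=60, threshold=5):
    """Return {host: timestamp} for every host on which at least `threshold`
    files gained the .ryk extension inside any `window_s`-second sliding window.
    The timestamp is the event that first crossed the threshold."""
    window = timedelta(seconds=window_s)
    per_host = defaultdict(list)
    for host, ts, old, new in events:
        if gained_ransom_ext(old, new):
            per_host[host].append(datetime.fromisoformat(ts))
    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = t
                break
    return alerts

if __name__ == "__main__":
    for host, when in detect_ryk_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: mass rename to {RANSOM_EXT} detected at {when.isoformat()}")
```

With the sample data, ws-17 trips the five-in-sixty-seconds rule while ws-22’s two isolated renames do not; a single rename is normal activity, so the burst requirement is what keeps the rule from paging on every stray file.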