A tidal wave of ransomware attacks is inundating the U.S., exploiting a lack of cyber resilience at many of the country’s bedrock institutions.

Key Points:

  • A ransomware strike has crippled UHS, an $11.4 billion Pennsylvania-based health system.
  • Other healthcare institutions, schools and even the U.S. electoral system are being targeted by ransomware.
  • Such highly IT-dependent organizations clearly need to ratchet up their cyber resilience with top-notch preventive security controls combined with comprehensive backup and recovery plans.

A tsunami of ransomware attacks is swamping the U.S., threatening many of the country’s bedrock institutions.

The most recent strike was against Universal Health Systems (UHS), an $11.4 billion Pennsylvania-based health system that operates around 400 healthcare facilities throughout the U.S. and overseas. The hospital network confirmed to the Associated Press that all 250 of its U.S. facilities were infiltrated.[1]

Media reports based on UHS employee interviews indicate that the Ryuk ransomware was used to encrypt the hospital network’s systems. This type of ransomware is often used to penetrate large enterprises and government agencies. An attack typically begins with a phishing email that aims to trick employees into downloading malware that installs keyloggers to steal employee credentials. These are then used to steal sensitive information and install the ransomware.[2]

A week earlier, University Hospital in Newark, New Jersey was reportedly also victimized by another type of ransomware known as SunCrypt. In this instance, the 500-bed, state-owned teaching hospital suffered a massive breach of 48,000 documents, including patient records that contained personally identifiable information such as Social Security numbers.

Research Shows Email Phishing Attacks Hit 90% of Healthcare Organizations

“Despite data showing that the healthcare industry has a strong, dedicated cybersecurity approach in place, it continues to be a main point of attack for cybercriminals,” notes Matthew Gardiner, a cybersecurity strategist at Mimecast. He says a recent Mimecast study found that 90% of healthcare organizations were hit by email borne attacks during the past year, and that nearly three out of four experienced disruptions and downtime as a result.

Ransomware Attacks Also Target Schools and Election Systems

This latest wave of ransomware is engulfing public institutions as well. For instance, The Wall Street Journal reports that in late August, after officials refused a ransomware demand, a hacker published documents containing Social Security numbers, student grades and other private information stolen from the Clark County School District in Las Vegas.[3] The release of sensitive information affected about 320,000 students – and was merely the latest in a steady stream of ransomware attacks on public school districts that have escalated since the start of the COVID-19 pandemic.

Perhaps more ominously, The New York Times reports that within days of the UHS attack, Tyler Technologies, a Texas company that sells software used by cities and states to display election results, was also hit by ransomware.[4] This was the latest of nearly a thousand such attacks over the past year against small towns, big cities and the contractors who run their voting systems. While the company does not actually tally votes, its software is used by election officials to aggregate and report them in at least 20 places around the country.

Attacks like the one on Tyler have been an abiding fear of cybersecurity experts at the U.S. Department of Homeland Security, who worry that cybercriminals will use ransomware to lock up the voter registration databases maintained by states.[5] This has led the FBI to warn that the days following the November election could result in “disinformation that includes reports of voter suppression, cyberattacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy.”[6]

The pandemic’s onset has intensified the crisis. Taking advantage of the general confusion and rise in online activity that have accompanied the contagion, cybercriminals have stepped up their onslaught. The FBI reports that the number of reported cyberattacks has risen to 4,000 a day — a 400% increase from the pre-COVID level. Ransomware attacks have increased even more — 800% during the course of the contagion.[7]

‘Pretty Good’ Security Not Good Enough

 “One thing that has become clear,” says Mimecast’s Gardiner, “is that ‘pretty good’ security, resilience and business continuity practices are not sufficient. It is absolutely critical that all highly IT-dependent organizations have top-notch preventive security controls, combined with backup and recovery systems and business continuity capabilities that are ready to go at a moment’s notice.”

Having to take down a critical system or move to a pen-and-paper-based operation in the wake of an attack, he adds, are signs that the targeted organization fell short in terms of implementing cybersecurity best practices.

“They should have a comprehensive backup and recovery plan in place to ensure that their data is protected and recoverable should a system go down,” Gardiner explains. “They should provide consistent cybersecurity awareness training so that their employees are alert to and prepared to thwart a potential attack.”

The FBI has published a list of best practices to help organizations improve cyber resilience and head off a ransomware attack.[8] These include:

  • Regularly scrubbing and storing data offline
  • Minimizing data access wherever possible
  • Training employees to be security ‘aware’
  • Patching all vulnerabilities as they are discovered
  • Whitelisting applications

The Bottom Line

To contend with the surge of ransomware now inundating the U.S., institutions including hospitals, schools and government agencies must be better prepared. These organizations need to improve their cyber resilience with best-of-breed security controls, comprehensive backup systems and consistent cyber awareness training to help employees recognize and thwart an attack.

 

[1]Hacked hospital chain says all 250 US facilities affected,” Associated Press

[2]Ryuk Ransomware—Malware of the Month, January 2020,” Security Boulevard

[3]Hacker Releases Information on Las Vegas-Area Students after Officials Don’t Pay Ransom,The Wall Street Journal

[4]Ransomware Attacks Take on New Urgency Ahead of Vote,The New York Times

[5]The Cybersecurity 202: Ransomware attack against the 2020 election could disrupt statewide voting databases,” The Washington Post

[6]Foreign Actors Likely to Use Online Journals to Spread Disinformation Regarding 2020 Elections,” FBI & CISA

[7]Top Cyber Security Experts Report: 4,000 Cyber Attacks a Day Since COVID-19 Pandemic,” PR Newswire

[8]High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations,” FBI

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

Ransomware Death Paints an Ugly Future for Cyber Crossfire Liability

Civilian lives are at risk as critical n…

Civilian lives are at risk as critical national infrastructu… Read More >

Richard Botley

by Richard Botley

Senior Security Writer

Posted Sep 24, 2020

More than Meddling: Phishing Email Scams Exploit Political Brands

Businesses now face growing risk from ph…

Businesses now face growing risk from phishing email attacks… Read More >

Mike Azzara

by Mike Azzara

Contributing Writer

Posted Sep 23, 2020

Managing Security with a Lean Team

Post-Covid security teams are lean, and …

Post-Covid security teams are lean, and getting leaner. To m… Read More >

Bill Camarda

by Bill Camarda

Contributing Writer

Posted Sep 10, 2020