The Uptick in Ransomware Attacks Against US Hospitals

Ransomware Attacks Against US Hospitals


Hackers are targeting US hospitals in a wave of Ryuk ransomware attacks.

Law enforcement agencies have warned of an increased and imminent cyber threat to US hospitals by hackers targeting 400 hospitals.

These cyberattacks have forced hospital staff to turn to manual recordkeeping while computer systems and networks are shutdown.

In addition, Internet-connected devices may be ino

perable, which means patients may need to be moved to other facilities.

Patients brought to the ER may need to be diverted to other hospitals during these shutdowns.

Law enforcement agencies advise the hospitals to refuse to pay the ransom to discourage incentivizing further attacks.

Understandably, hospital administrators are struggling with the ransom payment decision.

Cyber Threats to US Hospitals

Ransomware attacks have increased overall during the COVID-19 Pandemic due to the shift to remote work resulting in decreased cyber hygiene

More recently, in late October, we issued a Cyber Threat Alert to the healthcare industry about the warnings of an increased and imminent cyber threat to US hospitals, particularly from a group that uses the Ryuk ransomware variant.

In late October 2020, according to JD Supra, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) published Alert AA20-302A (Alert).

The Alert describes ransomware activity that has targeted the Healthcare and Public Health (HPH) sector. Hackers use a botnet known as TrickBot to insert Ryuk malware into a network to carry out ransomware attacks.

JD Supra highlighted Key Points:

Hackers have already attacked hospitals across four different states, and cybersecurity experts report that 400 American hospitals are on a list now shared amongst criminal organizations that utilize Ryuk ransomware.

Ransomware attacks on hospitals can have life and death consequences by delaying and denying essential medical services that require Internet-connections.

CISA Director Chris Krebs had three important messages for HPH stakeholders:

  1. All HPH personnel must assume the Ryuk ransomware is already inside your network.
  2. Executives must review and be ready to activate their business continuity plans.
  3. IT Departments should be patching, reviewing logs, and implementing multifactor authentication.

The Alert goes into depth on the technical details of the threat from the Ryuk ransomware and should be shared with hospital IT departments.

HPH stakeholders inside and outside of a hospital network need to recognize that attacks do not have to begin inside the hospital. Many ransomware attacks begin by breaching a trusted business partner, providing the gateway into the actual target's network.

The New York Times reported that officials and researchers did not name the hospitals affected in October. However, in California, Sonoma Valley Hospital reported that it was still trying to restore its computer systems after an intrusion. St. Lawrence Health System in New York confirmed that two of its hospitals, Canton-Potsdam and Gouverneur, were hit by ransomware attacks that caused them to shut down computer systems and divert ambulances. In Oregon, managers at Sky Lakes Medical Center instructed employees to shut down PCs after being crippled by a ransomware attack that froze electronic medical records and delayed surgeries.

Authorities have discovered a clear link to Russian hackers who held Universal Health Services hostage with ransomware in September 2020, impacting their extensive network of 400 hospitals – the most massive medical cyberattack to date.

According to Slate, a phishing email campaign used links to Google Drive documents that, once opened and enabled, would deliver Ryuk to the victims’ computers. While the Ryuk ransomware is not hosted in Google documents, the documents are used to direct viewers to download the malware from another source by tricking them into believing they are just “enabling” content in the Google Drive document. When victims click to enable that content they end up downloading the malware.

This campaign on American hospitals indicates that TrickBot developers were not deterred by recent attempts to stop them. Instead, they turned to other tools in their arsenal.

Many of us are shocked and dismayed by the relentless attacks on healthcare facilities during the Pandemic. Others believe that the bad actors will carry on with their lucrative business without any moral compass, hoping that some hospitals will pay the ransom.

Does paying the ransom end the ordeal?

Ryuk ransom demands are often in the hundreds of thousands of dollars.

While there are competing schools of thought on paying ransom demands, CISA and the FBI discourage victims from doing so. The ransom payments validate the economics of this criminal activity, which encourages more criminal activity.  Also, there is no guarantee that the victim will recover their data after paying a ransom.

Keep in mind that recently, cybercriminals copy the data before deleting or encrypting the victim's files, giving them leverage to demand additional payments under threat of publication of the copied, often sensitive data.

Two Unique Scenarios

Directly Extorting Patients in Finland

Politico reported that in late October 2020, hackers tried to blackmail tens of thousands of Finnish patients after gaining access to their medical records from therapy sessions, referred to as a "shocking" cyberattack by local political leaders.

In Finland, local media reported that the hackers carried out an email campaign to more than 40,000 patients who were victims of stolen data from the Vastaamo psychotherapy center. The cyber threat – to leak mental health records on to the Internet unless the patients paid a ransom in Bitcoin. Some of the patients are underaged (minors).

Mikko Hyppönen, chief research officer at Finnish cybersecurity company F-Secure, noted, "What we have here is someone who is completely devoid of sympathy for his fellow beings." He added: "Every single infosec professional in Finland is trying to find the attacker."

The center issued a press release indicating that the attackers obtained Vastaamo therapy center records dating back as early as November 2018 and likely extending through March 2019.

Prime Minister Sanna Marin tweeted that the hack was "shocking in many ways" and that the government is looking at ways to help victims.

The attackers started by leaking small amounts of patient data and sought to extort the center's management to pay a ransom. But over the weekend, the attackers changed their tactics, emailing tens of thousands of patients to pressure them to pay up as well.

The European Union Cybersecurity Agency ENISA in its annual Threat Landscape report last week flagged ransomware as one of the top 15 threats to European citizens in 2020. The European Cyber Crime Center singled out ransomware as a top threat in its annual report this month.

Patient Deaths

Death Linked to Cyberattack in Germany

In September 2020, according to the Associated Press, a woman in Germany died during a ransomware attack on the Duesseldorf University Hospital, in what may be the first death directly linked to a cyberattack on a hospital. Since the attack prevented the hospital from accepting emergency patients, they diverted a woman to a healthcare facility around 20 miles away, where she later died.

Reports indicate that the bad actors intended to attack a nearby university rather than the hospital. After authorities informed the hackers that they had shut down a hospital, they stopped the attack.

Wired reported that investigators are looking into several vulnerabilities.


Your healthcare organization requires a twofold approach: 1) Cyber defenses via cybersecurity protocols and 2) Stand-Alone Cyber Insurance.

Top Ten Cyber Defenses 
  1. Update All Systems and Available Patches 

As threats become more frequent and severe, regular system updates and patching are vital. Legacy systems that lack the latest security protocols are more vulnerable should be patched, if possible. 

  1. Establish a Cybersecurity Awareness Policy 

Develop a cybersecurity policy to ensure that your employees are aware of cyber threats. Prevent a single employee from becoming the gateway into your systems via a phishing email scam.

  1. Manage Login Credentials to Prevent Credential Stuffing

Cybercriminals are on the lookout for credential stuffing. LINK to Glossary When people reuse their login credentials on multiple systems and networks, those login credentials may be accessed by hackers looking for unauthorized access to new systems and networks. Passwords need to be unique, complex (a random combination of letters, numbers, and special characters), updated regularly, and stored offline, not on computers.

  1. Enforce Two-Factor Authentication (2FA) 

Security wins over inconvenience when it comes to your organization's data and financial assets. Implementing 2FA (aka dual controls) helps prevent fraudulent bank wires that may arise out of phishing or social engineering attempts. Dual controls can be accomplished by a phone call to the bank wire recipient, verifying the transaction with an executive, or implementing formalized procedures with a financial institution.

  1. Backup Databases

As a precaution, you should regularly backup essential data, such as customer lists and management systems, and critical data assets. If you can access your data from alternative hard drives or the cloud, you will be in a better position post-ransomware attack if your data is permanently locked or damages. Lengthy data recovery means increased costs, more prolonged business interruption, and a more significant impact on your reputation.

  1. Use Antivirus Software, Firewalls, and Ransomware Protection

Choose the best anti-virus software, ransomware protection software, and firewalls to prevent unauthorized access to your networks and computer systems.

  1. Prepare and Rehearse: Incident Response Plan (IRP)

You must plan (and pre-test) for a response during a cyber incident.

Most cyber insurance carriers offer first-party coverage for incident response costs and provide your organization with a suggested panel of incident response team members, including legal counsel, forensics experts, public relations, or crisis management experts. 

These out-of-pocket costs can be substantial if you do not have comprehensive Stand-Alone Cyber Insurance coverage. 

  1. Conduct Annual System Audits

Ensure your organization's management systems remain current, from your cybersecurity policies to essential data backups, to password management, to dual controls, and your IRP.

  1. Protect critical data and IP assets 

One solution involves data trust and the lateral movement of data. Limit access to critical data on a "need-to-know" basis rather than across the board. Like a security clearance, you should only give the keys to the castle to select employees.

Another solution involves information governance over access to certain types of information. Again, individual employees or teams may need data about a new product line that the rest of the organization does not need to access. However, a limited or restricted data access program does not solve potential social engineering risks.

  1. Cross-team function-sharing

Increased collaboration between risk management and fraud management teams improves prevention, detection, monitoring, and response to a cyberattack.

These cyber defenses must become your operating "next normal" if they are not in place already. Your accomplishments during COVID-19 will carry over in a positive way to your operations after the Pandemic.

Stand-Alone Cyber Insurance

Your healthcare organization stands a better chance of recovery by investing in a robust Stand-Alone Cyber Insurance policy that provides coverage to protect your business against cyber-related financial losses.

Some cyber insurance carriers provide unique cyber coverage for healthcare exposures, including your costs:

  • To comply with an OCR-mandated security assessment and program after a security failure or data breach.
  • To respond to a cyber extortion incident, including money or cryptocurrency (typically Bitcoin).
  • To recover from funds transfer fraud or invoice manipulation by an imposter.
  • To respond to a cyber incident with the help of an incident response team.
  • Cyber-related business interruption causes you or your supplier to shut down, incur lost profits, or incur extra expenses.
  • To restore digital assets, including programs, software, or data (e.g., patient health information (aka PHI)) due to damage, disruption, theft, or misuse of your data.
  • To replace computer systems or other technology damages in a cyberattack.
  • To train employees in proactive in loss prevention, such as phishing emails awareness training.

Your hospital's residual cyber risk includes your employees who may be tricked by a phishing email or text or manipulated via a phone call, that allows hackers into your network, jeopardizing your hospital's operations.


  • Phishing emails and imposter emails succeed when hackers and fraudsters trick employees. We now know that Google Drive can used as bait in these email phishing campaigns. From there, you may suffer a financial loss from a ransomware attack, funds transfer fraud, or invoice manipulation.
  • Employee phishing email training and cyber risk awareness training have immeasurable value. The solution -- some cyber insurance carriers offer support to their policyholders' efforts to increase employees' cyber threat awareness.
  • Your business stands a better chance of not only surviving but thriving after a cyberattack with a dedicated Stand-Alone Cyber Insurance policy suited to your risk tolerance level.

Reach out to Cyber Armada Insurance to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks and the importance of your investment in appropriate cyber insurance.

Contact Cyber Armada today to explore how your company can solve potential financial losses from a cyberattack. Contact us at 888.727.6232.


Please watch for our next article on Asking the right questions in the cyber insurance renewal season?

This article is made available for informational purposes and is not intended to be a substitute for professional or legal advice. No attorney client relationship is formed or implied between you and the authors(s) or Cyber Armada Insurance.

Topics: Ransomware Covid-19 Healthcare Europe Hospitals

Cyber Armada Team
Posted by Cyber Armada Team on Nov 4, 2020

Apply for Cyber Insurance Online

Answer a few questions online and Cyber Armada will design a cyber insurance policy tailored to your particular needs.

Apply Online
Apply for Cyber Insurance
Schedule an appointment with Cyber Armada

Can we talk?

We're ready to talk when you are. You can schedule an appointment to speak with a representative from Cyber Armada when it is most convenient for you. Whenever possible we use online meetings to increase productivity and increase the amount of time we can spend with you. We use Zoom Meetings as our preferred video conferencing platform.

Schedule Appointment