Cybergang Behind U.S. Hospital Ransomware Is Readying ‘Another Wave of Attacks,’ FireEye Says

The number of hospitals hit this week is now in the double digits, and it appears more illegal cyber strikes are on the way, following a government warning on Tuesday that attacks were ‘imminent.’

The number of U.S. hospitals now caught in the grip of a sprawling ransomware attack has spiked to double digits, and some of them are beginning to pay the ransom in order to restore services, Charles Carmakal, SVP and CTO, FireEye Mandiant, told CRN.

“I see them staging infrastructure right now,” he said of the eastern European gang behind the raids. “I see them getting ready to launch another wave of attacks. I just don’t know who they’re going to target … They‘re going to keep doing what they’re doing, but they just may stop hitting healthcare organizations. It’s really going to take some significant change before they completely stop their operations. People are going to need to get arrested.”

[RELATED: Government Warns Of ‘Imminent Cybercrime Threat To U.S. Hospitals’]

The Milpitas, Calif.-based cybersecurity company was among the first this week to warn about the risk to hospitals posed by an eastern European gang dubbed UNC1878. FireEye has been tracking the group for years, and shared hundreds of indicators of compromise in a blog post to help IT departments identify if their systems are under attack.

The FBI, U.S. Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency also collaborated on a a 15-page joint warning to hospitals that included the indicators of compromise that those organizations are aware of.

“I’m hopeful that we don’t see more hospitals being hit, because there was a lot of attention put on this by the U.S. government, by Mandiant and others on Tuesday,” Carmakal told CRN. “Do we believe this threat actor is going to stop all together? Absolutely not … It‘s really going to take some significant change before they completely stop their operations. People are going to need to get arrested.”

Carmakal said in this case, some hospitals are choosing to pay. He said ransoms in situations like these usually begin at $1 million and depending on the size the hospital, could reach as high as $10 million.

“Sometimes they feel compelled to pay because they need to get their systems back online, and they need to get back to treating patients and caring for them,” he said. “They feel that there‘s no better option, but some of them just have a mindset that they won’t pay, regardless of how severe the situation is.”

When hospitals are faced with the choice of having to balance their patients’ lives against the instructions from the government not to pay ransomware actors, Carmakal said there is no easy answer to give them.

“Anybody that says, the answer is by default ‘No’ without thinking about it, hasn‘t ever lived through the situation,” Carmakal said. “I’ll tell you a lot of people tell me before they deal with a ransomware incident that their default position is ‘no.’ I can tell you, I’ve talked to the same people, and they’ve had a very different reaction after dealing with the ransomware incident.”

Since the warning was published, Carmakal said the cybersecurity community has rallied together to help hospitals fight back, with collaboration and information sharing

“There‘s definitely a number of companies that have access to good data that are willing to do things that maybe they hadn’t wanted to do before,” he said. “So there’s definitely a number of security companies and just intelligence organizations that are doing their part to help the community.”

Huntress Labs, the maker of threat detection software that searches for footholds which threat actors use to hide inside networks, has received multiple requests to help hospitals scan their systems for ransomware, said John Hammond, a senior security researcher with the company.

“We are seeing those requests, and it does seem dire,” he said.

Huntress also has experience with UNC1878, and can detect the Trick Bot malware and Ryuk ransomware that is part of the gang’s attack payload.

“I feel like this really cuts close to the bone, because there‘s a lot of sensitivity around our healthcare industry right now,” said John Hammond, senior cybersecurity researcher at Huntress. “If you’re targeting a hospital, those are real people’s lives at stake. If you’re redirecting someone to go get treated at a different hospital, that could be putting someone in maybe a potential life or death situation, and especially this large of a scale. I don’t think something that we can brush off.”