Universal Health Services IT Systems Across the United States Shutdown Due to Ransomware Attack

Universal Health Services (UHS) based in King of Prussia, PA has encountered a major security breach that led to the unavailability of its IT systems. The health system has over 400 healthcare facilities all over the US and the UK.

The Fortune 500 healthcare service provider has above 90,000 personnel and serves approximately 3.5 million patients annually. Based on a statement released on its webpage, the firm suffered an IT security incident on September 27, 2020 in the morning hours. After the discovery of the security breach, UHS blocked user access to its information technology apps relating to operations established in the US.

UHS has enforced information security and emergency procedures and is working tightly with its security partners to minimize the attack and reestablish its IT functions as soon as possible. The cyberattack shut down its IT systems so that affected hospitals can’t access their phone and computer systems. The attack did not impact UK establishments.

The attack made UHS to redirect ambulances to other healthcare organizations and patients requiring surgery were transferred to other local hospitals. The announcement on the UHS site states that though this incident may bring about temporary interruptions to a number of facets of clinical and financial processes, the acute care and behavioral health facilities are employing their planned back-up procedures such as offline documentation tactics. Patient care continues to be delivered carefully and appropriately.

UHS President Marc Miller released an announcement on Monday telling that UHS took its networks offline on Sunday to restrict a malware attack. Approximately 250 healthcare facilities in the U.S. use the systems including medical record systems and those employed by laboratories and pharmacies all over the country.

Marc Miller didn’t present any specifics regarding the nature of the malware, nevertheless, a few persons who state they are employed by UHS have given info concerning the attack that clearly implies it was ransomware. BleepingComputer was contacted by a UHS staff and said that prior to the systems shut down, there was a renaming of files using the .ryk extension, which was associated with the Ryuk ransomware.

A few other staff have claimed reading a ransom note on their computers having the text “Shadow of the Universe,” which is linked with Ryuk ransom notes.

Ryuk ransomware is usually utilized as a secondary payload by the TrickBot Trojan. The TrickBot is brought in by the Emotet Trojan. Emotet attacks normally are preceded by a phishing email. Vitali Kremez of Advanced Intel stated that their Andariel platform noticed various Emotet and TrickBot infections at UHS during 2020, with the most current identified in September.

The Ryuk ransomware operators are regarded to exfiltrate info before deploying the ransomware; nevertheless, UHS claims on its webpage that there seems to be no patient or employee data accessed, duplicated, or compromised in the attack.