The international healthcare provider Universal Health Services (UHS) was recently forced to shut down its systems at its US healthcare operations following a network attack.

A Fortune 500 company, UHS currently operates more than 400 dedicated healthcare sites across the UK and the US. With more than 90,000 people on its payroll, it provides care to around 3.5 million individuals each year. With annual revenues reaching $11.4bn (£8.8bn) last year, it was ranked as the 330th largest public company in the US by Forbes.

Mass disruption caused by ransomware

Following the attack, reports from UHS staff indicated that US-based UHS hospitals in multiple states and Washington D.C., including Florida, California, Arizona and Texas, were left unable to access either phone systems or computers. The affected hospitals were forced to relocate patients requiring surgical treatment and, where possible, to redirect ambulances to other nearby hospitals. One employee report read:

“When the attack happened, multiple antivirus programs were disabled by the attack and hard drives just lit up with activity. After one minute or so of this, the computers logged out and shut down. When you try to power back on the computers, they automatically just shut down.”

UHS staff were also instructed to shut down systems in order to stop the attackers reaching further devices connected to the network.

Ryuk ransomware responsible

An official statement, made by UHS on September 28, confirmed that it had been the victim of what it described as a “security incident.” The notification explained:

“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”

It added that during the attack, no employee or patient data appeared to have been copied, accessed or compromised in any way.

The incident bears the hallmarks of a ransomware attack: it was launched at night, when detection is less likely, and systems were encrypted and employees locked out.

A staff member later reported that during the attack on the healthcare provider, data files were being remotely renamed, with a file extension associated with Ryuk ransomware appended to each.

Another staff member commented that an impacted device’s monitor displayed a ransom note containing the phrase “Shadow of the Universe”, a phrase that appears in the ransom notes Ryuk leaves behind for its targets.

The ransomware appears to have been delivered via phishing, with cybersecurity experts stating that Trojans such as TrickBot and Emotet had been detected on UHS systems this year. Emotet typically gains its initial foothold when employees open malicious email attachments, inadvertently installing the malware on company devices. Emotet then installs TrickBot, which harvests credentials and uses them to open the company network to ransomware operators. With that access, the Ryuk operators deploy their ransomware across the systems, encrypting the corporation’s data and taking control of it.