The Universal Health Services (UHS) has reported a ransomware attack, which affected all its IT systems and closure of few hospitals for a while. The threat actor behind this was reported to be Ryuk gang since few reported the change of files’ extensions to .ryk. UHS said there’s no employee or patient data affected by the incident, and trying to bring systems back online.

UHS Hit by Ryuk Ransomware!

Universal Health Services (UHS) is a Fortune 500 public company, offering healthcare services via its 400 facilities in the UK and US. It’s having more than 90,000 employees serving about 3.5 million patients each year. The hospital was reportedly hit by a ransomware attack on Sunday morning.

As reported by BleepingComputer, several sources reported that UHS employees in facilities of Washington D.C, California, Florida, Arizona and Texas were barred from accessing the phone and computer systems. Thus, it started redirecting the patients and ambulances to other nearby hospitals.

Employees reported that “We have no access to anything computer-based including old labs, ekg’s, or radiology studies. We have no access to our PACS radiology system.” A similar incident earlier happened against a German hospital led to the death of the patient.

Ryuk Gang as the Culprit

Though UHS came up with an official statement confirming a cyberattack, it didn’t specially mention the culprit behind it. But, few employees spoke to BleepingComputer revealed that they have seen the files were being modified to add .ryk as the extensions during the attack.

Also, they reported having seen a phrase, “Shadow of the Universe” in a ransom-like note. This phrase is often being set by Ryuk ransomware group at the end of their ransom notes. Thus, these hints reveal that Ryuk gang to be behind this attack. As per a tip by Vitali Kremez from Advanced Intel to BleepingComputer, the Ryuk gang has possibly started this with a phishing attack.

He said that their Andariel intelligence has detected both the Emotet and TrickBot Trojans targeting UHS throughout 2020. Thus, a phishing email carrying the Emotet trojan is likely the spearhead of this attack, which would have later installed the TrickBot backdoor to invite Ryuk operators ultimately.

Ryuk gang then have spread across the network and gained admin credentials to deploy their payloads on breached systems using PSExec or PowerShell commands. There were four deaths reported after UHS being hit by this attack but was yet to be verified the link between these two incidents.


Please enter your comment!
Please enter your name here