Mandiant’s Carmakal identified the criminal
gang as UNC1878, saying “it is deliberately
targeting and disrupting U.S. hospitals, forcing
them to divert patients to other healthcare
providers” and producing prolonged delays in
critical care.
He called the eastern European group “one of
the most brazen, heartless, and disruptive threat
actors I’ve observed over my career.”
While no one has proven suspected ties
between the Russian government and gangs
that use the Trickbot platform, Holden said he
has “no doubt that the Russian government is
aware of this operation — of terrorism, really.”
He said dozens of different criminal groups use
Ryuk, paying its architects a cut.
Dmitri Alperovitch, co-founder and former
chief technical officer of the cybersecurity firm
Crowdstrike, said there are “certainly a lot of
connections between Russian cyber criminals
and the state,” with Kremlin-employed hackers
sometimes moonlighting as cyber criminals.
Neither Holden nor Carmakal would identify the
affected hospitals. Four healthcare institutions
have been reported hit by ransomware so far
this week, three belonging to the St. Lawrence
County Health System in upstate New York
and the Sky Lakes Medical Center in Klamath
Falls, Oregon.
Sky Lakes acknowledged the ransomware
attack in an online statement, saying it had
no evidence that patient information was
compromised. It said emergency and urgent
care “remain available.” The St. Lawrence
system did not immediately return phone calls
seeking comment.