The Woodlands, Texas — As America struggles with sky-high COVID-19 infection and death rates, at least ten U.S. hospitals could soon be on the receiving end of a cyber attack by a Russia-based ransomware group.
The group, which goes by the name UNC1878 or Wizard Spider, has already attacked nine hospitals in three weeks, reports Insurance Journal. So far, hospitals in New Jersey, Georgia, Florida, Massachusetts, Texas and Arkansas have been the victims.
The attacks are adding to the burden on healthcare workers who are already stretched by the current spike in coronavirus infections and fatalities. Clinicians at one of the hospitals hit by a ransomware attack are struggling to track patient medications and other information on paper, reports Insurance Journal.
According to cyber-security firm Prevailion Inc., UNC1878 is now laying the groundwork for more attacks. The firm has been investigating the group since late October:
“While our investigation is still underway, we have so far identified hundreds of organizations worldwide that show compromise activity by this threat actor, and which may be in the early- to mid-stages of a Ryuk ransomware attack. As of November 3rd, there are approximately 1,400 organizations that show beacon activity to the UNC1878 C2 domains, with a total of 340 organizations that are showing a substantial amount of this beaconing, indicating a proliferating infection and likely stage advancement. This threat actor poses a considerable risk to any organization that is impacted, but it is especially worrisome for the healthcare industry.”
Prevailion’s warning comes a week after U.S. federal authorities warned healthcare facilities of an “Increased and Imminent” ransomware threat.
The joint warning from the U.S. Cybersecurity and Infrastructure Agency, FBI and Department of Health and Human Services said malicious cyber actors are targeting the healthcare sector with Trickbot malware, leading to ransomware attacks, data theft and the disruption of critical healthcare services.
However, according to Prevailion, these cybercriminals are now switching from Trickbot to the malware KEGTAP/BEERBOT and SINGLEMALT/STILLBOT (also known as BazarLoader and BazarBackdoor).
Additionally, Russian hackers are stepping up their attacks against the overall U.S. server infrastructure during today’s elections, according to NordVPN. Researchers commissioned by the firm have observed a 98% increase overnight in brute-force attacks against U.S. servers, reports TechRadar.