Cyber Incident Victim: T-System

Date: Dec 2019

Location: United States of America

Summary

A U.S.-based provider of emergency care solutions suffered a Ryuk ransomware attack impacting critical systems including public-facing segments such as DMZ, extranet, and helpdesk. The incident forced the company to take systems offline during recovery efforts, disrupting services for numerous healthcare facilities relying on its platforms. Files were encrypted with the .RYK extension, accompanied by a ransom note containing contact instructions and a distinctive phrase indicative of recent Ryuk variants. The organization, which supports a significant portion of the nation's hospitals, faced operational challenges but did not publicly disclose details of the attack or potential data compromise.

Description

In late November 2019, T-System, a Dallas-based provider of emergency care facility solutions serving over 1,900 U.S. healthcare facilities and 40% of the nation's hospitals, suffered a Ryuk ransomware attack. Security researcher Germán Fernández identified the incident through open-source intelligence (OSINT) while monitoring Ryuk indicators, observing widespread system outages across T-System's platforms. The ransomware encrypted files with the .RYK extension and dropped an HTML ransom note containing the email address "[email protected]" for payment negotiations, alongside the phrase "balance of shadow universe"—a marker of a Ryuk variant first documented in June 2019. Fernández confirmed the malware had compromised public-facing infrastructure segments including the DMZ, extranet, and helpdesk systems. T-System did not publicly disclose the attack but was actively engaged in recovery efforts, with all company systems remaining offline during the investigation period. The incident disrupted critical services for healthcare providers reliant on T-System's platforms, though specific operational impacts were not quantified in public statements.

The T-System attack occurred amid a surge of Ryuk activity targeting multiple organizations globally during November 2019. Earlier that month, Lincoln School District experienced Ryuk encryption, followed by attacks on Spanish construction materials firm TECNOL on November 1 and Spanish building solutions provider Imperdeco on an unspecified date that month. Fernández's OSINT research additionally revealed a September 2019 Ryuk incident at ASD Audit, a financial auditing software firm, where attackers used the emails "[email protected]" and "[email protected]." On November 27, Spanish security firm Prosegur preemptively shut down systems to contain Ryuk's spread but faced sustained operational disruptions, leaving customers unable to arm alarms or access monitoring services for at least four days. This outage raised concerns about increased burglary risks, with Prosegur confirming one robbery occurred the day after the attack. Recovery timelines varied across victims, with Prosegur still addressing system issues six days post-incident while T-System's restoration progress remained unconfirmed.
