
Cyber Incident Victim: Universal Health Services

Date:

Sep 2020

Location:

United States of America

Summary

A ransomware attack targeting Universal Health Services disrupted operations across its healthcare facilities, forcing system shutdowns to contain the infection. The Ryuk ransomware, deployed after initial compromise via phishing emails delivering Emotet and TrickBot malware, encrypted files with the .ryk extension and displayed ransom notes. Facilities resorted to manual processes, redirecting ambulances and relocating surgical patients due to inaccessibility of critical systems like electronic health records and radiology platforms. Reports indicated four patient deaths potentially linked to delays in lab result delivery via couriers, though causation remains unconfirmed. While the organization stated no patient or employee data was accessed or compromised, the incident highlighted risks of operational paralysis and patient safety impacts during healthcare ransomware attacks. Recovery efforts involved third-party decryptor assistance due to known stability issues with Ryuk's decryption tool.


Description

On September 27, 2020, Universal Health Services (UHS) experienced a widespread cyberattack impacting its IT network across U.S. healthcare facilities. The incident began in the early hours of Sunday morning, with systems at hospitals in California, Florida, Texas, Arizona, and Washington D.C. becoming inaccessible. Employees reported antivirus programs being forcibly disabled, followed by abnormal hard drive activity and automatic system shutdowns upon attempted reboots. Critical clinical systems including electronic health records, radiology (PACS), laboratory results, and EKG data became unavailable. Facilities implemented emergency protocols: diverting ambulances, relocating surgical patients to unaffected hospitals, and transitioning to paper-based documentation. Forensic indicators pointed to Ryuk ransomware, with files renamed to include the .ryk extension and ransom notes referencing "Shadow of the Universe," consistent with Ryuk's known behavior. Initial infection vectors were traced to earlier Emotet and TrickBot malware infections detected throughout 2020, with recent activity in September 2020. These trojans typically spread via phishing emails and established backdoors for ransomware deployment.
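The indicators named above (files renamed to carry a .ryk extension, and ransom notes containing the phrase "Shadow of the Universe") are the kind of thing an on-call responder would want to sweep a file share for quickly. The following scanner is an added example for this page, not code from UHS, its partners or any source cited here; the 25% renamed-file threshold, the 64 KiB cap on files read for the note marker, and the constructed sample directory tree are all assumptions made for illustration.

```python
"""Sweep a directory tree for Ryuk-style mass-encryption indicators.

Added illustration, not part of the incident record. Indicators taken from
the description: ".ryk" suffixes and a ransom note mentioning
"Shadow of the Universe". Thresholds below are assumptions.
"""
import tempfile
from pathlib import Path

RANSOM_EXT = ".ryk"
RANSOM_NOTE_MARKER = "Shadow of the Universe"
ALERT_RATIO = 0.25          # assumed: fraction of renamed files that triggers an alert
MAX_NOTE_SIZE = 64 * 1024   # assumed: only small text files are read for the marker


def scan_tree(root):
    """Walk `root` and return counts of renamed files and ransom notes plus an alert flag."""
    root = Path(root)
    total = 0
    renamed = 0
    notes = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        # Encrypted files are renamed with the .ryk suffix; no need to read them.
        if path.suffix.lower() == RANSOM_EXT:
            renamed += 1
            continue
        # Ransom notes are small text files; read only those to keep the sweep cheap.
        try:
            if path.stat().st_size <= MAX_NOTE_SIZE and RANSOM_NOTE_MARKER in path.read_text(errors="ignore"):
                notes += 1
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
    ratio = renamed / total if total else 0.0
    return {
        "total": total,
        "renamed": renamed,
        "ratio": ratio,
        "notes": notes,
        # A single ransom note is decisive; otherwise alert on mass renaming.
        "alert": notes > 0 or ratio >= ALERT_RATIO,
    }


def build_sample_tree(base):
    """Constructed sample data: one untouched share and one hit by encryption."""
    clean = Path(base) / "clean"
    hit = Path(base) / "hit"
    clean.mkdir(parents=True)
    hit.mkdir(parents=True)
    for i in range(5):
        (clean / f"report{i}.docx").write_text("placeholder document")
    for i in range(4):
        (hit / f"scan{i}.dcm.ryk").write_bytes(b"\x00" * 32)   # constructed encrypted files
    (hit / "labs.xlsx").write_text("placeholder spreadsheet")
    (hit / "README.txt").write_text("constructed note: Shadow of the Universe")
    return clean, hit


def demo():
    """Build the constructed tree in a temp dir and scan both shares."""
    with tempfile.TemporaryDirectory() as base:
        clean, hit = build_sample_tree(base)
        return scan_tree(clean), scan_tree(hit)


if __name__ == "__main__":
    clean_result, hit_result = demo()
    print("clean share:", clean_result)
    print("hit share:  ", hit_result)
```

Run against a real share, the `ratio` field separates a single stray .ryk file from the wholesale renaming seen during an active encryption run, while the `notes` count catches the case where encryption has barely started but a note has already been dropped.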


UHS containment measures included forcibly powering down all network-connected devices to limit ransomware propagation. The organization activated backup procedures using offline documentation methods while working with cybersecurity partners to restore systems. On September 28, UHS publicly confirmed the security incident but stated that no evidence suggested unauthorized access to, or exfiltration of, patient or employee data. Operational disruptions created secondary clinical impacts: four fatalities, unconfirmed, were reported as linked to delays in obtaining lab results that had to be transported manually between facilities. Ryuk's known attack pattern suggested the attackers conducted network reconnaissance using tools like PowerShell Empire and PsExec after obtaining administrative credentials, prior to ransomware deployment. Emsisoft publicly offered free decryption services to healthcare providers during the pandemic, though whether UHS used these services remained unconfirmed. Restoration efforts continued, with facilities maintaining emergency care capabilities through manual processes during system recovery.
