A Ransomware Attack Has Struck a Major US Hospital Chain

“All computers are completely shut down,” one Universal Health Services employee told WIRED.
Universal Health Services has 400 facilities across the US, Puerto Rico, and the UK. Its IT network has been down since Sunday. Photograph: Getty Images

Universal Health Services, a hospital and health care network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, suffered a ransomware attack early Sunday morning that has taken down its digital networks at locations around the US. As the situation has spiraled, some patients have reportedly been rerouted to other emergency rooms and facilities and had appointments and test results delayed as a result of the attack.

An emergency room technician at one UHS-owned facility tells WIRED that their hospital has moved to all-paper systems as a result of the attack. Bleeping Computer, which first reported the news, spoke to UHS employees who said the ransomware has the hallmarks of Ryuk, which first appeared in 2018 and is widely linked to Russian cybercriminals. Ryuk is typically used in so-called "big-game hunting" attacks in which hackers attempt to extort large ransoms from corporate victims. UHS says it has 90,000 employees and treats about 3.5 million patients each year, making it one of the US' largest hospital and health care networks.

"We are using paper for everything. All computers are completely shut down," the UHS employee told WIRED. "Paper is workable, there is just a lot more documentation to be done so things don’t get lost—orders, meds, etc. Patient care is about the same still in the ER, since we are where the patient enters the hospital and the visit gets started. There is concern for patients who were already on the floors when this happened, but everyone is stepping up their game big time."

"Our facilities are using their established back-up processes, including offline documentation methods," UHS said in a statement. The company did not return a request for further comment from WIRED and would not confirm that it is a ransomware attack. The company's statement did confirm that the "IT network across Universal Health Services facilities is currently offline, due to an IT security issue," and that patient and employee data appear not to have been compromised in the attack.

Ransomware attacks on large organizations have been prevalent since the mid-2010s, but the pace of assaults seems to have increased in recent months. Hospitals, in particular, have long been a favorite target, because patient safety hangs in the balance when a hospital's network goes down. In addition to UHS, the Ashtabula County Medical Center in Ohio and Nebraska Medicine have both suffered ransomware attacks in recent days that caused system outages and threatened patient services.

And earlier this month, a patient with a life-threatening condition died in Düsseldorf, Germany, after a ransomware attack at a nearby hospital forced her to be taken to a more distant facility. The episode may have been the first example of a patient who died because of the fallout from a ransomware attack.

"These incidents are hugely concerning; they could have fatal consequences," says Brett Callow, a threat analyst at the antivirus company Emsisoft. "I would say things are as bad as they’ve ever been—worse, in fact."

Ryuk ransomware was attributed to North Korean actors when it first emerged, but many researchers now link it instead to Russian cybercriminals. It's often preceded by a phishing attack that infects a target with a trojan, then exfiltrates the victim's data and triggers a Ryuk infection. The ransomware seems to be used by a few splinter groups in addition to its originators, though, making it difficult to trace and correlate activity from the presence of the malware alone. The actor that first used it throughout 2018 and 2019 seemed to go dark in April, but has recently reappeared.

"There are indications that the original actors are back and carrying out attacks after their absence," Emsisoft's Callow says. "The number of attacks is spiking, and as always they have a liking for health care along with other organizations."

Ryuk is one of several large ransomware families which have hit not just health care, but other large companies like Garmin and Lenovo, the shipping and logistics firm Pitney Bowes, Tribune Publishing, and numerous municipal governments around the country. Some ransomware gangs vowed not to hit hospitals during the pandemic, but actors tied to Ryuk made no such promise.

Some researchers are calling for a ban on paying ransoms, arguing that drastically reducing that incentive is the only measure that will stop ransomware's rise now. The recommendation has been controversial, though, given how high the stakes can be for returning to normal operations during an attack—especially when the target is critical infrastructure or a health-care-related organization.

"This is extremely important. It's truly vile that people are willing to go after hospitals," the UHS ER technician told WIRED. "It is a life-or-death situation."

