{
	"id": "9ac77dfb-7356-4e2b-8400-51c92f172cd4",
	"created_at": "2026-04-06T01:31:40.14806Z",
	"updated_at": "2026-04-10T03:33:27.336048Z",
	"deleted_at": null,
	"sha1_hash": "0b80b7b24c12aacfb049ed201c3c3db9aa48b6cb",
	"title": "FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 183660,
	"plain_text": "FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat\r\nAgainst U.S. Hospitals\r\nPublished: 2020-11-01 · Archived: 2026-04-06 00:41:33 UTC\r\nOn Monday, Oct. 26, KrebsOnSecurity began following up on a tip from a reliable source that an aggressive\r\nRussian cybercriminal gang known for deploying ransomware was preparing to disrupt information technology\r\nsystems at hundreds of hospitals, clinics and medical care facilities across the United States. Today, officials from\r\nthe FBI and the U.S. Department of Homeland Security hastily assembled a conference call with healthcare\r\nindustry executives warning about an “imminent cybercrime threat to U.S. hospitals and healthcare providers.”\r\nhttps://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/\r\nPage 1 of 3\n\nThe agencies on the conference call, which included the U.S. Department of Health and Human Services\r\n(HHS), warned participants about “credible information of an increased and imminent cybercrime threat to US\r\nhospitals and healthcare providers.”\r\nThe agencies said they were sharing the information “to provide warning to healthcare providers to ensure that\r\nthey take timely and reasonable precautions to protect their networks from these threats.”\r\nThe warning came less than two days after this author received a tip from Alex Holden, founder of Milwaukee-based cyber intelligence firm Hold Security. Holden said he saw online communications this week between\r\ncybercriminals affiliated with a Russian-speaking ransomware group known as Ryuk in which group members\r\ndiscussed plans to deploy ransomware at more than 400 healthcare facilities in the U.S.\r\nOne participant on the government conference call today said the agencies offered few concrete details of how\r\nhealthcare organizations might better protect themselves against this threat actor or purported malware campaign.\r\n“They didn’t share any IoCs [indicators of compromise], so it’s just been ‘patch your systems and report anything\r\nsuspicious’,” said a healthcare industry veteran who sat in on the discussion.\r\nHowever, others on the call said IoCs may be of little help for hospitals that have already been infiltrated by Ryuk.\r\nThat’s because the malware infrastructure used by the Ryuk gang is often unique to each victim, including\r\neverything from the Microsoft Windows executable files that get dropped on the infected hosts to the so-called\r\n“command and control” servers used to transmit data between and among compromised systems.\r\nNevertheless, cybersecurity incident response firm Mandiant today released a list of domains and Internet\r\naddresses used by Ryuk in previous attacks throughout 2020 and up to the present day. Mandiant refers to the\r\ngroup by the threat actor classification “UNC1878,” and aired a webcast today detailing some of Ryuk’s latest\r\nexploitation tactics.\r\nCharles Carmakal, senior vice president for Mandiant, told Reuters that UNC1878 is one of the most brazen,\r\nheartless, and disruptive threat actors he’s observed over the course of his career.\r\n“Multiple hospitals have already been significantly impacted by Ryuk ransomware and their networks have been\r\ntaken offline,” Carmakal said.\r\nOne health industry veteran who participated in the call today and who spoke with KrebsOnSecurity on condition\r\nof anonymity said if there truly are hundreds of medical facilities at imminent risk here, that would seem to go\r\nbeyond the scope of any one hospital group and may implicate some kind of electronic health record provider that\r\nintegrates with many care facilities.\r\nSo far, however, nothing like hundreds of facilities have publicly reported ransomware incidents. But there have\r\nbeen a handful of hospitals dealing with ransomware attacks in the past few days.\r\n–Becker’s Hospital Review reported today that a ransomware attack hit Klamath Falls, Ore.-based Sky Lakes\r\nMedical Center’s computer systems.\r\n–WWNY’s Channel 7 News in New York reported yesterday that a Ryuk ransomware attack on St. Lawrence\r\nHealth System led to computer infections at Canton-Potsdam, Massena and Gouverneur hospitals.\r\n–SWNewsMedia.com on Monday reported on “unidentified network activity” that caused disruption to certain\r\noperations at Ridgeview Medical Center in Waconia, Minn. SWNews says Ridgeview’s system includes Chaska’s\r\nTwo Twelve Medical Center, three hospitals, clinics and other emergency and long-term care sites around the\r\nmetro area.\r\n–NBC5 reports The University of Vermont Health Network is dealing with a “significant and ongoing system-wide\r\nnetwork issue” that could be a malicious cyber attack.\r\n–A story at BleepingComputer.com says Wyckoff Hospital in New York suffered a Ryuk ransomware attack on\r\nOct. 28.\r\nThis is a developing story. Stay tuned for further updates.\r\nUpdate, 10:11 p.m. ET: The FBI, DHS and HHS just jointly issued an alert about this, available here.\r\nUpdate, Oct. 30, 11:14 a.m. ET: Added mention of Wyckoff hospital Ryuk compromise.\r\nSource: https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/"
	],
	"report_names": [
		"fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider",
				"UNC1878"
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439100,
	"ts_updated_at": 1775792007,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b80b7b24c12aacfb049ed201c3c3db9aa48b6cb.pdf",
		"text": "https://archive.orkl.eu/0b80b7b24c12aacfb049ed201c3c3db9aa48b6cb.txt",
		"img": "https://archive.orkl.eu/0b80b7b24c12aacfb049ed201c3c3db9aa48b6cb.jpg"
	}
}