{
	"id": "5ad5ddae-1fba-4550-8c80-37db3f345c49",
	"created_at": "2026-04-06T00:19:12.717312Z",
	"updated_at": "2026-04-10T13:12:09.310109Z",
	"deleted_at": null,
	"sha1_hash": "4534461901572085f9c885236c7b61cf06bdf410",
	"title": "Hacking group is targeting US hospitals with Ryuk ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1085997,
	"plain_text": "Hacking group is targeting US hospitals with Ryuk ransomware\r\nBy Lawrence Abrams\r\nPublished: 2020-10-29 · Archived: 2026-04-05 13:43:19 UTC\r\nIn a joint statement, the U.S. government is warning the healthcare industry that a hacking group is actively targeting hospitals and healthcare providers in Ryuk ransomware attacks.\r\nToday, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) announced a call with the healthcare industry to warn them of an 'Increased and Imminent Cybercrime Threat.'\r\nEmail to healthcare providers\r\nOn this call, the U.S. government warned healthcare providers that Ryuk ransomware is actively targeting the healthcare industry and that proper steps should be taken to secure their systems.\r\nhttps://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/\r\nPage 1 of 5\r\nThese steps include preparing network lockdown protocols, reviewing incident response plans, installing patches on Windows servers and edge gateway devices, limiting personal email, and creating strategies for where to redirect patients in the event of an attack.\r\nOne source told BleepingComputer that it was recommended that all devices be turned off when not in use in case of an attack.\r\nSince the call, CISA, FBI, and HHS have released a joint advisory containing information about the Ryuk ransomware threat, including indicators of compromise (IOCs).\r\n\"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats,\" the advisory states.\r\nIn the past two days, Sky Lakes Medical Center in Oregon and St. Lawrence Health System in New York were both hit by Ryuk ransomware attacks that impacted the treatment of patients. Last month, hospital operator Universal Health Services was hit by a corporate-wide Ryuk attack, which impacted over 200 medical facilities nationwide.\r\nUNC1878 hacking group behind threat\r\nCharles Carmakal, senior vice president and CTO of Mandiant, told BleepingComputer that a hacking group known as UNC1878 is behind the Ryuk attacks on the healthcare industry.\r\n\"We are experiencing the most significant cyber security threat we’ve ever seen in the United States. UNC1878, an Eastern European financially motivated threat actor, is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other healthcare providers. Patients may experience prolonged wait time to receive critical care,\" Carmakal said in a statement to BleepingComputer.\r\nIn a conversation with Carmakal, BleepingComputer was told that this group is highly efficient, with ransomware being deployed in some cases within 45 minutes of a network being compromised.\r\nVictims are then left with seven- to eight-figure ransom demands to obtain a decryptor for their encrypted files.\r\nAt the beginning of the Coronavirus pandemic, BleepingComputer reached out to different ransomware operations to see if they would continue to attack healthcare and medical organizations.\r\nWhile most ransomware gangs said they would decrypt hospitals for free, the Ryuk ransomware operators did not respond to our queries.\r\nFrom BazarLoader to Ryuk\r\nLately, Ryuk attacks usually start with a phishing campaign that installs the BazarLoader/KegTap infection on a recipient's computer.\r\nThe phishing emails are targeted at a particular organization and can include lures ranging from invoices to customer complaints, as shown below.\r\nBazarLoader phishing email directed at BleepingComputer\r\nThese emails include links to Google Docs that pretend to be PDFs that cannot be previewed correctly. These docs prompt the user to click on a link to download the document.\r\nPhishing email landing page\r\nThe downloaded file is an executable that will install the BazarLoader infection onto a victim's computer when executed.\r\nOnce installed, BazarLoader will eventually deploy Cobalt Strike, which allows the threat actors to remotely access the victim's computer and use it to compromise the rest of the network.\r\nTo quickly gain Windows domain admin credentials, Carmakal told BleepingComputer that the group had been seen using the Windows ZeroLogon vulnerability. For this reason, users must install the necessary patches on all Windows servers.\r\nAfter gaining access to a Windows domain controller, the attackers deploy the Ryuk ransomware on the network to encrypt all of its devices, as illustrated in the diagram above.\r\nAdvanced Intel's Vitali Kremez told BleepingComputer that their Andariel threat prevention platform has been tracking an increased number of attacks against healthcare using BazarLoader.\r\n\"The crime group behind continues to target various industries including healthcare. Currently, the healthcare and social services targeting comprises 13.36% of the total victim by industries,\" Kremez told BleepingComputer.\r\nFireEye has also released a report today with TTPs that can be used to learn more about UNC1878 attack methods. Carmakal told BleepingComputer that these attack methods are constantly changing, so the listed IOCs and TTPs would likely change in new attacks.\r\nSource: https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/"
	],
	"report_names": [
		"hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4534461901572085f9c885236c7b61cf06bdf410.pdf",
		"text": "https://archive.orkl.eu/4534461901572085f9c885236c7b61cf06bdf410.txt",
		"img": "https://archive.orkl.eu/4534461901572085f9c885236c7b61cf06bdf410.jpg"
	}
}