{
	"id": "b34ae106-7cb6-4df7-af48-7198705ebfbd",
	"created_at": "2026-04-06T00:22:30.148358Z",
	"updated_at": "2026-04-10T03:34:54.434507Z",
	"deleted_at": null,
	"sha1_hash": "dc2c89b00c82c6d21a1a745693b916b4a2a7c8ef",
	"title": "UHS hospitals hit by reported country-wide Ryuk ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1737408,
	"plain_text": "UHS hospitals hit by reported country-wide Ryuk ransomware attack\r\nBy Sergiu Gatlan\r\nPublished: 2020-09-28 · Archived: 2026-04-05 17:54:36 UTC\r\nUniversal Health Services (UHS), a Fortune 500 hospital and healthcare services provider, has reportedly shut down systems\r\nat healthcare facilities around the US after a cyber-attack hit its network early on Sunday morning.\r\nUHS operates over 400 healthcare facilities in the US and the UK, has more than 90,000 employees and provides healthcare\r\nservices to approximately 3.5 million patients each year.\r\nThe Fortune 500 corporation had annual revenues of $11.4 billion in 2019 and is ranked 330th on Forbes' list of the largest US\r\npublic companies.\r\nhttps://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/\r\nPage 1 of 5\r\nAttacked during the night\r\nAccording to reports from UHS employees, UHS hospitals across the US, including those in California, Florida,\r\nTexas, Arizona, and Washington D.C., have been left without access to computer and phone systems.\r\nAt the moment the affected hospitals are redirecting ambulances and relocating patients in need of surgery to other nearby\r\nhospitals.\r\n\"When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity,\"\r\none of the reports reads.\r\n\"After 1min or so of this the computers logged out and shutdown. When you try to power back on the computers they\r\nautomatically just shutdown.\r\n\"We have no access to anything computer based including old labs, ekg's, or radiology studies. 
We have no access to our\r\nPACS radiology system.\"\r\nEmployees were also told to shut down all systems to block the attackers from reaching every device on the network.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal at\r\n+16469613731 or on Wire at @lawrenceabrams-bc.\r\nRyuk ransomware behind the attack\r\nWhile UHS has made no official statement regarding the attack, reports coming from employees show all the signs of a\r\nransomware attack, starting with its launch during the night to avoid detection before encrypting as many systems as\r\npossible, and the immediate shutdown of all systems after it was discovered to prevent more devices from getting locked.\r\nAn employee told BleepingComputer that, during the cyberattack, files were being renamed to include the .ryk extension.\r\nThis extension is used by the Ryuk ransomware.\r\nAnother UHS employee told us that one of the impacted computers' screens changed to display a ransom note reading\r\n\"Shadow of the Universe,\" a phrase similar to the one appearing at the bottom of Ryuk ransom notes.\r\nBased on information shared with BleepingComputer by Advanced Intel's Vitali Kremez, the attack on UHS' system likely\r\nstarted via a phishing attack.\r\nOur team has observed the following: Phishing -\u003e #KEGTAP -\u003e #BEACON -\u003e #RYUK.\r\n— Andrew Thompson (@anthomsec) September 28, 2020\r\nAccording to Kremez, their Andariel intelligence platform detected both the Emotet and TrickBot Trojans affecting UHS\r\nInc. 
throughout 2020, and more recently, in September 2020.\r\nThe Emotet trojan is spread via phishing emails containing malicious attachments that install the malware on a victim's\r\ncomputer.\r\nAfter some time, Emotet will also install TrickBot, which ultimately opens a reverse shell to the Ryuk\r\noperators after harvesting sensitive information from compromised networks.\r\nOnce the Ryuk actors manually gain access to the network, they start with reconnaissance and, after obtaining admin credentials,\r\nthey deploy ransomware payloads on network devices using PsExec or PowerShell Empire.\r\nRyuk ransom note\r\nUnfortunately, with a ransomware attack there is also a high chance of the attackers stealing patient and employee data, which\r\nwould further increase the damage.\r\nLast week, BleepingComputer reported that a ransomware attack affecting a German hospital led to the death of a patient in\r\na life-threatening condition after she was redirected to a more distant hospital.\r\nFour deaths were also reported after the incident impacting UHS' facilities, caused by doctors having to wait for lab\r\nresults to arrive via courier. 
BleepingComputer has not been able to independently corroborate whether the deaths were related to\r\nthe attack.\r\nIf UHS decides to pay the Ryuk ransom, it needs to be careful when using the attackers' decryptor, as it is known to corrupt certain\r\ntypes of files.\r\nEmsisoft is offering free ransomware recovery services to healthcare organizations during the pandemic, which include\r\ncustom decryptors that are known to recover files 50% faster than the threat actor's decryptors.\r\n\"There are multiple factors and it depends a bit on the hardware, but there are three major factors: We heavily optimised I/O\r\n(so the reading and writing has been optimised a lot and been adjusted for modern mass storage), we use hardware\r\naccelerated cryptography, and we make creating a backup first unnecessary, because unlike the TA's tool, we operate on\r\ncopies of data.\"\r\n\"The real benefit is in the fact that we focus on data safety first. So our decryptors generally are more stable, are safer to use,\r\nand produce correct results,\" Emsisoft CTO Fabian Wosar told BleepingComputer in a conversation.\r\nBleepingComputer has contacted UHS for more information about the attack but has not heard back.\r\nUpdate September 29, 18:45 EDT: Added information about Emsisoft decryptors.\r\nUpdate September 28, 12:23 EDT: UHS confirmed that it was the victim of a security incident and says that no patient or\r\nemployee data was impacted in the incident:\r\nThe IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue.\r\nWe implement extensive IT security protocols and are working diligently with our IT security partners to restore IT\r\noperations as quickly as possible. In the meantime, our facilities are using their established back-up processes including\r\noffline documentation methods. 
Patient care continues to be delivered safely and effectively.\r\nNo patient or employee data appears to have been accessed, copied or otherwise compromised.\r\nSource: https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/"
	],
	"report_names": [
		"uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434950,
	"ts_updated_at": 1775792094,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc2c89b00c82c6d21a1a745693b916b4a2a7c8ef.pdf",
		"text": "https://archive.orkl.eu/dc2c89b00c82c6d21a1a745693b916b4a2a7c8ef.txt",
		"img": "https://archive.orkl.eu/dc2c89b00c82c6d21a1a745693b916b4a2a7c8ef.jpg"
	}
}