Ransomware · critical

Universal Health Services: Ryuk Ransomware Across 400 Hospitals

Ryuk ransomware spread across Universal Health Services' 400-hospital US network in one night, forcing nurses and doctors to use paper records, divert ambulances, and cancel surgeries across the country.

Universal Health Services · 2020 · 2 min read

Background

Universal Health Services (UHS) is one of the largest US healthcare providers with 400 hospitals across 36 states. On September 27, 2020, at approximately 2 AM, employees began reporting their computers rebooting and showing ransom notes.

The Attack

Ryuk was operated by the criminal group Wizard Spider, whose intrusions typically began with TrickBot or BazarLoader infections weeks before the ransomware was deployed. Using compromised Active Directory credentials, the operators pushed Ryuk across UHS's network, and it encrypted every file system it could reach. Employees described watching their shared drives disappear in real time. Hospitals switched to paper charting, cancelled elective surgeries, and diverted ambulances to other facilities. Some hospitals lost access to lab results during active patient care.

Response

UHS took all IT systems offline to contain the spread. Over the following days and weeks, hospitals operated manually while the IT estate was rebuilt. UHS stated that it restored from backups and did not pay a ransom; full recovery took over a month. CISA, the FBI, and HHS issued a joint advisory (AA20-302A) on Ryuk and related ransomware activity targeting the healthcare sector.

Outcome

UHS estimated the financial impact at approximately $67 million. The attack coincided with the peak of the COVID-19 pandemic, compounding the pressure on hospital staff. Around the same time, a patient in Germany died after being diverted from a ransomware-hit hospital; German prosecutors later concluded the diversion had not caused the death, but the case highlighted the life-safety stakes of healthcare ransomware.

Key Takeaways

  1. Segment hospital clinical networks from administrative networks so that ransomware on a business workstation cannot reach patient care systems
  2. Active Directory compromise hands ransomware operators the whole enterprise; protect it as the most critical system
  3. Backup testing must include full restore drills; a backup that takes weeks to restore is not operationally useful
  4. Joint CISA/FBI/HHS advisories about active threats must be acted on within hours, not days
Ryuk · Wizard Spider · healthcare · 400 hospitals · Active Directory