European ransomware group strikes US hospital networks, analysts warn


An Eastern European cybercriminal group has conducted ransomware attacks at multiple U.S. hospitals in recent days in some of the most disruptive cyber-activity in the sector during the coronavirus pandemic, cybersecurity company FireEye said Wednesday.

The group, which FireEye calls UNC1878, has been deploying Ryuk ransomware and taking multiple hospital IT networks offline, said Charles Carmakal, senior vice president of Mandiant, FireEye’s incident response arm.

“UNC1878 is one of the most brazen, heartless and disruptive threat actors I’ve observed over my career,” Carmakal said. The group’s activity “is deliberately targeting and disrupting U.S. hospitals, forcing them to divert patients to other healthcare providers,” he said.

The company did not detail any specific attacks, or the timing of the activity it says it observed.


The announcement coincides with multiple reported ransomware incidents, including an attack earlier this week on Oregon’s Sky Lakes Medical Center. The medical center carried on with emergency and urgent care, but said that “communications with the medical center will be a little complicated, however, until systems are restored.”

Ransomware also infected the IT networks of hospitals in New York state, forcing the Canton-Potsdam, Massena and Gouverneur hospitals to revert to back-up processes. A new variant of Ryuk was reportedly involved.

The FBI and departments of Homeland Security and Health and Human Services convened a phone call on Wednesday to brief the private sector on the attacks. An invitation to the call said it would cover “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.”

The ransomware incidents this week follow a reported Ryuk ransomware attack on Universal Health Services, which describes itself as one of the largest health care providers in the U.S.

Cybercriminals have continued to lock down IT systems at hospitals and demand payoffs, despite the deadly coronavirus pandemic. U.S. federal agencies and private companies have called in reinforcements to try to blunt the impact of the attacks.


Cybersecurity professionals around the world have been so concerned by the hacking of health care organizations that they have volunteered their time to protect them. For its part, the U.S. Cybersecurity and Infrastructure Security Agency in July hired Josh Corman, a health care cybersecurity specialist, to bolster the agency’s work to defend the sector from attacks.

Written by Sean Lyngaas
