
Cyber-malware Strikes UVM, Doctors ‘Expect Panic’

  • Writer: Preston Takayama
  • Sep 17, 2021
  • 3 min read


Of the many cyber-attacks of 2020, the malware known as Ryuk has affected countless medical centers and infamously spread through 6 major hospitals from California to New York within 24 hours during the Covid-19 pandemic. Named after the antagonist of the anime Death Note, Ryuk originated with a Russian-based hacking group called Wizard Spider in March 2018.


Though the malware mainly targets hospitals and medical centers, Ryuk is also known to hit major corporations, and it forced the entire city of New Orleans to shut down all of its government computers in a state of emergency. Ryuk only goes after organizations that can afford extreme amounts of ransom in return for their files. Hackers deliver the malware onto your computer through phishing emails (1) containing a link that carries code allowing them to access all files and data on your computer. However, Ryuk itself is only installed after the hackers have already gained access to your computer system, which suggests that the ransomware is an additional payload dropped after the initial intrusion.


Unlike other malware, Ryuk locks the computer's data with military-grade encryption (AES and RSA), so the likelihood of recovering the files without paying the ransom is extremely low. Additionally, Ryuk whitelists major applications like Google Chrome and Windows so that the user can continue to operate the computer while the system remains stable. According to the FBI, the hackers received a record-breaking $61 million USD in ransom over a 21-month period from 2018 through 2019. Unfortunately, based on the events of 2020, Ryuk will infect thousands more networks and hospitals in the near future.


On October 28, 2020, one of the largest ransomware attacks on a hospital propagated through the University of Vermont Medical Center when the Ryuk ransomware compromised all 5,000 computers in the network. Currently, UVM is paying almost $1.5 million USD per day in recovery costs and may lose up to $63 million USD by 2021. The ransomware shut down the clinical trials and treatment studies for the Coronavirus vaccine while encrypting the patient records.


Many patients were forced to reschedule their appointments even when their symptoms had become severe. For example, Sean McCaffrey, one of the patients whose records were affected by the ransomware, had scheduled an appointment with a cardiologist on the night of the attack because of chest pain and received no information about rescheduling. Experts fear that the encryption of hospital records and files may lead to fatalities in the near future. Unfortunately, ransomware may not only encrypt the files but also leak private company and patient information onto the internet. Consequently, the medical center may instead pay the ransom in the hope of recovering the encrypted files. Delayed treatment caused by the ransomware's encryption can beget many additional casualties in the future, so hospitals and medical centers must strengthen their security systems immediately.



Even though companies can familiarize their employees with the signs of phishing attacks, an associate eventually clicking on a fraudulent link is inevitable; thus, we must find solutions that can avert serious damage even after the malware is installed. One effective method is to back up all secure and important data files onto an offline server. Once the hacker installs the malware on your computer, all the files are encrypted and cannot be accessed until the ransom is paid. However, with a backup of the files on a separate server, employees can continue to access a clean copy of the encrypted data from a separate computer.


Unfortunately, if the backup is not on a separate device or an offline server, the ransomware will also encrypt the files stored in the backup. Keeping the files on a separate USB drive is recommended, because it can still be accessed when connected to another computer. Another way to ensure a secure network is to run antivirus scans constantly and keep your system up to date. Security scans can sometimes detect malware and attempt to remediate it before any significant damage ensues. After backing up the files and running continuous security scans on the computers, companies should separate computers onto different Wi-Fi networks instead of putting every device on the same network. Once the Ryuk ransomware is installed on one computer, all of the devices connected to that network are infected; hence, all major companies and medical centers like UVM should ensure that some of their 5,000 computers are connected to different networks.
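The backup advice above has a catch the text points at: a copy that the infected machine can still reach gets encrypted along with everything else, and the encrypted copy looks just like a good one (same file names, same sizes). As an added example that is not code from the original post or from UVM, the Python script below shows one way to make an offline copy checkable before anyone restores from it: it copies the files, records a SHA-256 hash of each one in a manifest, and later re-hashes the copy to flag anything modified or missing. All paths, file contents and the simulated tampering step are constructed for the demonstration.

```python
"""Offline backup with an integrity manifest (added example, not from the post).

Copies a directory tree to a second location, records a SHA-256 per file,
and verifies the copy against that manifest.  A backup that ransomware has
quietly overwritten fails verification instead of being restored blindly.
All paths and sample contents below are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # constructed name for the hash list


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under `source` into `dest` and record its SHA-256.

    The manifest is the important part: without it, an encrypted copy is
    indistinguishable from a good one by name and size alone.
    """
    manifest = {}
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_file, target)
        manifest[rel] = sha256_of(target)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> dict:
    """Re-hash the backup and compare against the manifest.

    Returns {"ok": [...], "modified": [...], "missing": [...]} so a restore
    step can refuse to proceed unless every entry is "ok".
    """
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        path = dest / rel
        if not path.exists():
            result["missing"].append(rel)
        elif sha256_of(path) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Build a tiny constructed source tree, back it up, then simulate the
    backup volume being reached by ransomware and show that verification
    catches the change.  Returns both verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "records"        # constructed sample data
        backup = Path(tmp) / "offline_copy"   # stands in for a detached drive
        (source / "patients").mkdir(parents=True)
        (source / "patients" / "schedule.csv").write_text("id,date\n1,2020-10-28\n")
        (source / "notes.txt").write_text("clinical trial notes\n")

        make_backup(source, backup)
        clean = verify_backup(backup)

        # Simulate the failure mode in the text: the "backup" was still
        # reachable from the infected machine and one file got overwritten
        # with ciphertext-like bytes.
        (backup / "notes.txt").write_bytes(os.urandom(64))
        after_tamper = verify_backup(backup)
    return {"clean": clean, "after_tamper": after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be stored with the backup on the detached drive and a second copy kept somewhere the production network cannot write to; the check is only meaningful if the attacker cannot rewrite the hashes along with the files.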


As technology evolves, ransomware becomes more dangerous and advanced every day. Therefore, companies and employees must prepare by making use of the security systems available to them.



(1): Phishing is one of the most common ways a hacker can obtain private information; it is done by sending emails containing a fraudulent link disguised as coming from a trustworthy source. For example, the sender could pose as a real bank, but the email will contain a misspelling or grammar mistake.
