Ransomware Attack on UMC Health System a National Security Issue

Date: September 30, 2024

The University Medical Center Health System is currently dealing with a ransomware attack that has severely impacted its operations. As of Friday evening, the hospital continues to face an IT outage resulting from the cyberattack, which began on Thursday.  

The attack forced the hospital to divert both emergency and non-emergency patients arriving via ambulance to other nearby facilities due to the compromised state of its internal systems, causing delays in patient care.

John Riggi, the National Advisor for Cybersecurity and Risk at the American Hospital Association (AHA) and a former FBI agent, has voiced significant concerns about the implications of this attack.  

“This is a national security issue,” Riggi told KCBD, emphasizing the potential danger such attacks pose to public safety. He elaborated that the hospital is the only Level 1 trauma center within a 400-mile radius, making the situation even more critical.  

“When hospitals are attacked, lives are threatened. When you have the only Level 1 trauma center in the region shut down by foreign bad guys, you are putting people’s lives in jeopardy,” Riggi said.

According to Riggi, the primary perpetrators of these ransomware attacks are Russian organized crime gangs, often operating under the protection of the Russian government.  

“Quite frankly, they are provided safe harbor by the Russian government to conduct these attacks against the United States’ critical infrastructure and against western nations,” Riggi noted.  

He also indicated that recent U.S. intelligence has revealed collaboration between Russian ransomware groups and other nation-state actors, such as Iran, to target American institutions.

Riggi highlighted the challenges the FBI and other authorities face in countering these attacks, whose foreign origin complicates efforts to bring the perpetrators to justice.

“No individual hospital, as good as they are, can defend against these very sophisticated nation state sponsored attacks,” Riggi added, calling for stronger federal intervention similar to counter-terrorism efforts.

The process of a ransomware attack typically involves multiple phases. Initially, hackers infiltrate the network, often selling access to other criminal groups that carry out the actual attack.  

“There is a whole industry, particularly in Russia, around perpetrating these ransomware attacks,” Riggi explained. Once inside, criminals typically steal patient health information and attempt to shut down the hospital’s technology systems, paralyzing essential medical services.

UMC has enlisted the help of third-party cybersecurity firms to address the attack and restore services, but no specific timeline has been provided for full recovery.  

The hospital remains partially operational, with certain departments still on downtime procedures. Riggi estimates that recovery from such a high-level attack could take up to 30 days.

Takeaway: Between 2016 and 2021, researchers found that ransomware attacks contributed to the deaths of between 42 and 67 patients, while also causing a 33% increase in death rates per month for hospitalized Medicare patients.  

This disturbing trend signals that ransomware attacks are no longer just a matter of cybercrime but have no doubt crossed the threshold into national security territory. This shift is particularly apparent when critical infrastructure, the Defense Industrial Base, and healthcare providers are being targeted.

Cybercriminal activity is typically managed by law enforcement agencies, which investigate, collect evidence, and prosecute offenders when possible. However, when these attacks begin to disrupt essential services or endanger human lives, they may warrant a more forceful response.

If some subset of ransomware attacks is reclassified as a threat to national security, the rules of engagement change, allowing for potential offensive actions that are both appropriate and proportional to the threat posed.

Given the dual nature of some ransomware campaigns, which likely serve both the financial goals of the attackers and the geopolitical goals of their host nation, the US must consider these attacks through a new lens.

The deep involvement of rogue governments like Russia in either directly sponsoring or providing a safe haven for ransomware gangs is obvious. Evidence indicates that a significant number of ransomware operations can be linked back to Russia.  

A report by Chainalysis found that 74% of the illicit revenue generated by ransomware in 2021 went to Russia-linked attackers, highlighting the extent of their involvement.  

This suggests that some ransomware operations might be serving not just criminal, but also state interests, effectively blurring the line between cybercrime and state-sponsored terrorism.

Until the U.S. and its allies take more direct action against these regimes, such as imposing sanctions, the onslaught of ransomware attacks is likely to continue unabated.

If the Putin regime is indeed influencing the targeting of these attacks, especially against healthcare organizations where lives are on the line, then there’s a strong case to be made for reclassifying these incidents as acts of state-sponsored terrorism or the equivalent.  

Such a reclassification would not only provide clarity but also unlock a broader set of response options, including offensive cyber operations or even traditional military responses. In August, the Senate Intelligence Committee introduced a significant new measure to combat ransomware by treating it on the same level as terrorism.  

The proposal, sponsored by Committee Chairman Mark Warner (D-Va.), aims to tackle the growing threat of ransomware attacks through a multi-faceted approach.  

The bill proposes classifying ransomware gangs as “hostile foreign cyber actors,” and designating countries that harbor these groups as “state sponsors of ransomware,” which would subject them to sanctions.

Additionally, the legislation seeks to grant the U.S. intelligence community expanded legal authority to target these cybercriminals, elevating ransomware to the status of a national intelligence priority.  

This would represent a major shift in policy, as it would be the first U.S. law that explicitly links ransomware to terrorism, going beyond the U.S. Justice Department’s current stance of prioritizing ransomware investigations similarly to terrorism cases.  

If passed, this bill would mark a significant escalation in the U.S. government’s efforts to address ransomware as both a criminal and national security threat.

Ultimately, it is imperative that the U.S. government, along with its allies, start treating ransomware attacks on critical infrastructure for what they really are—critical threats to national security.  

Recognizing these attacks as such will enable a more robust and aggressive response, disrupting both the criminal elements and the hostile state actors that benefit from these attacks.
