The Ruthless Hackers Behind Ransomware Attacks on U.S. Hospitals: ‘They Do Not Care’

The Wall Street Journal tracked the most disruptive attacks to one group: a notorious gang of Eastern European cybercriminals once called the “Business Club,” with ties to Russian government security services, according to threat analysts and former law-enforcement officials who closely follow Eastern European cybercrime operations.

Now known by many researchers as Ryuk, after its signature software, it is the most prolific ransomware gang in the world, accounting for one-third of the 203 million U.S. ransomware attacks in 2020, according to cybersecurity firm SonicWall. Ryuk ransomware collected at least $100 million in paid ransom last year, according to the bitcoin analysis firm Chainalysis.

The group targets large organizations with deep resources, breaking into their networks and installing malicious software that locks every file on every computer with an encryption key, essentially an uncrackable password. Ryuk routinely extracts six- and seven-figure payments from victims in exchange for revealing the encryption key, according to security companies tracking the group.

The Ryuk gang has hit at least 235 general hospitals and inpatient psychiatric facilities, plus dozens of other healthcare facilities in the U.S. since 2018, when security researchers first spotted them, according to a Journal review of the attacks through interviews with hospital officials and security analysts, public statements and court documents.

Hospitals are especially lucrative targets because many have lax cybersecurity controls, and the business of life and death is highly vulnerable to extortion. Some ransomware gangs avoid them over fears of killing people, or can be persuaded to turn over the encryption key when lives are at stake, according to people who have negotiated with the attackers.

Not so with Ryuk.

“They do not care. Patient care, people dying, whatever. It doesn’t matter,” said Bill Siegel, CEO of the ransomware recovery firm Coveware. “Other groups you can at least have a conversation. You can tell them, ‘We’re a hospital, someone’s going to die.’ Ryuk won’t even reply to that email.”

Inquiries from the Journal to email addresses used in some of the Ryuk attacks went unanswered. The Russian government has denied recruiting hackers.

The targeted assault on hospitals during a global public-health crisis exposed troubling gaps in cyber protections for the nation’s health system, risking catastrophic consequences. Hospitals now depend heavily on computers after an aggressive push in the last dozen years to digitize patient records and as manufacturers increasingly add features to connect medical devices over computer networks.

In October, the Federal Bureau of Investigation and other U.S. agencies said the incidents represented an “increased and imminent” threat.

FBI Director Christopher Wray said the agency is now investigating about 100 different types of ransomware, many of which trace back to hackers in Russia, and compared the current spate of cyberattacks with the challenge posed by the Sept. 11, 2001, terrorist attacks.

Last month, an attack by the Russian group known as DarkSide led to paralysis of the main pipeline supplying gasoline and diesel fuel to the U.S. East Coast. Last week, another Russian group called REvil upset beef production in the U.S. and Australia with its ransomware attack on the world’s largest meat company, JBS USA Holdings Inc. The company acknowledged paying an $11 million ransom to avoid further disruption.

Security researchers say Ryuk grew out of the larger organization called the Business Club, whose leaders have been in a game of cat-and-mouse with U.S. authorities since at least 2007. The Business Club began by creating malware that could transfer money out of a consumer’s bank account by waiting until the victim logs in to their bank’s website and then secretly hijacking the connection.

The Business Club splintered into two factions in late 2013 following a rift between the heads of the organization’s software-development division and its money-laundering operations, according to former FBI agent J. Keith Mularski, a managing director in Ernst & Young’s cybersecurity practice, who investigated the group.

As banks evolved more robust defenses, both factions pivoted into ransomware. One group began signing their ransom demands as the fictional character Ryuk from the Japanese manga series Death Note. Others have called the gang variously the Trickbot Group, Wizard Spider, UNC1878 and Team9.

Ryuk negotiates with victims using disposable webmail accounts and speaks with a single, consistent voice, terse and to the point, and offering no hint of a personality, according to consultants who have negotiated with the hackers.

“I don’t think I’ve ever had a conversation with Ryuk that was over a sentence or two,” said Tony Cook, head of threat intelligence at GuidePoint Security. Mr. Cook said he has dealt with Ryuk in 15 ransomware cases, four of them hospitals. “You don’t have a lot of wiggle room with them,” he said.

In some negotiations, he complained to the hackers that his clients couldn’t afford to pay the ransoms, which he said ranged from $250,000 to $1.4 million. “They’ll respond back with financial documents in their email and say, ‘Yes you can.’ ” He wouldn’t disclose how many of his clients paid the hackers.

The group mostly targets large organizations—“big game hunting” in the ransomware world. Ryuk’s victims include Fortune 500 company EMCOR Group Inc. and shipping and postage provider Pitney Bowes, which suffered dayslong service outages in a Ryuk attack in 2019 according to company statements, but also a chain of pet hospitals, and public schools in multiple states.

The gang hit three hospitals owned by DCH Health System in western Alabama in late 2019, according to public statements and court filings from DCH. The attackers shut down vital computer systems for care, including record-keeping and admissions.

When Sheneka Frieson arrived to DCH’s Northport Medical Center emergency room during the event, a nurse said they wouldn’t be able to see her sick niece for hours “due to ransomware.”

The 7-year-old had suffered an allergic reaction to some food, and her face was covered with red splotches and her eyes swollen shut, Ms. Frieson said.

Ms. Frieson took her niece home and treated her with an over-the-counter allergy medicine.

DCH negotiated a ransom with Ryuk and got their systems back up online nine days after the attack began, according to public statements and court documents.

Ms. Frieson and six other patients sued DCH for negligence related to the attack. Ms. Frieson said she settled the case with the hospital last month.

DCH didn’t respond to requests for comment.

A Ryuk attack last September on Universal Health Services Inc., one of the largest U.S. hospital chains, forced the company to simultaneously shut down computers that store patients’ medical records, laboratory results and medication orders across roughly 250 hospitals, free-standing emergency rooms and other outpatient centers. Recovery took weeks. The company said it didn’t pay a ransom in the attack, which cost it $67 million last year before taxes from lost revenue and higher labor expenses to restore its networks, according to Securities and Exchange Commission filings.

The shutdown hit Las Vegas especially hard, where Universal Health operates about one-third of the city’s general hospitals.

“We do not have plans in the books for the long-term closure of that capacity,” said Carolyn Levering, the city’s emergency manager.

Las Vegas doctors traded confused and urgent text messages and calls as hospital computers across the city unexpectedly shut down, said Dr. Shivesh Kumar, founder of Reliant Physicians, a Las Vegas medical group. Doctors couldn’t look up patient-transfer records. “No one knew where the patients were,” Dr. Kumar said.

Universal Health declined to comment.

In late October, Ryuk shut down two hospital systems’ networks in New York and Oregon, officials said.

The attack left doctors and nurses without the stream of data to electronic health records to alert doctors of a dangerous turn in patients’ breathing or blood pressure, said John Gaede, director of information services at Sky Lakes Medical Center in Klamath Falls, Ore. They instead relied on bedside monitors.

“It was brutal,” he said.

Mr. Gaede said Sky Lakes, which refused to pay the ransom, was forced to rebuild its network of servers from scratch. The hospital didn’t restore the digital medical records for 23 days.

“Knowing what I know now—even as disruptive as it was—I still would not pay the ransom,” said Sky Lakes Chief Executive Officer Paul Stewart. He said he believed it was a bad idea to negotiate with criminals, who cannot be trusted.

Caught in the middle was Ron Jackson, a 75-year-old with an aggressive brain tumor. The attack on Sky Lakes came just as he was scheduled to begin radiation treatments, which his surgeon had said needed to start immediately.

Instead, Mr. Jackson’s treatments were delayed two weeks and moved to a hospital two hours away—a trip he had to make daily.

The ordeal traumatized Mr. Jackson and his wife, Sherry Jackson, 74, who had to drive him to his treatments. “It was our whole life,” she said. “It was all we did. It was a lot of extra stress.” Nevertheless, the couple said they agreed with the hospital’s decision not to pay ransom.

On the same day as the Sky Lakes attack, the gang hit three-hospital St. Lawrence Health, according to a spokeswoman, including Canton-Potsdam Hospital, the only trauma center in St. Lawrence County, N.Y.

The attack forced ambulances to bypass the hospital, leaving emergency crews a 90-minute drive should they need similar services, said Matthew Denner, director of emergency services for the county. No major traumas occurred before Canton-Potsdam reopened. “We were lucky,” Mr. Denner said.

The U.S. government and international law-enforcement agencies have worked with private-sector technology firms to take down Ryuk’s “botnets”—the undulating mass of thousands or millions of hacked computers that the organization controls at any given time.

On June 4, the Justice Department announced a 47-count indictment against seven alleged members of the organization for the electronic bank thefts that were the group’s mainstay before it moved to ransomware. One defendant, described by officials as a 55-year-old Latvian woman who used the screen name “Max,” was arrested in Florida while traveling in February. The identities of five Russian nationals and a Ukranian defendant remain under seal.

And in 2019, the U.S. Treasury Department levied financial sanctions on alleged Business Club member Maksim Yakubets, saying he has been “working for the Russian FSB” since at least 2017 and in 2018 “was in the process of obtaining a license to work with Russian classified information from the FSB.”

Mr. Yakubets, along with another alleged Business Club member, Evgeniy Bogachev, are wanted in the U.S., with a total $8 million in reward money offered for their capture. No contact information could be found for either man.

Experts say the hackers shorten their recovery time with each setback. In the most recent takedowns last September, the U.S. Cyber Command and Microsoft each targeted the botnet used to distribute the Ryuk ransomware, fearful it could be used to interfere in the 2020 general election. The hackers rapidly rolled out a major rewrite of the botnet code that made it more resilient by blocking unauthorized updates.

Most recently, the botnet has been spotted installing an alternative strain of ransomware, known as Conti. Security experts believe the Ryuk gang has been renting this new strain of software out to other hackers in exchange for a percentage of the profits.

Last month, Conti was used in devastating attacks on Ireland’s public-health infrastructure and 16 targeted attacks on U.S. emergency responders, including hospitals and 911 call centers, according to the FBI.

Write to Kevin Poulsen at [email protected] and Melanie Evans at [email protected]