PRECURSOR ANALYSIS REPORT: RYUK RANSOMWARE ATTACK ON UNIVERSAL HEALTH SERVICES 2020
- Idaho National Laboratory
The Ryuk Ransomware Attack on Universal Health Services (UHS) 2020 Precursor Analysis Report leverages publicly available information about the 2020 UHS cyber attack and catalogs anomalous observables for each technique employed in the attack. This analysis is based upon the methodology of the Cybersecurity for the Operational Technology Environment (CyOTE) program.

UHS manages over 400 hospitals and is one of the largest healthcare providers in the United States, serving 3.5 million patients each year. On 27 September 2020, UHS suffered a widespread ransomware attack that resulted in a denial of service to critical internet-dependent healthcare systems, including workstations, phones, and data centers. Employees resorted to recording patient details with pen and paper, and some facilities had to redirect ambulances and urgent patients to other facilities for adequate care. Adversaries carried out the attack with Ryuk, a ransomware that encrypts data and generates a RyukReadMe.txt ransom note stating the fee to decrypt the data, varying from 15 Bitcoin (BTC) to 50 BTC, equivalent to roughly $353,892 to $964,617 at the time. UHS did not pay the ransom and was able to recover its data from backups, but still reported an impact of $67 million in recovery costs. On 29 October, one month after the attack, UHS made an official statement that its systems had been restored and that it was resuming normal operations.

Researchers and analysts identified 18 unique techniques (used in a sequence of 19 steps) utilized during the attack, with a total of 185 observables, using MITRE ATT&CK® for Industrial Control Systems. The CyOTE program assesses the observables that accompany techniques used prior to the triggering event in order to identify opportunities to detect malicious activity. If the observables accompanying the attack techniques are perceived and investigated before the triggering event, malicious activity can be comprehended earlier.
Fourteen of the identified techniques used during the UHS cyber attack were precursors to the triggering event. Analysis identified 106 observables associated with these precursor techniques, 82 of which were assessed to have an increased likelihood of being perceived in the 30 days to two hours preceding the triggering event. The response and comprehension time could have been reduced if the observables had been identified earlier. The information gathered in this report contributes to a library of observables tied to a repository of artifacts, data sources, and technique detection references for practitioners and developers to support the comprehension of indicators of attack. Asset owners and operators can use these products if they experience similar observables or to prepare for comparable scenarios.
- Research Organization: Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization: USDOE Office of Nuclear Energy (NE); USDOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
- DOE Contract Number: AC07-05ID14517
- OSTI ID: 3030028
- Report Number(s): INL/RPT-23-71881
- Country of Publication: United States
- Language: English