Hundreds of American hospitals are being targeted in cyberattacks by the same Russian hackers who American officials and researchers fear could sow mayhem around next week’s election.
The attacks on American hospitals, clinics and medical complexes are intended to take those facilities offline and hold their data hostage in exchange for multimillion-dollar ransom payments, just as coronavirus cases spike across the United States.
“We expect panic,” one hacker involved in the attacks said in Russian during a private exchange on Monday that was captured by Hold Security, a security company that tracks online criminals.
Some hospitals in New York State and on the West Coast reported cyberattacks in recent days, though it was not clear whether they were part of the attacks, and hospital officials emphasized that critical patient care was not affected.
The Russian hackers, believed to be based in Moscow and St. Petersburg, have been trading a list of more than 400 hospitals they plan to target, according to Alex Holden, the founder of Hold Security, who shared the information with the F.B.I. Mr. Holden said the hackers claimed to have already infected more than 30 of them.
On Wednesday, three government agencies — the F.B.I., the Department of Health and Human Services and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency — warned hospital administrators and security researchers about a “credible threat” of cyberattacks to American hospitals, according to a security executive who listened to the briefing.
Officials and researchers did not name the affected hospitals, but Sonoma Valley Hospital in California said it was still trying to restore its computer systems after an intrusion last week. St. Lawrence Health System in New York confirmed that two of its hospitals, Canton-Potsdam and Gouverneur, were hit by ransomware attacks Tuesday morning that caused them to shut down computer systems and divert ambulances. Sky Lakes Medical Center in Oregon was also crippled by a ransomware attack Tuesday that froze electronic medical records and delayed surgeries, a hospital representative said.
Employees at that hospital, in Klamath Falls, Ore., were told, “If it’s a P.C., shut it down,” said Thomas Hottman, the public information officer at Sky Lakes.
It was unclear whether those attacks were related to the hacking campaign underway. But the latest breaches were linked to the same Russian hackers who held Universal Health Services, a giant network of more than 400 hospitals, hostage with ransomware last month in what was then considered the largest medical cyberattack of its kind.
The hackers are also the same group behind TrickBot, a vast conduit for ransomware attacks that government hackers and technology executives have targeted in two takedowns over the past month.
In late September, United States Cyber Command started hacking into TrickBot’s infrastructure in an effort to disable it before the election. Microsoft also started taking down TrickBot servers via federal court orders over the past month. The goal of both efforts, officials and executives said, was to pre-empt ransomware attacks on the election that could disrupt voting or create delays that would undermine confidence in the election.
But researchers said those takedowns had an unintended effect: cutting off security sleuths’ access to the hackers. “The challenge here is because of the attempted takedowns, the TrickBot infrastructure has changed and we don’t have the same telemetry we had before,” Mr. Holden said.
The latest campaign on American hospitals suggests that TrickBot’s developers are undeterred. It also shows they are moving to different hacking methods and tools.
“They don’t need TrickBot because they have an entire arsenal of other tools that they can use,” said Kimberly Goody, an analyst at Mandiant, a division of the digital security company FireEye.
Ms. Goody said the tools used in the latest hospital attacks emerged for the first time in April and were not as well known, making them more effective.
It was not clear whether the latest hospital attacks were retaliation for the TrickBot takedowns. Microsoft said it took offline more than 90 percent of the TrickBot servers.
Mr. Holden described the group as a “wounded animal” and said the latest attacks were not as well-planned as previous ones. They were also a notable departure from an agreement among ransomware groups in March not to target hospitals because of the coronavirus pandemic, he said.
“We now have more sick people in this country than we had in March and April,” Mr. Holden said. “This is wrong.”
By targeting hospitals now, Ms. Goody said, the hackers were “demonstrating a clear disregard for human life.”
The hackers also made higher ransom demands of hospitals than they have in previous attacks. In one attack on an unnamed private clinic, Mr. Holden said, the hackers held systems hostage for the Bitcoin equivalent of more than $5 million, more than double the typical ransom the group asked for months earlier.
The hackers, Mr. Holden said, used to base those demands on an old Russian formula, charging 10 percent of a victim’s annual revenue.
“There is an old Russian tradition to give 10 percent of annual revenue to the church,” he said. “This is the hackers’ way of doing the same.”
Reed Abelson contributed reporting.
