Getty Images/iStockphoto

Ransomware ramps up against private sector in November

Ransomware disclosures and reports increased again in November, with the most disruptive and dangerous attacks occurring against healthcare organizations.

Ransomware attacks continued to ravage the private sector last month, causing significant disruptions to healthcare organizations as one victim suffered its second attack in one month and another was forced to divert emergency care.

TechTarget Editorial tracks publicly disclosed and reported ransomware attacks against U.S.-based organizations and found 38 disclosures for November, with a majority affecting the private sector. In past months, attacks largely targeted the public sector or saw a more even distribution. The increase in private sector ransomware victims comes after the U.S. Securities and Exchange Commission imposed a four-day reporting deadline for public companies and charged SolarWinds for misleading investors.

Many attacks last month caused severe disruptions and damage. One of the biggest ransomware attacks occurred against Tennessee-based Advent Health Services on Thanksgiving Day.

In a statement on November 27, Ardent confirmed it was hit by ransomware on Nov. 23 and subsequently notified law enforcement and hired third-party incident responders. After detecting the attack, Ardent forced systems offline, which made several services inaccessible, including its corporate servers as well as clinical and financial operations.

However, that wasn't the worst of it. Disruptions became so severe that multiple Ardent-owned hospitals were forced to divert emergency care.

"Some non-emergency procedures are being rescheduled. Additionally, some of Ardent's hospitals are currently operating on divert, which means hospitals are asking local ambulance services to transport patients in need of emergency care to other hospitals," Ardent wrote in the statement. "This ensures critically ill patients have immediate access to the most appropriate level of care.

Ardent includes 30 hospitals, more than 200 healthcare sites and more than 20,000 employees across six states. Hospitals in multiple states were forced to divert ambulances because of the ransomware attack, according to media reports. That included the hospital network known as UT Health East Texas; Lovelace Health system in Albuquerque; and two New Jersey-based hospitals, Hackensack Meridian Pascack and Valley Medical Center.

CNN reported the attack also forced Ardent employees to revert to pen and paper. Additionally, the CNN story said CISA warned Ardent of "malicious cyber activity affecting its computer systems" on Nov. 22 as part of a ransomware outreach program to help critical infrastructure organizations.

In an update on November 30, Ardent said a "vast majority" of its clinics resumed operations and that all 25 emergency rooms were accepting patients by ambulance. However, the hospital and its subsidiaries are not in the clear yet. Some non-emergency procedures remained "temporarily paused" as Ardent worked to bring systems back online.

"In some cases, we continue to ask local EMS services to transport patients in need of certain emergency care, such as stroke or trauma care, to other area ERs," the statement said.

In response to the ransomware attack, Ardent said it implemented additional technology security protocols and is investigating the extent of affected data.

Possible dual ransomware attack

New York-based healthcare giant Henry Schein was another notable healthcare victim last month, and not just for the network disruptions it experienced. Henry Schein was also included in TechTarget Editorial's October ransomware roundup for an attack it disclosed on October 15. Now it appears the BlackCat ransomware gang struck again in just one month.

In a statement published on its investor relations page on Nov. 22, Henry Schein said its ecommerce site was down following a cybersecurity incident. An update on Nov. 27 revealed the healthcare organization restored its ecommerce platform in the U.S., but Canada and Europe would take additional time.

Security Week reported that BlackCat may have hit Henry Schein again just as it was recovering from the October attack because of stalled negotiations. Earlier this month, CISA warned of an increase in dual ransomware attacks where victims suffer simultaneous attacks.

BlackCat claimed responsibility for another attack this month against Florida-based Fidelity National Financial, Inc. (FNF), which provides title insurance and transaction services to real estate and mortgage industries. FNF disclosed a cybersecurity incident in an 8-K form on Nov. 19. While details were vague, FNF said the attack affected certain systems and confirmed an investigation was ongoing.

On Nov. 29, FNF filed another 8-K form stating the "incident was contained" on Nov. 26. TechCrunch reported that the breach affected scheduled closings and forced FNF to shut down all systems, including email.

While the private sector took the brunt of the attacks disclosed November, ransomware groups continued to target municipalities and schools. Six victims came from the education sector, including Newfound Memorial Middle School in Bristol, N.H. In a statement to the school's website on Nov. 28, principal Chris Ulrich described the fallout as "significant." Network access was affected, with some staff unable to access computers at all.

Utility company North Texas Municipal Water District, which provides services to more than 1.6 million people, was another notable public sector victim. On Nov. 28, The Record shed light on the ongoing cybersecurity incident that caused operational disruptions including phone systems. It's unclear when the attack started, but The Record revealed most services were restored as of Nov. 28. The Daixin ransomware group later claimed responsibility for the attack.

Arielle Waldman is a Boston-based reporter covering enterprise security news.

Next Steps

The Change Healthcare attack: Explaining how it happened

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing