Russian hackers attack hospital cloud storage vendor with Ryuk ransomware, demand $14 million

On the number of machines infected, Karen Christianson, CEO of VCPI, said that a total of 80,000 computers were compromised

A group of Russia-based hackers has wreaked havoc by launching a ransomware attack on a cloud storage provider and demanding a whopping $14 million in ransom. The company, called Virtual Care Provider Inc. (VCPI), offers cloud data storage for hundreds of nursing homes based in Milwaukee, US.

Besides using the infamous Ryuk ransomware to encrypt the systems, the attackers also used a virus dubbed TrickBot to get into the network. After the servers were infected, VCPI disconnected its entire system from the internet, affecting the operations of hundreds of nursing homes. These nursing homes depended on VCPI for storing relevant business data, including patient history, employee payroll, inventory and medication databases.

How big was the attack?

VCPI has explained that one-fifth of its servers were infected with Ryuk ransomware. On the number of machines infected, Karen Christianson, CEO of VCPI, said that a total of 80,000 computers were compromised.

VCPI published a press release immediately after the attack Screengrab/IBT SG

Executed over 14 months

A security expert from Milwaukee has reportedly said that a group of Russian hackers had been sending phishing emails to employees for 14 months before launching the massive attack. Whenever someone clicked on a link in one of these emails, it gave the hackers a foothold. Once inside the system, the hackers removed the installed security software and took control of the network, he added.

What is Ryuk, and how does it work?

The Ryuk ransomware is a reworked version of Hermes, and it requires a malware dropper to infect a system. After getting into the network, the ransomware encrypts everything except system files (dll, exe) and a log file with the extension hrmlog. It also disables the Windows restore function to ensure the victim can't restore the system. The Ryuk ransomware has been used in many recent enterprise attacks to help cybercriminals extort millions in ransom from victims.
