The Ryuk ransomware is suspected to be the culprit.

A ransomware attack has shut down Universal Health Services, a Fortune-500 owner of a nationwide network of hospitals.

The attack occurred in the wee hours of the morning on Monday, according to reports coming in from employees on Reddit and other platforms.

On Reddit, a discussion with hundreds of comments indicated that many UHS locations were indeed down and requiring a return to manual processes.

“It was an epic cluster working ‘old school’ last night with everything on paper downtime forms,” one poster said. “It is true about sending patients away (called EMS diversion) but our lab is functional along with landlines. We have no access to anything computer based including old labs, EKGs or radiology studies. We have no access to our PACS radiology system.”

Another wrote, “UHS psych Georgia we’re definitely down. We are having to handwrite everything! We’re not allowed to turn computers on either.”

Meanwhile, one person told TechCrunch, “Everyone was told to turn off all the computers and not to turn them on again.” The person added, “We were told it will be days before the computers are up again.”

In an official statement given out on Monday, UHS noted: “The IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue. We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”

It added, “No patient or employee data appears to have been accessed, copied or otherwise compromised.”

Reddit thread discussing the attack.

While UHS didn’t mention what kind of attack it suffered, other information coming from workers seems to point to the Ryuk ransomware as the culprit. An employee told BleepingComputer, for instance, that encrypted files are being appended with the .RYK extension, and that a ransom note that showed up on all affected computers referenced the phrase “Shadow of the Universe,” which is known to be included in Ryuk ransom notes.

Threatpost reached out to UHS for further comment.

Some on Reddit floated the specter of patients dying because of a lack of care, with an original poster stating (without evidence) that “four people died” as a result of the attack, because patient care was delayed.

“One of the busiest hospitals in the region is currently sending away all ambulances to different smaller hospitals because of this, and they themselves are losing patients while they are waiting for lab results to be delivered by courier….four people died tonight alone due to the waiting on results from the lab to see what was going on,” the post reads.

This is a similar situation to an incident this month at a Dusseldorf University hospital, where a ransomware attack resulted in emergency room diversions to other hospitals. According to a report by the NRW Minister of Justice, a patient who had to be taken to a more distant hospital in Wuppertal because of the attack on the clinic’s servers died. An investigation has been opened.

Some employees said they wouldn’t be surprised if patient care were impacted, despite the hospital system’s assurances.

“No patients died tonight in our ED but I can surely see how this could happen in large centers due to delay in patient care,” one poster said.

Another wrote, “I work at a UHS facility in Tucson and our sh*t is definitely down. They won’t even let us turn the computers on for going on over 24 hours. We’re a psych hospital so no one is dying from not getting their lab results back in time, but if the same thing happening to us is going on at any of UHS’s medical facilities then I can well imagine people dying.”

Again, there’s no confirmation that patient safety was compromised, let alone that anyone died, but the news does come as ransomware continues to explode. A report out from IBM X-Force found that this month, one in four observed attacks has been caused by ransomware.

“It is sad to see that despite hackers’ claims to stop healthcare cyber-attacks during COVID-19 crisis, such attacks still take place,” said Ilia Sotnikov, vice president of product management, Netwrix. “Ransomware attacks are especially disastrous for healthcare as they block access to IT systems and patient data in hospitals, leading to inability to treat people, and might eventually cost lives. Yet, the recent Netwrix 2020 Cyber Threats Report has found that every third healthcare organization experienced a ransomware attack during the past few months, which is the highest result among all the verticals. Reason for such high rates is easy: healthcare sector is an easy target for hackers, given the shortage of resources, legacy systems and the pressure that the sector faces in the current situation.”