Ransomware Activity Targeting the Healthcare and Public Health Sector (Update 1)

Healthcare and Public Health Sector Notification

This email is from the Division of Critical Infrastructure Protection (CIP) within the U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. For more information, e-mail CIP@hhs.gov; to subscribe to our email newsletters, visit our website.

Traffic Light Protocol (TLP) Designation: GREEN

Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP: GREEN information may not be released outside of the community.

Situation Update

The Department of Health and Human Services (HHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats.

Updated Alert Now Available


CISA, FBI, and HHS have updated Alert AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector to include the latest threat information. Specifically, the advisory was updated to include information on Conti, TrickBot, and BazarLoader, including Indicators of Compromise (IOCs) and YARA rules for detection. The advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with Ryuk ransomware for financial gain.

Additional Resource


The UK National Cyber Security Centre (NCSC) released an Advisory on Detecting and Mitigating Cobalt Strike. This threat advisory provides information derived from NCSC and industry analysis for the detection of Cobalt Strike, a red teaming and penetration testing framework commonly misused by threat actors to carry out cyber intrusions. The advisory provides prevention, detection, and mitigation strategies for network administrators.

Upcoming HPH Sector Coordination Calls

At this time, there is not an HPH Sector Coordination Call scheduled.

Reporting Incidents

Contacting FBI:

To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov.

Please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.

Contacting CISA:

To request incident response resources or technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov.

Contacting the U.S. Food and Drug Administration:

In general, if you think you had a problem with your medical device or a medical device your patient uses, the FDA encourages you to report the problem through the MedWatch Voluntary Reporting Form.

For urgent matters, such as potential medical device impacts related to a cyber attack affecting your hospital system, please contact CyberMed@fda.hhs.gov.

DISCLAIMER: This product is provided “as is” for informational purposes only. The Department of Health and Human Services (HHS) does not provide any warranties of any kind regarding any information contained within. The HHS does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking noted above.

U.S. Department of Health & Human Services, Office of the Assistant Secretary for Preparedness & Response
200 C Street, SW
Washington, DC 20024