‘Zombie’ Ryuk ransomware group returns from the grave | SC Media

A resurgence of the so-called UNC 1878 hacking group has emerged, most recently linked to a string of ransomware attacks on hospitals. (Source: FBI)

The so-called UNC 1878 hacking group, which is reportedly behind a string of ransomware attacks on hospitals, seems to have risen from the dead, again using its malware family of choice, Ryuk.


Reuters reported Wednesday that the FBI is investigating a wave of ransomware attacks currently underway against hospitals across the U.S. and other countries that are tied to UNC 1878. This news came the same day as research from Mandiant stating that one out of every five ransomware attacks the company responds to is from the Ryuk malware family, while one out of every five of those attacks was carried out by UNC 1878.


It also comes after researchers at Check Point said earlier this month that an average of 20 organizations have been attacked with Ryuk ransomware every week since July, and other threat firms like Kaspersky have estimated that a business is attacked by ransomware every 40 seconds. UNC 1878’s modus operandi plays into both of those trends, leveraging Ryuk and other tools for speedy attacks against a high volume of targets.


“The best way to summarize UNC 1878 as we know it today would be based on two key themes: speed and scale,” said Van Ta, a senior threat analyst on Mandiant’s FLARE team, on an Oct. 28 webcast hosted by the SANS Institute.


Interestingly, however, recent activity comes after an extended lull. Mandiant tracked “prolific” Ryuk-enabled intrusions coming from UNC 1878 in late 2019 and early 2020. Then in March, everything went quiet. For the next five months, researchers didn’t see a single incident tied to UNC 1878, a ..