29 September 2020

Healthcare provider UHS hit by a ransomware attack



Universal Health Services (UHS), one of the largest healthcare providers in the U.S., which has 400 hospitals and healthcare facilities in the U.S. and the U.K., has reportedly been hit by a ransomware attack.

The attack, which took place last Sunday, forced IT staff to shut down computer systems to prevent the threat from propagating to all devices. Due to the incident, UHS employees at facilities in California, Florida, Texas, Arizona, and Washington, D.C., have been left without access to computers and phone systems. As a result, the impacted hospitals had to redirect ambulances and patients in need of surgery to nearby hospitals.

In a short statement, UHS confirmed the cyber attack but has not released any details regarding the incident. According to multiple reports from UHS employees, systems at some UHS hospitals rebooted and displayed a ransom note.

“I have worked at a UHS facility in the SE US for over 7yrs and on Sunday morning at approx 2AM systems in our ED just began shutting down. I was sitting at my computer charting when all of this started. It was surreal and definitely seemed to propagate over the network. All machines in my department are Dell Win10 boxes. When the attack happened multiple antivirus programs were disabled by the attack and hard drives just lit up with activity. After 1min or so of this the computers logged out and shut down. When you try to power back on the computers they automatically just shut down,” according to one of the reports. “It was an epic cluster working "old school" last night with everything on paper downtime forms. It is true about sending patients away (called EMS diversion) but our lab is functional along with landlines. We have no access to anything computer based including old labs, ekg's, or radiology studies. We have no access to our PACS radiology system.”

Another report said that when the attack started “multiple antivirus programs were disabled by the attack and hard drives just lit up with activity.”

Some reports posted online revealed that the ransomware added the “.ryk” extension to the filenames of encrypted documents, which suggests the involvement of the Ryuk ransomware. Ryuk is a ransomware strain believed to be linked to a Russian cybercrime group, known as Wizard Spider. The Ryuk operators have been quiet for months, but have recently returned to their normal activity.
