Thought leadership. threat analysis, news and alerts.
Hospitals in Different Parts of the World Hit by Ransomware Attacks
Michael Garron Hospital, formerly Toronto East General Hospital, recently confirmed that it was a victim of the ransomware called “Ryuk”, turning the spotlight on this ransomware and on ransomware in general.
Sarah Downey, President and CEO of Michael Garron Hospital, in a statement, said that last September 25th, the hospital became aware of a malicious software (malware), later identified as Ryuk, had infected the hospital’s servers. As a result of the ransomware attack, Downey said that “some data has been damaged” and for the first time in many years, the hospital’s clinical teams were forced to revert back to paper processes and using the telephone to call codes, access porters and check dietary orders.
The President and CEO of Michael Garron Hospital said that as a result of the attack, some of the hospital’s outpatient services were affected, with some appointments canceled and rescheduled. Downey added that the affected servers are being cleansed and it may take a few weeks for some of the hospital’s systems that are less critical to operations to be fully restored. Downey further said that the hospital hasn’t been in contact with anyone about ransom payment.
What Is a Ransomware?
Ransomware is a type of malware that’s designed to deny access to a computer system or data until a ransom is paid. In denying access to a system or data to legitimate users, attackers encrypt the system or data, turning this into a code that’s only accessible by the attackers using decryption keys.
In ransomware attacks, these decryption keys are typically handed over to the victims in exchange for a ransom payment. All too often ransomware attackers victimized organizations that can’t tolerate any downtime, making ransom payment all the more compelling.
Paying the ransom, however, doesn’t guarantee that victims can recover their encrypted systems or data as the decryption keys could simply be designed to not work at all.
What Is Ryuk Ransomware?
Ryuk ransomware was first observed in the wild in August 2018. In June 2019, UK's National Cyber Security Centre (NCSC) issued a Ryuk advisory, warning organizations globally about this ransomware.
Ryuk is often linked with two other malware: Emotet and Trickbot. Emotet was first observed in the wild in 2014, while Trickbot in 2016. In a Ryuk attack, the Emotet malware is used to drop the Trickbot malware. Trickbot, for its part, deploys hacking tools that facilitate the remote monitoring of the victim’s computer, credential harvesting and allowing the attackers to move to other computers within a network.
When ransomware opportunity is present, only then that Ryuk is deployed. It’s, therefore, possible that an organization is initially infected even without visible signs of a ransomware attack.
Prior to installing itself into the affected computer, Ryuk will first attempt to disable certain antimalware or antivirus software. Ryuk has the ability to spread to other computers within the same network as it is designed to enumerate network shares and encrypt those it can access.
According to the NCSC, it’s possible that Ryuk could be deployed through an infection chain other than using Emotet and Trickbot. NCSC added that in a Ryuk attack, it’s difficult to recover the infected computer’s backup as this malware uses anti-forensic recovery techniques such as manipulating the virtual shadow copy.
Other Cases of Ransomware Attacks
Hospitals and healthcare providers are targeted by ransomware attackers as these establishments cannot withstand IT downtime. In recent weeks, in addition to the Michael Garron Hospital, two other hospitals in Canada belonging to the Listowel Wingham Hospitals Alliance (LWHA), Listowel Memorial Hospital and Wingham and District Hospital, had been hit by ransomware.
In a statement, Listowel Wingham Hospitals Alliance said that since last September 26th its IT system has been shut down as a result of a ransomware attack. As a result of the attack, the Alliance said, “Manual and paper downtime procedures remain in place.” The Alliance hasn’t named the specific type of ransomware that hit the two hospitals.
A number of hospitals and health services in Gippsland and south-west Victoria, Australia, meanwhile, has been impacted by a ransomware attack. Victoria's Department of Premier and Cabinet, in a statement, said that the ransomware was uncovered last September 30th.
Last month, a U.S. healthcare provider Wood Ranch Medical announced that will permanently close its practice on December 17, 2019 as a direct result of a ransomware attack. Wood Ranch Medical, in a statement, said that on August 10, 2019, it suffered a ransomware attack on its computer systems. The health provider said that the ransomware, although not naming the specific type of ransomware, encrypted its servers and backup hard drives containing patients’ electronic health records.
“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” Wood Ranch Medical said. “We will be closing our practice and ceasing operations on December 17, 2019.”
Last October 1st, DCH Health System, which runs 3 hospitals: DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center, announced that it suffered a ransomware attack that impacted its systems. The specific type of ransomware wasn’t disclosed.
Last October 6th, DCH Health System said that it “obtained a decryption key from the attacker to restore access to locked systems.” The organization didn’t specify whether ransom was paid. There are reports, however, that indicate that DCH Health System paid the attacker ransom.
Organizations large and small fall victims to ransomware too often. Contact us to speak with our cybersecurity experts today to develop a solid protection and mitigation strategy reducing your stress and protecting your organization.
Steve E. Driz, I.S.P., ITCP