Hospitals caught up in ransomware

Hey guys,

Crypto-ransomware attacks are increasingly hitting hospitals and healthcare networks, and as a result the victims have suffered a great deal of disruption. In hospitals, such disruptions can have a far more dire impact than in other organisations.

Many hospitals in the US have been infested by crypto-ransomware, forcing them to bring down systems. Researchers at Cisco Talos Research discovered a new strain of crypto-ransomware that primarily focused on targets in the healthcare industry.

Recently the Columbia-based MedStar Health reported that some systems at its hospitals in Baltimore were shut down due to malware.

A spokesperson at MedStar said, “MedStar Health’s IT system was affected by a virus that prevents certain users from logging in to our system. MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and cyber-security partners to fully assess and address the situation.” No further comments were given by MedStar.

Reportedly a ransom of $17,000 or more was paid by Methodist Hospital in Henderson, Kentucky to restore the hospital’s systems.

In California, two hospitals operated by Prime Healthcare Management, Inc. were forced to shut down systems due to ransomware, which disrupted services at several of their other hospitals and at affiliate care providers. It also kept some of the company’s external service providers from accessing systems, and it took some of Prime’s voice-over-IP phone system offline. The ransomware infection was first discovered on March 18. They presume that the ransomware involved was Locky, the same malware that hit Hollywood Presbyterian in February. A spokesperson for Prime asserted that the situation was taken care of without compromising patient safety or any other data, and without paying a ransom.

New vectors for infection

The ransomware attacks at Methodist Hospital and Prime came in via “phishing” e-mails. But Cisco Talos Research says that a number of healthcare providers have recently been infected through Web servers running JBoss.

A Talos researcher said, “This is really one of the first times we’ve seen ransomware spread by a network vulnerability…which is why when we saw all these JBoss alerts popping up that it caught our attention.”

The malware, called “Samsam” by Talos, uses old, very public exploits taken straight from JexBoss, an open source vulnerability testing tool for JBoss. Once the malware has a foothold on the server, it spreads to Windows machines on the same network.

“I wouldn’t be surprised if this [malware approach] was extended toward WordPress and other content management systems…This is really just the natural progression of ransomware,” he added.

It’s not that attackers are specifically targeting healthcare; rather, when the ransomware developers simply scanned the Internet for vulnerable servers, most of the ones they discovered were at healthcare organizations.

Researchers explained: “A lot of people in the healthcare industry—they set up websites in a kind of fire and forget fashion…They hire an IT guy, they get the billing system set up, hook it up to the website and then they never touch it again. That’s the perfect environment for this type of malware to thrive in because it’s not maintained. They have no full-time security staff and few if any full-time administrators. As a result, the software just goes unpatched.”

Alex Rice, chief technology officer and co-founder of vulnerability disclosure portal provider HackerOne, said, “The reality is that almost every company that is transitioning into becoming an IT company, and every industry that is transitioning into [using more networked information technology], are really unprepared and ill-equipped to deal with the cyber challenges facing them.”

Healthcare organizations and medical device manufacturers do not perform penetration testing or other risk assessments of their systems with any regularity, Rice noted.

Rice further explained that some healthcare companies have set up private disclosure programs with HackerOne so that security issues can be uncovered. Medical device manufacturers are being pushed by the FDA to patch long-neglected software. But the healthcare industry requires a significant change in approach, because this ransomware is focused on denying access rather than stealing patient data.

Source: Akati