Ransomware attacks paralyze, and sometimes crush, hospitals

Major hospitals and some health clinics in the US and Australia have been crippled in new ransomware attacks, forcing some into emergency manual mode and one to close permanently due to extensive loss of patient healthcare records encrypted by data kidnappers.

In Australia, the toll is seven hospitals. According to an advisory issued on Tuesday by Victoria’s Department of Premier and Cabinet, a ransomware attack discovered on Monday has blocked access to several key systems, including financial management.

The hospitals and health services, which are located in Gippsland and south-west Victoria, have isolated a number of systems, taking them offline so as to quarantine the infection.

Isolating the systems has led to the shutdown of some patient record, booking and management systems, which may affect patient contact and scheduling. Where practical, some of the hospitals are reverting to manual systems to maintain patient services.

Loss of access to patient histories, charts, images and other information has forced the hospitals to rework bookings and scheduling so as to minimize disruption of service.

Meanwhile, in the US, three medical centers in western Alabama said this week that they’re not taking new patients due to a ransomware attack. According to a press release put out on Tuesday, elective procedures and surgeries scheduled for the next day – Wednesday, 2 October – would be going ahead as planned, with the centers running on “downtime” procedures that they say enable them to provide “safe and effective care” for those patients.

Current patients are staying put: they’re not being transferred to other medical centers. New admissions for critical cases are being diverted to other facilities, however. As for tests and other procedures, patients are being advised to call before they show up.

Encrypted to death

In related news, the crooks managed to kill one goose in the process of trying to get its golden eggs. A California medical practice that suffered a ransomware attack in early August announced on 18 September that patients’ personal healthcare data on both servers and backup hard drives were encrypted in the attack, and that it hasn’t been able to restore the records. As a result, it’s closing: the clinic will be out of business as of 17 December 2019.

There’s no sign yet that patient information was accessed, the center said, but it has notified patients and provided resources to assist them, including information about credit monitoring from credit reporting agencies and a toll-free call center to answer questions about the incident and related concerns.

What are they after?

The California medical center thinks that, possibly, it’s not the data the crooks were after. Rather, it’s just the cold, hard cash:

We believe it is likely the attacker only wanted money and not the information on our computers.

That could be wishful thinking, though, particularly given the data that was accessed:

While we have no reason to believe that anyone’s healthcare information was taken, the encrypted system contained electronic healthcare records which included patients’ names, addresses, dates of birth, medical insurance and related health information.

Medical records are valuable commodities on the dark web. Multiple studies have shown that healthcare is attacked more than any other industry, and it’s easy to see why: simply put, because that’s where the money is.

The profit can come through ransomware payments or by selling extremely profitable medical records.

According to account monitoring company LogDog, coveted Social Security Numbers were selling on the dark web for a measly $1 in 2016 – the same as a Facebook account. That pales in comparison with the asking price for medical data, which was selling for $50 and up.

Healthcare IT is just like every other kind, except it’s more critical. Lives are always at stake when it comes to access to healthcare IT, making the possibility of ransomware payments far more likely.

Responses

In Australia, the Victorian Government advisory said that Victoria Police and the Australian Cyber Security Centre are helping out the affected hospitals. The Victorian Cyber Incident Response Service – a service available 24/7 to respond to cyber-attacks on government computer systems – worked through the night to investigate the extent of server damage and to help the health centers respond to the attack.

As of Wednesday morning, the crook(s) who launched an attack on the medical centers in western Alabama hadn’t yet made a ransom demand.

A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment.

The centers didn’t say whether they’d pay up or not, but one assumes that the answer will be “go take a hike,” given that they’ve called in the Feds to work with their IT staff and that they’re working with vendors and consultants to restore their systems.

To pay or not to pay, that is the question

That’s always the question in a ransomware attack: Should an organization cough up the money? Or should it tough it out, knowing that lining the attackers’ pockets only encourages them to attack other mission-critical systems, be they at hospitals or government agencies? … and that paying is no guarantee that the crooks won’t come back to gouge away more?

There appears to be a growing trend for victims to tell attackers they’re not playing ball. That’s what the US Conference of Mayors did in July, crafting a resolution calling on cities to not pay ransom to cyberattackers.

It’s non-binding, of course. Sometimes, organizations – most particularly in the healthcare sector – feel that they have little choice but to pay up. That’s not a good place to be, and there are things that can and must be done to help keep them from getting stuck like that.

How to protect yourself from ransomware

• Pick strong passwords. And don’t re-use passwords, ever.
• Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
• Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
• Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For information about how targeted ransomware attacks work and how to defeat them, check out the SophosLabs 2019 Threat Report.