Ransomware alert up in US, Canada: more details

Ransomware threats are now the subject of a joint alert in both the US and Canada, with at least 14 hospitals under attack on both sides of the border. Ten of the hospitals are part of MedStar in Maryland [TTA 26 March, updated], and as your Editors have noted, it’s not just hospitals but also Mac iOS under attack and now, reportedly, even police and cafes (Telegraph.ukNPR). $24 million was lost to ransomware in 2015 in the US alone, according to the FBI. Healthcare IT News reports a new variation called PowerWare which is delivered through MS Word documents, but goes further than Locky in mimicking legitimate files and activities without writing new files on the system, which makes it hard to detect. It invades PowerShell which is used by system admins for task automation and configuration management.

If you are catching up and want a useful overview, see Wired. The headline states the obvious, at least to this Editor. Hospitals and their often-flawed IT managed by overworked staffs are the perfect target for ransomware and multiple viruses as lives are at stake, not widget production. Like most malware and internet Bad Things, ransomware originated in Eastern Europe (where else?) back in 2005. Most attacks include instructions on how to access bitcoin, the untraceable payment method demanded by the hospital hostage-takers.

How to prevent or mitigate? NPR cites Peter Van Valkenburgh, director of research at Coin Center, a digital currency advocacy non-profit, that hospitals can take safeguards including HTTPS encryption, two-factor authentication and implementing file backups on a separate server.

Ransom! (ware) strikes more hospitals and Apple (update)–Healthcare.gov’s plus trouble

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]Get out the Ransom! California hospitals appear to be Top of the Pops for ransomware attacks, which lock down and encrypt information after someone opens a malicious link in email, making it inaccessible. After the well-publicized attack on Hollywood Presbyterian in February, this week two hospitals in the Inland Empire, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, both owned by Prime Healthcare Management, received demands. While hacked, neither hospital paid the ransom and no patient data was compromised according to hospital spokesmen. Additional hospitals earlier this month: Methodist Hospital in Henderson, Kentucky and Ottawa Hospital in Ontario, Canada. In Ottawa, four computers were hacked but isolated and wiped. It is not known if ‘Locky’, the moniker for a new ransomware, was the Canadian culprit. FBI on the case in the US. HealthcareITNews, National Post

Update: Locky is the suspected culprit in the Prime, Hollywood Presbyterian and Kentucky ransomware attacks. On Monday, Maryland-based MedStar Health reported malware had caused a shutdown of some systems at its hospitals in Baltimore. Separately, Cisco Talos Research is claiming that a number of the attacks are exploiting a vulnerability in a network server called JBoss using a ransomware dubbed SamSam. Perhaps both are creating mischief? Ars Technica, Cisco Talos blog, BBC News, ThreatPost

More and worse attacks north of the 49th Parallel. Norfolk General Hospital in Simcoe, Ontario had a ransomware attack this week that spread to computers of staff, patients and families via the external website through the outdated content management system. According to MalwareBytes, “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.”  So if you are running old Joomla! or even old WordPress, update now! Neil Versel in MedCityNews

If you’re thinking Mac Prevents Attacks, the first ransomware targeting Apple OS X hit earlier this month. Mac users who  downloaded version 2.90 of Transmission, a data transfer program using BitTorrent, were infected. KeRanger appears after three days to demand one bitcoin (about $400) to a specific address to retrieve their files. HealthcareITNews

Finally, there is the Hackermania gift that keeps on giving: Healthcare.gov. (more…)

A Hollywood ending? Medical center’s $17,000 ransom to recover systems from hack attack

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]‘Hollywood’ Hulk Hogan is getting a workout! (UPDATED)

Hollywood Presbyterian Medical Center paid $17,000 (40 bitcoins) last night to hackers to regain control of its IT systems after last week’s ‘ransomware’ attack forced them offline. According to CEO Allen Stefanek, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” HealthcareITNews has the details and the full CEO letter/press release, including that no patient or employee information appears to have been compromised.

Obviously there will be more to follow including the usual opining, but in this resolution and spin, a bad precedent has been set in this Editor’s view. Labeling it a ‘low-tech’ attack shines a Klieg light (this is Hollywood after all) on the vulnerability of this hospital’s system. They now have the decryption key to the malware, but what other bad code and general mischief is buried in their systems to crop up later?  Another question: was the inflated bitcoin number floated to make the paid ransom seem ‘affordable’? Is this a Hollywood ending where all is happy, or is this an episode in the continuing soap opera of ‘Hospital as Cash Machine’?

Our original article follows: (more…)