lolloj - Fotolia
An outbreak of ransomware attacks have hit at least five U.S. and Canadian hospitals in the past two weeks, prompting renewed calls from experts to leverage automated backup to mitigate this type of attack.
"[T]his recent string of ransomware attacks targeted at hospitals proves that automated backup is no longer a nice to have, but a must for any professional organization," said Norman Guadagno, chief evangelist at Boston-based cloud backup firm Carbonite. "In light of the ransomware attack on Hollywood Presbyterian Hospital, it comes as no surprise that attackers are turning their attention to hospitals now. It's certainly not a coincidence."
Hospitals are not the only victims, according to Dmitri Alperovitch, co-founder and CTO at cybersecurity firm CrowdStrike in Irvine, Calif. "We've seen ransomware attacks across many industries, including healthcare, state and local governments, SMBs and large businesses," he said. "According to a Cyber Threat Alliance report, ransomware accounts for a total of approximately $325 million in damages. But, in reality, the numbers are likely much higher."
"[A]ny organization -- not just a hospital -- that has valuable business data readily accessible and has the financial resources to shell over a lot of money is a bull's eye for hackers," Guadagno said.
Hospitals hit by ransomware attacks
Hospitals suffering ransomware attacks have been in the news this week, just a month after February's ransomware attack on the Hollywood Presbyterian Medical Center in Los Angeles was resolved by the hospital paying a 40 Bitcoin ransom (approximately $17,000).
Norman Guadagnochief evangelist, Carbonite
Methodist Hospital in Henderson, Ky., was hit by a ransomware attack on March 18, and for five days operated under an "internal state of emergency" until they reported resolving the issue, without paying any ransom.
In California, two hospitals were reportedly hit by ransomware. Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, both part of Ontario, Calif., hospital management company Prime Healthcare Services; a company spokesperson said that neither hospital had paid any ransom, and that no patient data was compromised.
In Canada's capital, four computers were reportedly disabled by a ransomware attack at Ottawa Hospital this week. The hospital was able to resolve the problem without paying ransom by isolating the systems, wiping the drives and restoring them from backups.
And in what some suspect may have been a ransomware attack, Ruby Memorial Hospital, a facility of the West Virginia University Hospital, was reported to have been hit by "malware or a virus," though a hospital official said that the attack did not target patient or employee data and there was no attempt to steal data. The exact nature of the attack was not specified, however.
Hospital website discovered spreading ransomware
In a switch, an Ontario hospital was reported this week to be spreading ransomware through its own website. Norfolk General Hospital, in Simcoe Ontario, was running a Web portal which "had been compromised to actually spread ransomware to its visitors," according to Jérôme Segura, senior security researcher at Santa Clara, Calif., antimalware firm Malwarebytes. Norfolk General Hospital was running Joomla CMS version 2.5.6; the latest version is 3.4.8.
"Several vulnerabilities exist for this outdated installation, which could explain why the site has been hacked," Segura wrote. "Our honey pots visited the hospital page and got infected with ransomware via the Angler exploit kit. A closer look at the packet capture revealed that malicious code leading to the exploit kit was injected directly into the site's source code itself."
Experts: Backup is key
"There really is no reason to not have current and tested backups of critical personal or business data," said Jim Treinen, vice president of security research at Denver-based cloud security firm, ProtectWise. "The lack of rigor around creating such backups has opened the doors for this malware to be a financial success. By creating valid backups, the need to pay the ransom is mitigated, and the financial motivation to write this type of malware is removed."
However, keeping ransomware out of the organization can be complicated. "Ransomware presents a challenging problem to overcome from a technology perspective," Alperovitch said, because encrypted files are nearly impossible to recover without a recovery key. Affected organizations face a difficult decision: pay the ransom or lose the data, he said. "In many cases, organizations opt to pay because downtime and data loss are more costly than the ransom itself."
"What's most concerning is that we are seeing a rapid uptick in the frequency of the attacks and the sophistication of the tools used by the adversaries," Alperovitch said. "Because of the unique nature of these attacks, it's important to have the ability to track indicators of attack [IoA] to detect the effects of what the malware is trying to accomplish. Monitoring your environment to identify IoAs is critical to stopping the adversaries before any damage is done."
Meanwhile, the ransomware problem is not going away. "This is likely not the last time we'll see a hospital targeted by ransomware attackers," Guadagno said.
Learn more about the growing ransomware threat.
Find out about techniques for avoiding ransomware attacks.
Read about how one IT professional dealt with the Cryptolocker virus.