S - Another hospital hit with "ransomware"

posted Apr 2, 2016, 6:26 AM by WECB640
An excerpt from "Security Now" show #553, recorded Tuesday, March 29th, 2016.

So it was just a free fraudulent certificate mint that you could cause these guys to issue a certificate for any domain you wanted, just by jiggling the web form that they sent you so that it sent back an email with a different domain than they preloaded in the web page that you were then choosing which email address to send to. You couldn't choose the @domain.com. You could just choose the prefix account name. Except that it was all then sent back to the server and accepted, and so you could change that if you edited the HTML of the page they sent. So it was just trivial to bypass that, quote, "protection," unquote. Amazing.

So last week we have another hospital hit with ransomware. This one is called "Locky," which I hadn't heard before, L-O-C-K-Y. So this is a month after our coverage four weeks ago of the Hollywood Presbyterian Medical Center in L.A., which was crippled by crypto ransomware. And that was the - I'm drawing a blank. I didn't write it down. That was the one we've seen often that malicious adware has been dropping on people's machines. So now we have - I'm taking this out of order.

So now we have, sorry, a Methodist Hospital in Henderson, Kentucky initiated what they called an internal state of emergency and shut down its desktop computers and web-based systems in their effort to fight the spread of this Locky crypto ransomware after discovering an infection of its network. The hospital's IT staff posted a scrolling message at the top of the Methodist Hospital's website announcing that, quote, "Methodist Hospital is currently working in an internal state of emergency due to a computer virus that has limited our use of electronic web-based services. We are currently working to resolve this issue. Until then we will have limited access to web-based services and electronic communications."

The Methodist Hospital's information systems director told Brian Krebs, who was reporting on this, that the Locky malware, which came in as an attachment to a spam email, attempted to spread across the network after it had infected the computer it was triggered on. Locky has been known to use malicious scripts in Microsoft Office documents as a means of infecting victims' computers. The malware succeeded in infecting several other systems, prompting the hospital staff to shut down all the hospital's computers. Each PC is then being brought back online individually after being scanned for telltale signs of Locky while it's off the network.

Now, the good news of the story is that, for reasons that are not clear, maybe it's just sort of generic, the Locky guys only want four bitcoins in payment, which is about $1,600, which I consider a massive bargain. I mean, these guys are spending that per hour on IT, you know, emergency recovery procedures. And, for example, four weeks ago, after being down for 10 days, Hollywood Presbyterian had to pay a ransom of 40 bitcoin, which was about $17,000. And even that, you know, when you consider, I mean, I'm sure you know, Leo, all medicine is automated now. I mean, a hospital can't function without its IT infrastructure. And in fact they're literally reduced to writing on, like, stone tablets with chisels. It's just amazing.

Now, that was last week. Yesterday - there is a huge health system in Washington named MedStar Health, which operates 10 hospitals, more than 250 outpatient facilities throughout the Washington region, and has revenues of $5 billion annually. Hit with crypto ransomware. They have no access to their systems. The hospital staff in the reporting on this said they've had to revert to seldom-used paper charts and records. One employee who asked that her name not be used because she was not authorized to speak of the incident said, "Even the lowest level staff can't communicate with anyone. You can't schedule patients. You can't access records. You can't do anything." So they're completely crippled.

And, I mean, I don't mean to be taking this lightly. And it's not, I mean, it's a huge problem. And of course we predicted this years ago. The first time the concept of encrypting a drive and asking for payment appeared on this podcast, we said, oh, this is going to turn out really bad because suddenly there was a profit motive for these kinds of attacks. Until now, I mean, until then, viruses sort of existed just for their own sake, to propagate and roam around. And, well, and there were trojans that were taking over computers in order to commandeer their bandwidth for participation in DDoS attacks. And we see that still.

But now there's, I mean, this is a new deal, the idea that you could encrypt the network of a hospital and get $17,000 of payday out of them, that puts it into a different league. And these people have, you know, we could say yes, back up, back up, back up. It is challenging to keep a real-time backup of something as inherently dynamic as medical records and scheduling and patient history. I mean, the whole infrastructure of a statewide medical system is changing from instant to instant. So, I mean, yes, you certainly do need to have backups. But even that you wonder how current they would be because hopefully - I'm sure that any kind of certification these days requires some sorts of clear infrastructure guidelines. Yet it's also clear that someone clicking on a random piece of email can still bring the whole thing down.

Leo: Whew.